Windows Analysis Report
MicrosoftDefaults.exe

Overview

General Information

Sample Name:MicrosoftDefaults.exe
Analysis ID:818212
MD5:23edddfd3f65c753ae87f4d3cf12a215
SHA1:50df12f1a964abf7a6fc6b3ab10bff2608f49526
SHA256:d5d6bdc891cf6365e8e738cb60878e54967ccad3e3954b2cd936341db05cd178

Detection

Score:21
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Potential context-aware VBS script found (checks for environment specific values)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Binary contains a suspicious time stamp
Found large amount of non-executed APIs

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
  • System is w10x64
  • MicrosoftDefaults.exe (PID: 6124 cmdline: C:\Users\user\Desktop\MicrosoftDefaults.exe MD5: 23EDDDFD3F65C753AE87F4D3CF12A215)
    • StartupInstaller.exe (PID: 4472 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe MD5: E40AF81D67406FDCD7A1945F5CE454D6)
      • MEInstaller.exe (PID: 524 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe MD5: BBD7C942EF0CD6B1EBD57887641F93CD)
  • rundll32.exe (PID: 4332 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: C:\Users\user\Desktop\MicrosoftDefaults.exe DLL: VERSION.dll
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe DLL: Cabinet.dll
Source: MicrosoftDefaults.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MicrosoftDefaults.exe Static PE information: certificate valid
Source: MicrosoftDefaults.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: MicrosoftDefaults.exe, BrowserSettingsInstaller.exe.0.dr
Source: Binary string: wextract.pdbGCTL source: MicrosoftDefaults.exe, BrowserSettingsInstaller.exe.0.dr
Source: Binary string: C:\Users\Administrator\Downloads\StartupInstaller\StartupInstaller\Release\StartupInstaller.pdb source: StartupInstaller.exe, 00000001.00000000.304430477.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp, StartupInstaller.exe, 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: MEInstaller.exe, MEInstaller.exe, 00000002.00000002.830719414.0000000004A32000.00000002.00000001.01000000.0000000A.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: D:\Ramesh\VSTS\BingGrowthApps\Applications\BingWallpaperApp\Release\DispatchQueue.pdb source: MEInstaller.exe, 00000002.00000002.834121984.000000006C3AB000.00000002.00000001.01000000.00000009.sdmp, DispatchQueue.dll.0.dr
Source: Binary string: D:\SRR\VSTS\Repos\BingGrowthApps\Applications\DefaultOffer\Release\MEDefMgr.pdb source: MEInstaller.exe, 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\VSTS\BingGrowthApps\Installers\EnhancedEdge\MEInstaller\MEInstaller\obj\Release\MEInstaller.pdb source: MEInstaller.exe, 00000002.00000000.304879627.0000000000042000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: BSvcInstaller.msi.0.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: MEInstaller.exe, 00000002.00000002.830719414.0000000004A32000.00000002.00000001.01000000.0000000A.sdmp, Newtonsoft.Json.dll.0.dr
Source: Binary string: C:\EEI\MEProgressBar\obj\Debug\MEProgressBar.pdb source: MEProgressBar.dll.0.dr
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F47DAF FindFirstFileExW,1_2_00F47DAF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD4A826 FindFirstFileExW,2_2_6BD4A826
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: String function: 6BD41850 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: String function: 00F433C0 appears 33 times
Source: MicrosoftDefaults.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 7620706 bytes, 11 files, at 0x2c +A "MEInstaller.exe" +A "Newtonsoft.Json.dll", ID 20375, number 1, 278 datablocks, 0x1503 compression
Source: BrowserSettingsInstaller.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1711254 bytes, 7 files, at 0x2c +A "BrowserSettings.exe" +A "Newtonsoft.Json.dll", ID 13813, number 1, 103 datablocks, 0x1503 compression
Source: MicrosoftDefaults.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs MicrosoftDefaults.exe
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Section loaded: sfc.dll
Source: MicrosoftDefaults.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\MicrosoftDefaults.exe C:\Users\user\Desktop\MicrosoftDefaults.exe
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe File created: C:\Users\user\AppData\Local\Microsoft\Dispatcher
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: classification engine Classification label: sus21.evad.winEXE@6/11@0/0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD33D70 SetEdgeAsDefaultBrowser,CoInitializeEx,CoCreateInstance,CoUninitialize,2_2_6BD33D70
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{35e48840-e42e-40ba-ad05-f0902d406172}
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Mutant created: \Sessions\1\BaseNamedObjects\// {9D255ADC-2EB7-47F7-8DE0-7B2F4F9D9EB2}
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD332A0 LoadResource,LockResource,SizeofResource,2_2_6BD332A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: MicrosoftDefaults.exe Static file information: File size 7778712 > 1048576
Source: MicrosoftDefaults.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x760400
Source: MicrosoftDefaults.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MicrosoftDefaults.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MicrosoftDefaults.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MicrosoftDefaults.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MicrosoftDefaults.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MicrosoftDefaults.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD41894 push ecx; ret 2_2_6BD418A6
Source: BrowserSettingsInstaller.exe.0.dr Static PE information: real checksum: 0x1d4b40 should be: 0x1c9a04
Source: MicrosoftDefaults.exe Static PE information: real checksum: 0x77b01f should be: 0x7700ff
Source: MicrosoftDefaults.exe Static PE information: 0xB9387306 [Thu Jun 21 06:07:02 2068 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.122567683343345
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEProgressBar.dll
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEDefMgr.dll
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BrowserSettingsInstaller.exe
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\DispatchQueue.dll
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BingSvc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\MicrosoftDefaults.exe Dropped file: If InStr(objItem.OSArchitecture, "64") Then
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEProgressBar.dll
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\BrowserSettingsInstaller.exe
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe API coverage: 9.3 %
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe API coverage: 3.6 %
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F47DAF FindFirstFileExW, 1_2_00F47DAF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD4A826 FindFirstFileExW, 2_2_6BD4A826
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F43162 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00F43162
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F49EE9 GetProcessHeap, 1_2_00F49EE9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F48E3C mov eax, dword ptr fs:[00000030h] 1_2_00F48E3C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F46626 mov eax, dword ptr fs:[00000030h] 1_2_00F46626
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD4A3F3 mov eax, dword ptr fs:[00000030h] 2_2_6BD4A3F3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD48B68 mov eax, dword ptr fs:[00000030h] 2_2_6BD48B68
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F432F6 SetUnhandledExceptionFilter, 1_2_00F432F6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F45A27 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00F45A27
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F42A08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00F42A08
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD443B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6BD443B4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD41541 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6BD41541
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD41403 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6BD41403
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe Code function: 1_2_00F43405 cpuid 1_2_00F43405
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\MicrosoftDefaults.exe Code function: 0_2_00F07105 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00F07105
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe Code function: 2_2_6BD31020 GetVersionExW,2_2_6BD31020
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Scripting | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Virtualization/Sandbox Evasion | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | 1 DLL Search Order Hijacking | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | 1 DLL Search Order Hijacking | 1 Process Injection | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Scripting | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Rundll32 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Software Packing | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Timestomp | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact |
| Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | 1 DLL Side-Loading | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop |
| Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | 1 DLL Search Order Hijacking | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery |
[Behavior graph. ID: 818212; Sample: MicrosoftDefaults.exe; Startdate: 02/03/2023; Architecture: WINDOWS; Score: 21. Processes started: MicrosoftDefaults.exe and rundll32.exe; MicrosoftDefaults.exe started StartupInstaller.exe, which started MEInstaller.exe. Files dropped by MicrosoftDefaults.exe: C:\Users\user\...\StartupInstaller.exe (PE32), C:\Users\user\AppData\...\Newtonsoft.Json.dll (PE32), C:\Users\user\AppData\...\MEProgressBar.dll (PE32), and 4 other files (none is malicious). Signature on MicrosoftDefaults.exe: Potential context-aware VBS script found (checks for environment specific values).]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| MicrosoftDefaults.exe | 0% | ReversingLabs | | |
| MicrosoftDefaults.exe | 1% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\BrowserSettingsInstaller.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\DispatchQueue.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEDefMgr.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEProgressBar.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe | 0% | ReversingLabs | | |
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 818212
Start date and time: 2023-03-02 01:51:04 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: MicrosoftDefaults.exe
Detection: SUS
Classification: sus21.evad.winEXE@6/11@0/0
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 100% (good quality ratio 91.4%)
• Quality average: 76.8%
• Quality standard deviation: 31.2%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target MicrosoftDefaults.exe, PID 6124 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 01:52:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BingSvc C:\Users\user\AppData\Local\Microsoft\BingSvc\BingSvc.exe |
| 01:52:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BingSvc C:\Users\user\AppData\Local\Microsoft\BingSvc\BingSvc.exe |

No context
No context
No context
No context

| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\IXP000.TMP\DispatchQueue.dll | BSStartMSI.exe | Get hash | malicious | Unknown | Browse | |

Process: C:\Users\user\Desktop\MicrosoftDefaults.exe
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Bing Service, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Bing Service., Template: Intel;1033, Revision Number: {DD76ED0B-FC43-4B4E-AD93-7C707F4ACA2C}, Create Time/Date: Sat Sep 10 08:31:44 2022, Last Saved Time/Date: Sat Sep 10 08:31:44 2022, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category: dropped
Size (bytes): 5312512
Entropy (8bit): 7.9290426505765454
Encrypted: false
SSDEEP: 98304:Mex9ZBsDZkK0kwy6kaCk+bcbMbVJzk+Aa9/UNo/QDV8hYa3x6IHEPyAZnR5U:XEWK0kwy6XCkgcbMpJI2VKVo1BiyAZRa
MD5: A209E04C1E279B22E4EDF62C4C5AC100
SHA1: 9E4E614F2CBD670791546FFBB41E9D6CA3E3FA42
SHA-256: FB4A95C8427B60F6E30010BAFE41A61824266156488D26CE8CA8EFB317820805
SHA-512: 4E2CCDE9F95D8B743753F9471D03EA768E613ACE4C61AF364D5486E83F73187B09812EC40CBA1B65900D6E2CC52DCD56A5EC448D646407C84280A4337AE9EBF1
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\MicrosoftDefaults.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1869200
Entropy (8bit): 7.973901513317514
Encrypted: false
SSDEEP: 49152:uLMzAv8uBwMd8hXCdLn8e9ymtIm1XRwDXr:8MziqewCdLnB9y61hwDb
MD5: 8395A75044B8749B0CCF2C64F9CFC0C3
SHA1: 9DFA97CE334D971F1BF591A2118CBF54EC2D75E2
SHA-256: 34D792ECFE770181FC055E3279F754E9043E67AF015D2F7EDDF6E2211E7A2AF9
SHA-512: 1095B1180E016B8E35C2BAC15FC3BCE2665D7E8CCD674DEB564CD1FC57534AC6594BAB467856FFC4492C1C51890B134B5A5528FCC09337407DBDEEED07666550
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........C...C...C.......B.......B.......W.......R...C...........J.....d.B.......B...RichC...................PE..L....s8..................d...........j............@.................................@K....@...... ......................................l............^...'..............T...............................@............................................text....b.......d.................. ..`.data...H............h..............@....idata..R............j..............@..@.rsrc...l............|..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):16581
                                      Entropy (8bit):5.8551830623769865
                                      Encrypted:false
                                      SSDEEP:384:UkOxgMFddaVe4j6HvmVfg9J22ufLbbQteG:UkOSZJj6Hv8fu+LbEsG
                                      MD5:A5C3F20ADE4317E9D3C90107B25E724C
                                      SHA1:BA35748AA23B1DF70335A1CB983A2F83E7657668
                                      SHA-256:D1BF3AE24A964737EE5EA9D0143466DAB7769565049778A49830AB86DD63E0FD
                                      SHA-512:94E44F13FDE869D8E285693FEF685159B7B83B0C6630ED80C268387415C844593EA6D75064237FF03CC4AD9CDDB23A722CACF27A724316F66136AC24D47DAFDB
                                      Malicious:false
                                      Reputation:low
                                      Preview:Dim WSHShell ..Dim MyShortcut ..Dim DesktopPath....Set WSHShell = CreateObject("WScript.Shell") ..If not WSHShell Is Nothing Then ..DesktopPath = WSHShell.SpecialFolders("Desktop") ..Set MyShortcut = WSHShell.CreateShortCut(DesktopPath & "\Microsoft Edge" & ".lnk").. ..Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")..Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)....For Each objItem in colItems...If InStr(objItem.OSArchitecture, "64") Then....MyShortcut.TargetPath = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" ....MyShortcut.WorkingDirectory = "C:\Program Files (x86)\Microsoft\Edge\Application" ...Else....MyShortcut.TargetPath = "C:\Program Files\Microsoft\Edge\Application\msedge.exe" ....MyShortcut.WorkingDirectory = "C:\Program Files\Microsoft\Edge\Application" ...End If..Next....MyShortcut.WindowStyle = 1 ..MyShortcut.Description = "Browse the web"..MyShortcut.Arguments
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):158080
                                      Entropy (8bit):6.57378529370525
                                      Encrypted:false
                                      SSDEEP:3072:oo9X5ooAfvWHrgCP0Y6jaJ+681+LnKAC/yOh3eBuPj+jRzpmfyrFBsw5yWXgZ:ood5ooAfvogCyR6HLCb3yuPj+/ssxXgZ
                                      MD5:3E32206E07EEFAA6E9CE6B3D70E0C1D5
                                      SHA1:BA3AB0FBD00453E5049D95F61A21D40CB68CF235
                                      SHA-256:B19E2C644108614CDB2607F850CED43120161B191501618806C0F91842246F9B
                                      SHA-512:FE43CACD43023E1E09FCCC83C393089FD601F7E03B01207A73D0364858928D413555D7E70E45A43D67E66976079EB980BDD53836643214741AE17895A135A5AF
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: BSStartMSI.exe, Detection: malicious, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i;...h...h...h..i...h..i$..h..i...hz..i...hz..i...hz..i...h..i...h...h/..h7..i...h7..i...h7..h...h..h...h7..i...hRich...h........................PE..L.....u_...........!................................................................q.....@..........................#..$....$.......P..p............F...#...`......l...p...............................@............................................text...j........................... ..`.rdata..L...........................@..@.data...l....0....... ..............@....rsrc...p....P.......,..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:JSON data
                                      Category:dropped
                                      Size (bytes):3445
                                      Entropy (8bit):5.968561828284263
                                      Encrypted:false
                                      SSDEEP:96:Cvv8fO5PcnOn60er6v5ecETv4z6DUlbtGa9/czuvW0V5gHJA6:CvEOCOnK6hecgJgxtGS/Wuj5V6
                                      MD5:8AF65DB3C2B26EC9A7E8DA5F7F9D8533
                                      SHA1:4B191583F144F2DAAA161185A0324AD394666E3C
                                      SHA-256:A4DDA96BF7B61EBC3128E1FA32E1E10E920D45A2AAD9B6A27F6B92BF35FCE3CA
                                      SHA-512:CED9573DEC731ADB787F58DAE173FC74BEEDFD3FA209345F5423826FD480D32B9F5F66D0F54F253E0146A65CA46A224ABEA5BDE21B5055967922D2402CE3BBA9
                                      Malicious:false
                                      Preview:{..."LocalizedTitles": [...."..... ....... .....",...."............ .. ........... . ........",...."Optimizirajte pregledavanje weba",...."Optimalizujte svoje proch.zen. webu",...."Optimer din webbrowsing",...."Optimieren Sie das Browsen im Web",...."............... ... ......... ... .... ....",...."Optimise your web browsing",...."Optimizar la exploraci.n web",...."Optimizar la exploraci.n web",...."Optimisez votre navigation sur le Web",...."Optimisez votre navigation sur le Web",...."Optimizirajte pregledavanje weba",...."Optimalkan penjelajahan web Anda",...."Ottimizza l'esplorazione Web",...."Web ........",...."..... ...... ............",....". .. ...",...."Optimaliser nettlesingen",...."Uw browsen op het web optimaliseren",...."Otimizar sua navega..o na Web",...."Otimizar a navega..o na Web",...."Optimize your web browsing",...."Optim
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):199560
                                      Entropy (8bit):6.533665233074508
                                      Encrypted:false
                                      SSDEEP:3072:og4G157yceVCsSxoczV+zayB/u/ttJDHmo2os75ochKPpWudz77MMxYOvej9r10N:b4457yLSxdzV+zayABD+8Pgudz7MsiU
                                      MD5:11B1C577DB79D9D0B05855354715335F
                                      SHA1:90975A11A2E36CCD427D8893F9396BCE115145A3
                                      SHA-256:471EC34845A1B22FCC7CC89D672ED71B487C149072617C6E89A746C1D8C926BC
                                      SHA-512:CE4341F8014E16D63767FCBEFBF5873F57FFA0EF7751AADEB76E7EF8B1D2FC57F4D7BCDB04BA50E7D313BE7A85082870ED450772FAF13712C2FA253C2BF6D9CD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............A..A..A..@..A..@@..A,.@..A,.@...A,.@...A..@..A..@..A..Ar..Al.@..Al.@..Al.PA..A.8A..Al.@..ARich..A................PE..L....._...........!.........................0............................... .......Z....@......................... ...................P................#..............p...........................P...@............0...............................text...=........................... ..`.rdata.......0....... ..............@..@.data...(...........................@....rsrc...P...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):660416
                                      Entropy (8bit):7.1188742390583695
                                      Encrypted:false
                                      SSDEEP:12288:njfVSXsusPBkpYtc2uxFBbKA0S6FYYYY9GfVIr6P4WxQz4:nhNusPBkStcYgmWqz4
                                      MD5:BBD7C942EF0CD6B1EBD57887641F93CD
                                      SHA1:6AE5F342C576D3FA0DCAFB2481D16A4D3A4D37BC
                                      SHA-256:66F796E508B4BC70943496800C60AC084637A1B3FE78B727D6013D8434723231
                                      SHA-512:04B6CB0D6DE657E66172E98E64D8308AF8B2E760D1B3F82189E0513ACDF8DA2E3C5A048E99A3055D57AFCAEE2CFE894BD8F1CEAC78A423A7850ADB52E5B020B0
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.)..........."...0......$........... ........@.. .......................`......J.....`.....................................O........!...............'...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc....!......."..................@..@.reloc.......@......................@..B........................H...................m...h................................................0..........r...ps.....s.......~....s.....~......~......~......~......~....r...p(p.....(......~....r+..p(u...9....~....r+..p(p...~....rI..p(p.....~....r]..p(p.....~....ru..p(p.....~....r...p(p.....(......o....(......(....,....(....+?..(....,6..(....,....(....+#..(....,.r...p(......+.r...p(........r...p(....,.r...p(....+...(.............(....(....r...p.{....( ...(.....,..(....~....-.~......(......&r...p(..
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2577
                                      Entropy (8bit):5.381119504417309
                                      Encrypted:false
                                      SSDEEP:48:3yPrjtT2mrjtT2mrgtT2mr8HtT0ta9O1c46bXRlpIp8nBuGztFFtMeM/gKATsKOF:0tJt2t8tkXMR/rG0z87R
                                      MD5:5B7EB3AF6ACAD627BB9B287053290D26
                                      SHA1:E411057944168C1CD715D80D962B0A31364F6581
                                      SHA-256:A6EB8AF8191092C1BA19C9B85F4DFEB5641CB2CB93C2AD53A77672BC71C80408
                                      SHA-512:93CDDC00EF333E10972B989190E2DDF85E6749F30EFEBADCA69381A4AE480F271E5962D408801DA13E300D9121A01E0FA117C61697C1C2E739E666E83A65BC26
                                      Malicious:false
                                      Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>...<configSections>....<section name="Extension" type="System.Configuration.AppSettingsSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />....<section name="Favorites" type="System.Configuration.AppSettingsSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />....<section name="MEDefaultsPCReset" type="System.Configuration.AppSettingsSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />....<section name="PinWebsite" type="System.Configuration.AppSettingsSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />...</configSections>...<startup>....<supportedRuntime version="v4.0" />...</startup>...<appSettings>....<add key="PC" value="EE24" />....<add key="InstallType" value="UI-IP" />....<add key="SetHomePage" value="true" />....<add key="DefaultUI
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):16792
                                      Entropy (8bit):6.685850478580629
                                      Encrypted:false
                                      SSDEEP:192:HWedcUaRjVu5Za/OXHwNkWewhWJZf8sGGrHnhWgN7awW5Na+WyGI+X01k9z3ALNC:HHZa/OXHwNkRw2rHRN782NrR9zuNwJk
                                      MD5:A9DC80F325FF97C83D85E40E8A5E340F
                                      SHA1:E749EA0B1C92196104F3B44A98CAEEFA59687122
                                      SHA-256:BCB3530B5EDC302E83B6265D2E8C3E01384045622508A19F3A49D7F56F23DC74
                                      SHA-512:8835709A8C4168C4A525783256599F8A203937EE71C4D29FFCB49F702B17D0943707A19539A27C6B0AEAF750842D6F0A669E8D4DD07734FC312C9F6EF5B39F1F
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[1..........." ..0..............1... ...@....... ....................................`.................................}1..O....@...................'...`.......0..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H.......d%.................................................................}......d}......}.....r...p(....}......}.....(.......(.....*&..(.....*.0..l.........o......{....s......{.....{....Yk.{.....{....Yk[..(.........(....k.Zi(........o.......(......o......o.....*.0............{.....+..*.0..W..............,....}.......{........,....}......}......{.....{........,....{....}......(.....*..0............{.....+..*.0..F..........{........,....}.......}.....{.....{........,....{....
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):711952
                                      Entropy (8bit):5.96669864901384
                                      Encrypted:false
                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....
                                      Process:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):126344
                                      Entropy (8bit):6.179287465091944
                                      Encrypted:false
                                      SSDEEP:3072:PhQH/acyWvCNOXNq0v2Jnzzx1jmYJX+7v3TcvC:PhQHpfq0uX+r3Tcv
                                      MD5:E40AF81D67406FDCD7A1945F5CE454D6
                                      SHA1:73B62801DD70F1F07E50211DC6600D69D7FA9283
                                      SHA-256:542EBD9F73322FED135381535FFC04ECFFAD064CA749E325D19A8DDDEF7BDFA1
                                      SHA-512:BA92D96D1FCE1E1BE010313F4050B7C5C570CF7F7D37660837158837A75D5BE7A2B7876D0A76AB5716B400ECC067B5672CD499D1F47544D549BBD6C6755DC055
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'S.F=..F=..F=..->..F=..-8..F=..-9..F=..39..F=..3>..F=..38..F=..-<..F=..F<..F=..34..F=..3..F=..3?..F=.Rich.F=.........PE..L...xi.a.............................-............@......................................@....................................x........................#..............p...............................@...............@............................text...I........................... ..`.rdata..<...........................@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.997448798348293
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:MicrosoftDefaults.exe
                                      File size:7778712
                                      MD5:23edddfd3f65c753ae87f4d3cf12a215
                                      SHA1:50df12f1a964abf7a6fc6b3ab10bff2608f49526
                                      SHA256:d5d6bdc891cf6365e8e738cb60878e54967ccad3e3954b2cd936341db05cd178
                                      SHA512:12efd73932fe89964d10638bd1dbec6c9ff48b8ad85f30e128b12b29d078ec5b4d501de621583c4ddeaa48e08ec2c76f96484e1dfd894e2b39c49f26ae07bf13
                                      SSDEEP:196608:Z6/i+wCP9Wxfwhjcb6D4TfqUFNi/iPMGdl0imuc:/OsxfYjcIGhiO9muc
                                      TLSH:4E763343EBE4C62FECF3427286E56B1744297E395864D7061D02A68F96B1384E121BFF
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........C...C...C.......B.......B.......W.......R...C...........J.....d.B.......B...RichC...................PE..L....s8............
                                      Icon Hash:f8e0e4e8ecccc870
                                      Entrypoint:0x406a00
                                      Entrypoint Section:.text
                                      Digitally signed:true
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                      Time Stamp:0xB9387306 [Thu Jun 21 06:07:02 2068 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:10
                                      OS Version Minor:0
                                      File Version Major:10
                                      File Version Minor:0
                                      Subsystem Version Major:10
                                      Subsystem Version Minor:0
                                      Import Hash:646167cce332c1c252cdcb1839e0cf48
                                      Signature Valid:true
                                      Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                      Signature Validation Error:The operation completed successfully
                                      Error Number:0
                                      Not Before:5/12/2022 1:46:02 PM
                                      Not After:5/11/2023 1:46:02 PM
                                      Subject Chain
                                      • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                      Version:3
                                      Thumbprint MD5:D03E1ED3E72F64CC6C5A636BE32C29AD
                                      Thumbprint SHA-1:97221B97098F37A135DCC212E2B41E452BCE51F2
                                      Thumbprint SHA-256:AAE358FD90D5500110EE8BF3BD2C668F834559710DA7D75C266018BB9506F2F6
                                      Serial:33000002CDF364BFF8D44C5D510000000002CD
                                      Instruction
                                      call 00007FB0ACD54215h
                                      jmp 00007FB0ACD53B15h
                                      push 00000058h
                                      push 00407268h
                                      call 00007FB0ACD542B7h
                                      xor ebx, ebx
                                      mov dword ptr [ebp-20h], ebx
                                      lea eax, dword ptr [ebp-68h]
                                      push eax
                                      call dword ptr [0040A184h]
                                      mov dword ptr [ebp-04h], ebx
                                      mov eax, dword ptr fs:[00000018h]
                                      mov esi, dword ptr [eax+04h]
                                      mov edi, ebx
                                      mov edx, 004088ACh
                                      mov ecx, esi
                                      xor eax, eax
                                      lock cmpxchg dword ptr [edx], ecx
                                      test eax, eax
                                      je 00007FB0ACD53B2Ah
                                      cmp eax, esi
                                      jne 00007FB0ACD53B19h
                                      xor esi, esi
                                      inc esi
                                      mov edi, esi
                                      jmp 00007FB0ACD53B22h
                                      push 000003E8h
                                      call dword ptr [0040A188h]
                                      jmp 00007FB0ACD53AE9h
                                      xor esi, esi
                                      inc esi
                                      cmp dword ptr [004088B0h], esi
                                      jne 00007FB0ACD53B1Ch
                                      push 0000001Fh
                                      call 00007FB0ACD54045h
                                      pop ecx
                                      jmp 00007FB0ACD53B4Ch
                                      cmp dword ptr [004088B0h], ebx
                                      jne 00007FB0ACD53B3Eh
                                      mov dword ptr [004088B0h], esi
                                      push 004010C4h
                                      push 004010B8h
                                      call 00007FB0ACD53C70h
                                      pop ecx
                                      pop ecx
                                      test eax, eax
                                      je 00007FB0ACD53B29h
                                      mov dword ptr [ebp-04h], FFFFFFFEh
                                      mov eax, 000000FFh
                                      jmp 00007FB0ACD53C49h
                                      mov dword ptr [004081E4h], esi
                                      cmp dword ptr [004088B0h], esi
                                      jne 00007FB0ACD53B2Dh
                                      push 004010B4h
                                      push 004010ACh
                                      call 00007FB0ACD54203h
                                      pop ecx
                                      pop ecx
                                      mov dword ptr [000088B0h], 00000000h
                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0xa28c           0xb4          .idata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc000           0x760318      .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x768a00         0x2798        .rsrc
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x76d000         0x888         .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x1410           0x54          .text
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1008           0x40          .text
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0xa000           0x288         .idata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                      Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                      .text   0x1000           0x62c4        0x6400    False     0.5751953125        data       6.303948380512371  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .data   0x8000           0x1a48        0x200     False     0.609375            data       4.970639543960129  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .idata  0xa000           0x1052        0x1200    False     0.4136284722222222  data       5.020897034052699  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .rsrc   0xc000           0x760318      0x760400  unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc  0x76d000         0x888         0xa00     False     0.751171875         data       6.272863797862526  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
AVI | 0xca10 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States
RT_ICON | 0xf82c | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States
RT_ICON | 0xfe94 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
RT_ICON | 0x1017c | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States
RT_ICON | 0x10364 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States
RT_ICON | 0x1048c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States
RT_ICON | 0x11334 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States
RT_ICON | 0x11bdc | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States
RT_ICON | 0x122a4 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States
RT_ICON | 0x1280c | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x201e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x22788 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x23830 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States
RT_ICON | 0x241b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_DIALOG | 0x24620 | 0x2f2 | data | English | United States
RT_DIALOG | 0x24914 | 0x1b0 | data | English | United States
RT_DIALOG | 0x24ac4 | 0x166 | data | English | United States
RT_DIALOG | 0x24c2c | 0x1c0 | data | English | United States
RT_DIALOG | 0x24dec | 0x130 | data | English | United States
RT_DIALOG | 0x24f1c | 0x120 | data | English | United States
RT_STRING | 0x2503c | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States
RT_STRING | 0x250c8 | 0x520 | data | English | United States
RT_STRING | 0x255e8 | 0x5cc | data | English | United States
RT_STRING | 0x25bb4 | 0x4b0 | data | English | United States
RT_STRING | 0x26064 | 0x44a | data | English | United States
RT_STRING | 0x264b0 | 0x3ce | data | English | United States
RT_RCDATA | 0x26880 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0x26888 | 0x744862 | Microsoft Cabinet archive data, many, 7620706 bytes, 11 files, at 0x2c +A "MEInstaller.exe" +A "Newtonsoft.Json.dll", ID 20375, number 1, 278 datablocks, 0x1503 compression | English | United States
RT_RCDATA | 0x76b0ec | 0x4 | data | English | United States
RT_RCDATA | 0x76b0f0 | 0x24 | data | English | United States
RT_RCDATA | 0x76b114 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0x76b11c | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0x76b124 | 0x4 | data | English | United States
RT_RCDATA | 0x76b128 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0x76b130 | 0x4 | data | English | United States
RT_RCDATA | 0x76b134 | 0x15 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0x76b14c | 0x4 | data | English | United States
RT_RCDATA | 0x76b150 | 0x12 | data | English | United States
RT_RCDATA | 0x76b164 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0x76b16c | 0x7 | ASCII text, with no line terminators | English | United States
RT_GROUP_ICON | 0x76b174 | 0xbc | data | English | United States
RT_VERSION | 0x76b230 | 0x4fc | data | |
RT_VERSION | 0x76b72c | 0x408 | data | English | United States
RT_MANIFEST | 0x76bb34 | 0x7e2 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll | GetDeviceCaps
USER32.dll | SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll | _controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
Language of compilation system | Country where language is spoken
English | United States
                                      Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

                                      Target ID:0
                                      Start time:01:51:58
                                      Start date:02/03/2023
                                      Path:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\MicrosoftDefaults.exe
                                      Imagebase:0xf00000
                                      File size:7778712 bytes
                                      MD5 hash:23EDDDFD3F65C753AE87F4D3CF12A215
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      Target ID:1
                                      Start time:01:52:01
                                      Start date:02/03/2023
                                      Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe
                                      Imagebase:0xf40000
                                      File size:126344 bytes
                                      MD5 hash:E40AF81D67406FDCD7A1945F5CE454D6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:low

                                      Target ID:2
                                      Start time:01:52:01
                                      Start date:02/03/2023
                                      Path:C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe
                                      Imagebase:0x40000
                                      File size:660416 bytes
                                      MD5 hash:BBD7C942EF0CD6B1EBD57887641F93CD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:low

                                      Target ID:3
                                      Start time:01:52:12
                                      Start date:02/03/2023
                                      Path:C:\Windows\System32\rundll32.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
                                      Imagebase:0x7ff7de2d0000
                                      File size:69632 bytes
                                      MD5 hash:73C519F050C20580F8A62C849D49215A
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                        C-Code - Quality: 100%
                                        			E00F07105() {
                                        				void* _v8;
                                        				struct _FILETIME _v16;
                                        				signed int _v20;
                                        				union _LARGE_INTEGER _v24;
                                        				signed int _t23;
                                        				signed int _t36;
                                        				signed int _t37;
                                        				signed int _t39;
                                        
                                        				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
                                        				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
                                        				_t23 =  *0xf08004; // 0x9cce359
                                        				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
                                        					GetSystemTimeAsFileTime( &_v16);
                                        					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
                                        					_v8 = _v8 ^ GetCurrentProcessId();
                                        					_v8 = _v8 ^ GetCurrentThreadId();
                                        					_v8 = GetTickCount() ^ _v8 ^  &_v8;
                                        					QueryPerformanceCounter( &_v24);
                                        					_t36 = _v20 ^ _v24.LowPart ^ _v8;
                                        					_t39 = _t36;
                                        					if(_t36 == 0xbb40e64e || ( *0xf08004 & 0xffff0000) == 0) {
                                        						_t36 = 0xbb40e64f;
                                        						_t39 = 0xbb40e64f;
                                        					}
                                        					 *0xf08004 = _t39;
                                        				}
                                        				_t37 =  !_t36;
                                        				 *0xf08008 = _t37;
                                        				return _t37;
                                        			}












                                        APIs
                                        • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00F07132
                                        • GetCurrentProcessId.KERNEL32 ref: 00F07141
                                        • GetCurrentThreadId.KERNEL32 ref: 00F0714A
                                        • GetTickCount.KERNEL32 ref: 00F07153
                                        • QueryPerformanceCounter.KERNEL32(?), ref: 00F07168
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.827436342.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true
                                        • Associated: 00000000.00000002.827421073.0000000000F00000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.827453684.0000000000F08000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.827463808.0000000000F0A000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.827463808.0000000000F0C000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_f00000_MicrosoftDefaults.jbxd
                                        Similarity
                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                        • String ID:
                                        • API String ID: 1445889803-0
                                        • Opcode ID: 8c4264e73427159a6dbb72dacf7e3c1d81af2e27a63b2e6b448dd97ebbbdc80c
                                        • Instruction ID: 377c122d0f9f307dbbe9973ac7537fbab09747d9582d2df0238c7a6d37635d00
                                        • Opcode Fuzzy Hash: 8c4264e73427159a6dbb72dacf7e3c1d81af2e27a63b2e6b448dd97ebbbdc80c
                                        • Instruction Fuzzy Hash: 1C111571D01308EBCB10DFB8DA48A9EBBF5FF48354F6548A5E502E7294EA309A05AF45
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:3.3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:12.8%
                                        Total number of Nodes:1353
                                        Total number of Limit Nodes:31
7301->7270 7304 f49435 7302->7304 7305 f479d0 _free 14 API calls 7302->7305 7303->7302 7306 f49447 7304->7306 7307 f479d0 _free 14 API calls 7304->7307 7305->7304 7308 f49459 7306->7308 7309 f479d0 _free 14 API calls 7306->7309 7307->7306 7308->7301 7310 f479d0 _free 14 API calls 7308->7310 7309->7308 7310->7301 7312 f498ad 7311->7312 7313 f498cc 7311->7313 7312->7313 7317 f494a7 7312->7317 7313->7259 7316 f479d0 _free 14 API calls 7316->7313 7318 f49585 7317->7318 7319 f494b8 7317->7319 7318->7316 7353 f4946f 7319->7353 7322 f4946f __fassign 14 API calls 7323 f494cb 7322->7323 7324 f4946f __fassign 14 API calls 7323->7324 7325 f494d6 7324->7325 7326 f4946f __fassign 14 API calls 7325->7326 7327 f494e1 7326->7327 7328 f4946f __fassign 14 API calls 7327->7328 7329 f494ef 7328->7329 7330 f479d0 _free 14 API calls 7329->7330 7331 f494fa 7330->7331 7332 f479d0 _free 14 API calls 7331->7332 7333 f49505 7332->7333 7334 f479d0 _free 14 API calls 7333->7334 7335 f49510 7334->7335 7336 f4946f __fassign 14 API calls 7335->7336 7337 f4951e 7336->7337 7338 f4946f __fassign 14 API calls 7337->7338 7339 f4952c 7338->7339 7340 f4946f __fassign 14 API calls 7339->7340 7341 f4953d 7340->7341 7342 f4946f __fassign 14 API calls 7341->7342 7343 f4954b 7342->7343 7344 f4946f __fassign 14 API calls 7343->7344 7345 f49559 7344->7345 7346 f479d0 _free 14 API calls 7345->7346 7347 f49564 7346->7347 7348 f479d0 _free 14 API calls 7347->7348 7349 f4956f 7348->7349 7350 f479d0 _free 14 API calls 7349->7350 7351 f4957a 7350->7351 7352 f479d0 _free 14 API calls 7351->7352 7352->7318 7354 f494a2 7353->7354 7355 f49492 7353->7355 7354->7322 7355->7354 7356 f479d0 _free 14 API calls 7355->7356 7356->7355 7357->7242 7398 f49f9d 7358->7398 7361 f4a0b0 7362 f4a0bc __FrameHandler3::FrameUnwindToState 7361->7362 7363 f47730 __dosmaperr 14 API calls 7362->7363 7366 f4a0e9 __FrameHandler3::FrameUnwindToState 7362->7366 7369 f4a0e3 __FrameHandler3::FrameUnwindToState 7362->7369 7363->7369 7364 f4a130 7365 
f47035 _free 14 API calls 7364->7365 7367 f4a135 7365->7367 7368 f4a15c 7366->7368 7412 f478c6 EnterCriticalSection 7366->7412 7409 f45bd3 7367->7409 7373 f4a19e 7368->7373 7374 f4a28f 7368->7374 7384 f4a1cd 7368->7384 7369->7364 7369->7366 7387 f4a11a 7369->7387 7373->7384 7413 f475d9 GetLastError 7373->7413 7376 f4a29a 7374->7376 7444 f4790e LeaveCriticalSection 7374->7444 7377 f466e8 __FrameHandler3::FrameUnwindToState 23 API calls 7376->7377 7379 f4a2a2 7377->7379 7381 f475d9 _unexpected 35 API calls 7385 f4a222 7381->7385 7383 f475d9 _unexpected 35 API calls 7383->7384 7440 f4a23c 7384->7440 7386 f475d9 _unexpected 35 API calls 7385->7386 7385->7387 7386->7387 7387->7158 7389 f45a43 __FrameHandler3::FrameUnwindToState 7388->7389 7390 f45a6f IsDebuggerPresent 7389->7390 7391 f45b2f UnhandledExceptionFilter 7390->7391 7394 f45b40 __FrameHandler3::FrameUnwindToState 7391->7394 7393 f45b5e 7393->7157 7458 f429fa 7394->7458 7467 f465c2 7395->7467 7399 f49fa9 __FrameHandler3::FrameUnwindToState 7398->7399 7404 f478c6 EnterCriticalSection 7399->7404 7401 f49fb7 7405 f49ff5 7401->7405 7404->7401 7408 f4790e LeaveCriticalSection 7405->7408 7407 f46e27 7407->7158 7407->7361 7408->7407 7445 f45b6f 7409->7445 7411 f45bdf 7411->7387 7412->7368 7414 f475f0 7413->7414 7417 f475f6 7413->7417 7415 f49cc1 __dosmaperr 6 API calls 7414->7415 7415->7417 7416 f49d00 __dosmaperr 6 API calls 7418 f47614 7416->7418 7417->7416 7437 f475fc SetLastError 7417->7437 7419 f47973 __dosmaperr 14 API calls 7418->7419 7418->7437 7420 f47624 7419->7420 7422 f47643 7420->7422 7423 f4762c 7420->7423 7428 f49d00 __dosmaperr 6 API calls 7422->7428 7426 f49d00 __dosmaperr 6 API calls 7423->7426 7424 f47690 7427 f46e22 __FrameHandler3::FrameUnwindToState 33 API calls 7424->7427 7425 f4768a 7425->7383 7429 f4763a 7426->7429 7430 f47695 7427->7430 7431 f4764f 7428->7431 7434 f479d0 _free 14 API calls 7429->7434 7432 f47664 7431->7432 7433 f47653 7431->7433 7436 f47407 __dosmaperr 14 API calls 7432->7436 
7435 f49d00 __dosmaperr 6 API calls 7433->7435 7434->7437 7435->7429 7438 f4766f 7436->7438 7437->7424 7437->7425 7439 f479d0 _free 14 API calls 7438->7439 7439->7437 7441 f4a242 7440->7441 7443 f4a213 7440->7443 7457 f4790e LeaveCriticalSection 7441->7457 7443->7381 7443->7385 7443->7387 7444->7376 7446 f47730 __dosmaperr 14 API calls 7445->7446 7447 f45b7a 7446->7447 7449 f45b88 7447->7449 7453 f45c00 IsProcessorFeaturePresent 7447->7453 7449->7411 7450 f45bd2 7451 f45b6f ___std_exception_copy 23 API calls 7450->7451 7452 f45bdf 7451->7452 7452->7411 7454 f45c0c 7453->7454 7455 f45a27 __FrameHandler3::FrameUnwindToState 6 API calls 7454->7455 7456 f45c21 GetCurrentProcess TerminateProcess 7455->7456 7456->7450 7457->7443 7459 f42a02 7458->7459 7460 f42a03 IsProcessorFeaturePresent 7458->7460 7459->7393 7462 f42a45 7460->7462 7465 f42a08 7462->7465 7464 f42b28 7464->7393 7466 f42a13 UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7465->7466 7466->7464 7468 f465d0 7467->7468 7477 f465e1 7467->7477 7478 f432b3 GetModuleHandleW 7468->7478 7473 f4661b 7485 f46488 7477->7485 7479 f432bf 7478->7479 7479->7477 7480 f46668 GetModuleHandleExW 7479->7480 7481 f46687 GetProcAddress 7480->7481 7482 f4669c 7480->7482 7481->7482 7483 f466b0 FreeLibrary 7482->7483 7484 f466b9 7482->7484 7483->7484 7484->7477 7486 f46494 __FrameHandler3::FrameUnwindToState 7485->7486 7501 f478c6 EnterCriticalSection 7486->7501 7488 f4649e 7502 f464d5 7488->7502 7490 f464ab 7506 f464c9 7490->7506 7493 f46626 7529 f48e3c GetPEB 7493->7529 7496 f46655 7499 f46668 __FrameHandler3::FrameUnwindToState 3 API calls 7496->7499 7497 f46635 GetPEB 7497->7496 7498 f46645 GetCurrentProcess TerminateProcess 7497->7498 7498->7496 7500 f4665d ExitProcess 7499->7500 7501->7488 7503 f464e1 __FrameHandler3::FrameUnwindToState 7502->7503 7504 f46542 __FrameHandler3::FrameUnwindToState 7503->7504 7509 f46bc1 7503->7509 7504->7490 7528 f4790e LeaveCriticalSection 7506->7528 7508 f464b7 7508->7473 
7508->7493 7512 f468f2 7509->7512 7513 f468fe __FrameHandler3::FrameUnwindToState 7512->7513 7520 f478c6 EnterCriticalSection 7513->7520 7515 f4690c 7521 f46ad1 7515->7521 7520->7515 7522 f46af0 7521->7522 7523 f46919 7521->7523 7522->7523 7524 f479d0 _free 14 API calls 7522->7524 7525 f46941 7523->7525 7524->7523 7526 f4790e __FrameHandler3::FrameUnwindToState LeaveCriticalSection 7525->7526 7527 f4692a 7526->7527 7527->7504 7528->7508 7530 f46630 7529->7530 7531 f48e56 7529->7531 7530->7496 7530->7497 7533 f49be4 7531->7533 7534 f49b61 __dosmaperr 5 API calls 7533->7534 7535 f49c00 7534->7535 7535->7530 7537 f48863 __FrameHandler3::FrameUnwindToState 7536->7537 7538 f4887d 7537->7538 7580 f478c6 EnterCriticalSection 7537->7580 7540 f48756 7538->7540 7543 f46e22 __FrameHandler3::FrameUnwindToState 35 API calls 7538->7543 7547 f484ed 7540->7547 7541 f488b9 7581 f488d6 7541->7581 7544 f488f6 7543->7544 7545 f4888d 7545->7541 7546 f479d0 _free 14 API calls 7545->7546 7546->7541 7585 f45870 7547->7585 7550 f48520 7552 f48525 GetACP 7550->7552 7553 f48537 7550->7553 7551 f4850e GetOEMCP 7551->7553 7552->7553 7553->7116 7554 f47925 7553->7554 7555 f47963 7554->7555 7559 f47933 __dosmaperr 7554->7559 7557 f47035 _free 14 API calls 7555->7557 7556 f4794e HeapAlloc 7558 f47961 7556->7558 7556->7559 7557->7558 7558->7118 7559->7555 7559->7556 7560 f45c43 __dosmaperr 2 API calls 7559->7560 7560->7559 7562 f484ed 37 API calls 7561->7562 7563 f48972 7562->7563 7564 f489e8 __FrameHandler3::FrameUnwindToState 7563->7564 7565 f489ac IsValidCodePage 7563->7565 7566 f429fa CatchGuardHandler 4 API calls 7564->7566 7565->7564 7567 f489be 7565->7567 7568 f487a5 7566->7568 7569 f489ed GetCPInfo 7567->7569 7571 f489c7 __FrameHandler3::FrameUnwindToState 7567->7571 7568->7123 7568->7127 7569->7564 7569->7571 7628 f485c3 7571->7628 7573 f483eb __FrameHandler3::FrameUnwindToState 7572->7573 7712 f478c6 EnterCriticalSection 7573->7712 7575 f483f5 7713 f4842c 7575->7713 7580->7545 7584 
f4790e LeaveCriticalSection 7581->7584 7583 f488dd 7583->7538 7584->7583 7586 f45890 7585->7586 7592 f45887 7585->7592 7587 f475d9 _unexpected 35 API calls 7586->7587 7586->7592 7588 f458b0 7587->7588 7593 f4782b 7588->7593 7592->7550 7592->7551 7594 f458c6 7593->7594 7595 f4783e 7593->7595 7597 f47858 7594->7597 7595->7594 7601 f4997b 7595->7601 7598 f4786b 7597->7598 7600 f47880 7597->7600 7598->7600 7623 f4893f 7598->7623 7600->7592 7602 f49987 __FrameHandler3::FrameUnwindToState 7601->7602 7603 f475d9 _unexpected 35 API calls 7602->7603 7604 f49990 7603->7604 7605 f499d6 7604->7605 7614 f478c6 EnterCriticalSection 7604->7614 7605->7594 7607 f499ae 7615 f499fc 7607->7615 7612 f46e22 __FrameHandler3::FrameUnwindToState 35 API calls 7613 f499fb 7612->7613 7614->7607 7616 f49a0a __fassign 7615->7616 7618 f499bf 7615->7618 7617 f4972f __fassign 14 API calls 7616->7617 7616->7618 7617->7618 7619 f499db 7618->7619 7622 f4790e LeaveCriticalSection 7619->7622 7621 f499d2 7621->7605 7621->7612 7622->7621 7624 f475d9 _unexpected 35 API calls 7623->7624 7625 f48949 7624->7625 7626 f48857 __fassign 35 API calls 7625->7626 7627 f4894f 7626->7627 7627->7600 7629 f485eb GetCPInfo 7628->7629 7630 f486b4 7628->7630 7629->7630 7634 f48603 7629->7634 7631 f429fa CatchGuardHandler 4 API calls 7630->7631 7633 f48741 7631->7633 7633->7564 7639 f495af 7634->7639 7638 f47232 39 API calls 7638->7630 7640 f45870 __fassign 35 API calls 7639->7640 7641 f495cf 7640->7641 7659 f48c4e 7641->7659 7643 f4968d 7644 f429fa CatchGuardHandler 4 API calls 7643->7644 7647 f4866b 7644->7647 7645 f495fc 7645->7643 7646 f47925 15 API calls 7645->7646 7650 f49622 __FrameHandler3::FrameUnwindToState 7645->7650 7646->7650 7654 f47232 7647->7654 7648 f49687 7662 f4727b 7648->7662 7650->7648 7651 f48c4e __fassign MultiByteToWideChar 7650->7651 7652 f49670 7651->7652 7652->7648 7653 f49677 GetStringTypeW 7652->7653 7653->7648 7655 f45870 __fassign 35 API calls 7654->7655 7656 f47245 7655->7656 7666 f47048 
7656->7666 7661 f48c5f MultiByteToWideChar 7659->7661 7661->7645 7663 f47287 7662->7663 7665 f47298 7662->7665 7664 f479d0 _free 14 API calls 7663->7664 7663->7665 7664->7665 7665->7643 7667 f47063 7666->7667 7668 f48c4e __fassign MultiByteToWideChar 7667->7668 7671 f470a7 7668->7671 7669 f4720c 7670 f429fa CatchGuardHandler 4 API calls 7669->7670 7672 f4721f 7670->7672 7671->7669 7673 f47925 15 API calls 7671->7673 7676 f470cc 7671->7676 7672->7638 7673->7676 7674 f48c4e __fassign MultiByteToWideChar 7677 f47112 7674->7677 7675 f4727b __freea 14 API calls 7675->7669 7676->7674 7693 f47171 7676->7693 7677->7693 7694 f49d8d 7677->7694 7680 f47180 7682 f47925 15 API calls 7680->7682 7687 f47192 7680->7687 7681 f47148 7683 f49d8d 6 API calls 7681->7683 7681->7693 7682->7687 7683->7693 7684 f471fd 7685 f4727b __freea 14 API calls 7684->7685 7685->7693 7686 f49d8d 6 API calls 7688 f471da 7686->7688 7687->7684 7687->7686 7688->7684 7700 f48cca 7688->7700 7690 f471f4 7690->7684 7691 f47229 7690->7691 7692 f4727b __freea 14 API calls 7691->7692 7692->7693 7693->7675 7703 f49a66 7694->7703 7697 f47134 7697->7680 7697->7681 7697->7693 7699 f49dde LCMapStringW 7699->7697 7702 f48ce1 WideCharToMultiByte 7700->7702 7702->7690 7704 f49b61 __dosmaperr 5 API calls 7703->7704 7705 f49a7c 7704->7705 7705->7697 7706 f49dea 7705->7706 7709 f49a80 7706->7709 7708 f49df5 7708->7699 7710 f49b61 __dosmaperr 5 API calls 7709->7710 7711 f49a96 7710->7711 7711->7708 7712->7575 7723 f48b45 7713->7723 7715 f4844e 7716 f48b45 23 API calls 7715->7716 7717 f4846d 7716->7717 7718 f479d0 _free 14 API calls 7717->7718 7719 f48402 7717->7719 7718->7719 7720 f48420 7719->7720 7737 f4790e LeaveCriticalSection 7720->7737 7722 f4840e 7722->7119 7724 f48b56 7723->7724 7732 f48b52 __InternalCxxFrameHandler 7723->7732 7725 f48b5d 7724->7725 7729 f48b70 __FrameHandler3::FrameUnwindToState 7724->7729 7726 f47035 _free 14 API calls 7725->7726 7727 f48b62 7726->7727 7728 f45bd3 ___std_exception_copy 23 API 
calls 7727->7728 7728->7732 7730 f48ba7 7729->7730 7731 f48b9e 7729->7731 7729->7732 7730->7732 7735 f47035 _free 14 API calls 7730->7735 7733 f47035 _free 14 API calls 7731->7733 7732->7715 7734 f48ba3 7733->7734 7736 f45bd3 ___std_exception_copy 23 API calls 7734->7736 7735->7734 7736->7732 7737->7722 7739 f46e81 7738->7739 7740 f46e73 7738->7740 7741 f47035 _free 14 API calls 7739->7741 7740->7739 7745 f46e98 7740->7745 7742 f46e89 7741->7742 7743 f45bd3 ___std_exception_copy 23 API calls 7742->7743 7744 f46e93 7743->7744 7744->7066 7745->7744 7746 f47035 _free 14 API calls 7745->7746 7746->7742 7748 f462d1 7747->7748 7749 f46305 7747->7749 7748->7076 7750 f4631c 7749->7750 7751 f479d0 _free 14 API calls 7749->7751 7752 f479d0 _free 14 API calls 7750->7752 7751->7749 7752->7748 7753 f42c50 7754 f42c5c __FrameHandler3::FrameUnwindToState 7753->7754 7780 f42e6e 7754->7780 7756 f42c63 7757 f42db6 7756->7757 7763 f42c8d ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 7756->7763 7815 f43162 IsProcessorFeaturePresent 7757->7815 7759 f42dbd 7820 f46724 7759->7820 7762 f466e8 __FrameHandler3::FrameUnwindToState 23 API calls 7764 f42dcb 7762->7764 7765 f42cac 7763->7765 7766 f42d2d 7763->7766 7800 f466fe 7763->7800 7791 f4327d 7766->7791 7771 f42d3b 7772 f42d48 7771->7772 7773 f432b3 __FrameHandler3::FrameUnwindToState GetModuleHandleW 7772->7773 7774 f42d4f 7773->7774 7774->7759 7775 f42d53 7774->7775 7776 f42d5c 7775->7776 7806 f466d9 7775->7806 7809 f42fdf 7776->7809 7781 f42e77 7780->7781 7823 f43405 IsProcessorFeaturePresent 7781->7823 7785 f42e88 7790 f42e8c 7785->7790 7833 f46d45 7785->7833 7788 f42ea3 7788->7756 7790->7756 7960 f43e50 7791->7960 7794 f42d33 7795 f463c2 7794->7795 7796 f488f7 45 API calls 7795->7796 7797 f463cb 7796->7797 7798 f46405 7797->7798 7962 f48c1d 7797->7962 7798->7771 7801 f46714 __FrameHandler3::FrameUnwindToState __dosmaperr 7800->7801 7801->7766 7802 f475d9 _unexpected 35 API 
calls 7801->7802 7803 f46df7 7802->7803 7804 f46e22 __FrameHandler3::FrameUnwindToState 35 API calls 7803->7804 7805 f46e21 7804->7805 7807 f465c2 __FrameHandler3::FrameUnwindToState 23 API calls 7806->7807 7808 f466e4 7807->7808 7808->7776 7810 f42feb 7809->7810 7811 f42d64 7810->7811 7968 f46d57 7810->7968 7811->7765 7813 f42ff9 7814 f43dfd ___scrt_uninitialize_crt 7 API calls 7813->7814 7814->7811 7816 f43178 __FrameHandler3::FrameUnwindToState 7815->7816 7817 f43223 IsDebuggerPresent 7816->7817 7818 f43260 UnhandledExceptionFilter 7817->7818 7819 f4326e __FrameHandler3::FrameUnwindToState 7818->7819 7819->7759 7821 f465c2 __FrameHandler3::FrameUnwindToState 23 API calls 7820->7821 7822 f42dc3 7821->7822 7822->7762 7824 f42e83 7823->7824 7825 f43dde 7824->7825 7842 f44fd7 7825->7842 7828 f43de7 7828->7785 7830 f43def 7831 f43dfa 7830->7831 7856 f45013 7830->7856 7831->7785 7898 f49f04 7833->7898 7836 f43dfd 7837 f43e06 7836->7837 7838 f43e10 7836->7838 7839 f44099 ___vcrt_uninitialize_ptd 6 API calls 7837->7839 7838->7790 7840 f43e0b 7839->7840 7841 f45013 ___vcrt_uninitialize_locks DeleteCriticalSection 7840->7841 7841->7838 7843 f44fe0 7842->7843 7845 f45009 7843->7845 7846 f43de3 7843->7846 7860 f45214 7843->7860 7847 f45013 ___vcrt_uninitialize_locks DeleteCriticalSection 7845->7847 7846->7828 7848 f44066 7846->7848 7847->7846 7879 f45125 7848->7879 7851 f4407b 7851->7830 7854 f44096 7854->7830 7857 f4501e 7856->7857 7859 f4503d 7856->7859 7858 f45028 DeleteCriticalSection 7857->7858 7858->7858 7858->7859 7859->7828 7865 f450dc 7860->7865 7863 f4524c InitializeCriticalSectionAndSpinCount 7864 f45237 7863->7864 7864->7843 7866 f450f4 7865->7866 7867 f45117 7865->7867 7866->7867 7871 f45042 7866->7871 7867->7863 7867->7864 7870 f45109 GetProcAddress 7870->7867 7877 f4504e ___vcrt_FlsSetValue 7871->7877 7872 f450c2 7872->7867 7872->7870 7873 f45064 LoadLibraryExW 7874 f45082 GetLastError 7873->7874 7875 f450c9 7873->7875 7874->7877 7875->7872 7876 f450d1 
FreeLibrary 7875->7876 7876->7872 7877->7872 7877->7873 7878 f450a4 LoadLibraryExW 7877->7878 7878->7875 7878->7877 7880 f450dc ___vcrt_FlsSetValue 5 API calls 7879->7880 7881 f4513f 7880->7881 7882 f45158 TlsAlloc 7881->7882 7883 f44070 7881->7883 7883->7851 7884 f451d6 7883->7884 7885 f450dc ___vcrt_FlsSetValue 5 API calls 7884->7885 7886 f451f0 7885->7886 7887 f44089 7886->7887 7888 f4520b TlsSetValue 7886->7888 7887->7854 7889 f44099 7887->7889 7888->7887 7890 f440a9 7889->7890 7891 f440a3 7889->7891 7890->7851 7893 f45160 7891->7893 7894 f450dc ___vcrt_FlsSetValue 5 API calls 7893->7894 7895 f4517a 7894->7895 7896 f45192 TlsFree 7895->7896 7897 f45186 7895->7897 7896->7897 7897->7890 7899 f49f14 7898->7899 7900 f42e95 7898->7900 7899->7900 7902 f4927c 7899->7902 7900->7788 7900->7836 7903 f49288 __FrameHandler3::FrameUnwindToState 7902->7903 7914 f478c6 EnterCriticalSection 7903->7914 7905 f4928f 7915 f48f1d 7905->7915 7908 f492ad 7939 f492d3 7908->7939 7914->7905 7916 f48f29 __FrameHandler3::FrameUnwindToState 7915->7916 7917 f48f32 7916->7917 7918 f48f53 7916->7918 7920 f47035 _free 14 API calls 7917->7920 7942 f478c6 EnterCriticalSection 7918->7942 7921 f48f37 7920->7921 7922 f45bd3 ___std_exception_copy 23 API calls 7921->7922 7923 f48f41 7922->7923 7923->7908 7928 f49112 GetStartupInfoW 7923->7928 7924 f48f8b 7950 f48fb2 7924->7950 7927 f48f5f 7927->7924 7943 f48e6d 7927->7943 7929 f491c3 7928->7929 7930 f4912f 7928->7930 7934 f491c8 7929->7934 7930->7929 7931 f48f1d 24 API calls 7930->7931 7932 f49157 7931->7932 7932->7929 7933 f49187 GetFileType 7932->7933 7933->7932 7936 f491cf 7934->7936 7935 f49212 GetStdHandle 7935->7936 7936->7935 7937 f49278 7936->7937 7938 f49225 GetFileType 7936->7938 7937->7908 7938->7936 7959 f4790e LeaveCriticalSection 7939->7959 7941 f492be 7941->7899 7942->7927 7944 f47973 __dosmaperr 14 API calls 7943->7944 7945 f48e7f 7944->7945 7949 f48e8c 7945->7949 7953 f49d42 7945->7953 7946 f479d0 _free 14 API calls 7948 f48ee1 
7946->7948 7948->7927 7949->7946 7958 f4790e LeaveCriticalSection 7950->7958 7952 f48fb9 7952->7923 7954 f49b61 __dosmaperr 5 API calls 7953->7954 7955 f49d5e 7954->7955 7956 f49d7c InitializeCriticalSectionAndSpinCount 7955->7956 7957 f49d67 7955->7957 7956->7957 7957->7945 7958->7952 7959->7941 7961 f43290 GetStartupInfoW 7960->7961 7961->7794 7965 f48bc6 7962->7965 7966 f45870 __fassign 35 API calls 7965->7966 7967 f48bda 7966->7967 7967->7797 7969 f46d74 ___scrt_uninitialize_crt 7968->7969 7970 f46d62 7968->7970 7969->7813 7971 f46d70 7970->7971 7973 f4a52d 7970->7973 7971->7813 7976 f4a3db 7973->7976 7979 f4a32f 7976->7979 7980 f4a33b __FrameHandler3::FrameUnwindToState 7979->7980 7987 f478c6 EnterCriticalSection 7980->7987 7982 f4a345 ___scrt_uninitialize_crt 7983 f4a3b1 7982->7983 7988 f4a2a3 7982->7988 7996 f4a3cf 7983->7996 7987->7982 7989 f4a2af __FrameHandler3::FrameUnwindToState 7988->7989 7999 f4a64a EnterCriticalSection 7989->7999 7991 f4a305 8010 f4a323 7991->8010 7992 f4a2b9 ___scrt_uninitialize_crt 7992->7991 8000 f4a4e5 7992->8000 8143 f4790e LeaveCriticalSection 7996->8143 7998 f4a3bd 7998->7971 7999->7992 8001 f4a4f2 8000->8001 8002 f4a4fb 8000->8002 8003 f4a3db ___scrt_uninitialize_crt 64 API calls 8001->8003 8013 f4a480 8002->8013 8006 f4a4f8 8003->8006 8006->7991 8008 f4a517 8026 f4b50c 8008->8026 8142 f4a65e LeaveCriticalSection 8010->8142 8012 f4a311 8012->7982 8014 f4a4bd 8013->8014 8015 f4a498 8013->8015 8014->8006 8019 f4ac14 8014->8019 8015->8014 8016 f4ac14 ___scrt_uninitialize_crt 23 API calls 8015->8016 8017 f4a4b6 8016->8017 8037 f4bd04 8017->8037 8020 f4ac35 8019->8020 8021 f4ac20 8019->8021 8020->8008 8022 f47035 _free 14 API calls 8021->8022 8023 f4ac25 8022->8023 8024 f45bd3 ___std_exception_copy 23 API calls 8023->8024 8025 f4ac30 8024->8025 8025->8008 8027 f4b51d 8026->8027 8028 f4b52a 8026->8028 8029 f47035 _free 14 API calls 8027->8029 8030 f4b573 8028->8030 8032 f4b551 8028->8032 8036 f4b522 8029->8036 8031 f47035 _free 14 
API calls 8030->8031 8033 f4b578 8031->8033 8111 f4b46a 8032->8111 8035 f45bd3 ___std_exception_copy 23 API calls 8033->8035 8035->8036 8036->8006 8038 f4bd10 __FrameHandler3::FrameUnwindToState 8037->8038 8039 f4bd30 8038->8039 8040 f4bd18 8038->8040 8041 f4bdcb 8039->8041 8045 f4bd62 8039->8045 8062 f47022 8040->8062 8043 f47022 __dosmaperr 14 API calls 8041->8043 8046 f4bdd0 8043->8046 8065 f48fbb EnterCriticalSection 8045->8065 8049 f47035 _free 14 API calls 8046->8049 8047 f47035 _free 14 API calls 8061 f4bd25 8047->8061 8051 f4bdd8 8049->8051 8050 f4bd68 8052 f4bd84 8050->8052 8053 f4bd99 8050->8053 8054 f45bd3 ___std_exception_copy 23 API calls 8051->8054 8055 f47035 _free 14 API calls 8052->8055 8066 f4bdf6 8053->8066 8054->8061 8057 f4bd89 8055->8057 8059 f47022 __dosmaperr 14 API calls 8057->8059 8058 f4bd94 8108 f4bdc3 8058->8108 8059->8058 8061->8014 8063 f47730 __dosmaperr 14 API calls 8062->8063 8064 f47027 8063->8064 8064->8047 8065->8050 8067 f4be18 8066->8067 8081 f4be34 8066->8081 8068 f4be1c 8067->8068 8070 f4be6c 8067->8070 8069 f47022 __dosmaperr 14 API calls 8068->8069 8071 f4be21 8069->8071 8072 f4be82 8070->8072 8074 f4c437 ___scrt_uninitialize_crt 25 API calls 8070->8074 8073 f47035 _free 14 API calls 8071->8073 8075 f4b99d ___scrt_uninitialize_crt 36 API calls 8072->8075 8076 f4be29 8073->8076 8074->8072 8077 f4be8b 8075->8077 8078 f45bd3 ___std_exception_copy 23 API calls 8076->8078 8079 f4be90 8077->8079 8080 f4bec9 8077->8080 8078->8081 8084 f4be94 8079->8084 8085 f4beb6 8079->8085 8082 f4bf23 WriteFile 8080->8082 8083 f4bedd 8080->8083 8081->8058 8089 f4bf46 GetLastError 8082->8089 8091 f4beac 8082->8091 8086 f4bee5 8083->8086 8087 f4bf13 8083->8087 8088 f4bf90 8084->8088 8094 f4b935 ___scrt_uninitialize_crt 6 API calls 8084->8094 8090 f4b589 ___scrt_uninitialize_crt 41 API calls 8085->8090 8092 f4bf03 8086->8092 8093 f4beea 8086->8093 8095 f4ba0e ___scrt_uninitialize_crt 6 API calls 8087->8095 8088->8081 8096 f47035 _free 14 API calls 
8088->8096 8089->8091 8090->8091 8091->8081 8091->8088 8099 f4bf66 8091->8099 8097 f4bbd2 ___scrt_uninitialize_crt 7 API calls 8092->8097 8093->8088 8100 f4bae9 ___scrt_uninitialize_crt 6 API calls 8093->8100 8094->8091 8095->8091 8098 f4bfb1 8096->8098 8097->8091 8101 f47022 __dosmaperr 14 API calls 8098->8101 8102 f4bf84 8099->8102 8103 f4bf6d 8099->8103 8100->8091 8101->8081 8105 f46fff __dosmaperr 14 API calls 8102->8105 8104 f47035 _free 14 API calls 8103->8104 8106 f4bf72 8104->8106 8105->8081 8107 f47022 __dosmaperr 14 API calls 8106->8107 8107->8081 8109 f48fde ___scrt_uninitialize_crt LeaveCriticalSection 8108->8109 8110 f4bdc9 8109->8110 8110->8061 8112 f4b476 __FrameHandler3::FrameUnwindToState 8111->8112 8125 f48fbb EnterCriticalSection 8112->8125 8114 f4b485 8115 f4b4cc 8114->8115 8126 f49092 8114->8126 8117 f47035 _free 14 API calls 8115->8117 8119 f4b4d1 8117->8119 8118 f4b4b1 FlushFileBuffers 8118->8119 8120 f4b4bd 8118->8120 8139 f4b500 8119->8139 8121 f47022 __dosmaperr 14 API calls 8120->8121 8123 f4b4c2 GetLastError 8121->8123 8123->8115 8125->8114 8127 f490b4 8126->8127 8128 f4909f 8126->8128 8130 f47022 __dosmaperr 14 API calls 8127->8130 8132 f490d9 8127->8132 8129 f47022 __dosmaperr 14 API calls 8128->8129 8131 f490a4 8129->8131 8133 f490e4 8130->8133 8134 f47035 _free 14 API calls 8131->8134 8132->8118 8135 f47035 _free 14 API calls 8133->8135 8136 f490ac 8134->8136 8137 f490ec 8135->8137 8136->8118 8138 f45bd3 ___std_exception_copy 23 API calls 8137->8138 8138->8136 8140 f48fde ___scrt_uninitialize_crt LeaveCriticalSection 8139->8140 8141 f4b4e9 8140->8141 8141->8036 8142->8012 8143->7998 8144 f42c3e 8145 f42c43 8144->8145 8148 f468a2 8145->8148 8147 f42c4e 8149 f468ae 8148->8149 8150 f468c8 8148->8150 8149->8150 8151 f47035 _free 14 API calls 8149->8151 8150->8147 8152 f468b8 8151->8152 8153 f45bd3 ___std_exception_copy 23 API calls 8152->8153 8154 f468c3 8153->8154 8154->8147 8626 f474a0 8627 f474bb 8626->8627 8628 f474ab 8626->8628 8632 
f474c1 8628->8632 8631 f479d0 _free 14 API calls 8631->8627 8633 f474d6 8632->8633 8634 f474dc 8632->8634 8635 f479d0 _free 14 API calls 8633->8635 8636 f479d0 _free 14 API calls 8634->8636 8635->8634 8637 f474e8 8636->8637 8638 f479d0 _free 14 API calls 8637->8638 8639 f474f3 8638->8639 8640 f479d0 _free 14 API calls 8639->8640 8641 f474fe 8640->8641 8642 f479d0 _free 14 API calls 8641->8642 8643 f47509 8642->8643 8644 f479d0 _free 14 API calls 8643->8644 8645 f47514 8644->8645 8646 f479d0 _free 14 API calls 8645->8646 8647 f4751f 8646->8647 8648 f479d0 _free 14 API calls 8647->8648 8649 f4752a 8648->8649 8650 f479d0 _free 14 API calls 8649->8650 8651 f47535 8650->8651 8652 f479d0 _free 14 API calls 8651->8652 8653 f47543 8652->8653 8658 f472ed 8653->8658 8659 f472f9 __FrameHandler3::FrameUnwindToState 8658->8659 8674 f478c6 EnterCriticalSection 8659->8674 8661 f4732d 8675 f4734c 8661->8675 8663 f47303 8663->8661 8665 f479d0 _free 14 API calls 8663->8665 8665->8661 8666 f47358 8667 f47364 __FrameHandler3::FrameUnwindToState 8666->8667 8679 f478c6 EnterCriticalSection 8667->8679 8669 f4736e 8670 f4758e __dosmaperr 14 API calls 8669->8670 8671 f47381 8670->8671 8680 f473a1 8671->8680 8674->8663 8678 f4790e LeaveCriticalSection 8675->8678 8677 f4733a 8677->8666 8678->8677 8679->8669 8683 f4790e LeaveCriticalSection 8680->8683 8682 f4738f 8682->8631 8683->8682 9569 f46812 9572 f46777 9569->9572 9573 f46783 __FrameHandler3::FrameUnwindToState 9572->9573 9580 f478c6 EnterCriticalSection 9573->9580 9575 f467bb 9581 f467d9 9575->9581 9577 f4678d 9577->9575 9579 f499fc __fassign 14 API calls 9577->9579 9579->9577 9580->9577 9584 f4790e LeaveCriticalSection 9581->9584 9583 f467c7 9584->9583 8796 f42b8b 8797 f42b93 8796->8797 8813 f4673a 8797->8813 8799 f42b9e 8820 f42ea7 8799->8820 8801 f42c10 8802 f43162 3 API calls 8801->8802 8812 f42c2d 8801->8812 8803 f42c35 8802->8803 8804 f42bb3 __RTC_Initialize 8804->8801 8826 f43034 8804->8826 8806 f42bcc 8806->8801 8829 f430ee 
InitializeSListHead 8806->8829 8808 f42be2 8830 f430fd 8808->8830 8810 f42c05 8836 f46839 8810->8836 8814 f4676c 8813->8814 8815 f46749 8813->8815 8814->8799 8815->8814 8816 f47035 _free 14 API calls 8815->8816 8817 f4675c 8816->8817 8818 f45bd3 ___std_exception_copy 23 API calls 8817->8818 8819 f46767 8818->8819 8819->8799 8821 f42eb7 8820->8821 8822 f42eb3 8820->8822 8823 f43162 3 API calls 8821->8823 8825 f42ec4 ___scrt_release_startup_lock 8821->8825 8822->8804 8824 f42f2d 8823->8824 8825->8804 8843 f43007 8826->8843 8829->8808 8878 f46d87 8830->8878 8832 f4310e 8833 f43115 8832->8833 8834 f43162 3 API calls 8832->8834 8833->8810 8835 f4311d 8834->8835 8835->8810 8837 f475d9 _unexpected 35 API calls 8836->8837 8839 f46844 8837->8839 8838 f4687c 8838->8801 8839->8838 8840 f47035 _free 14 API calls 8839->8840 8841 f46871 8840->8841 8842 f45bd3 ___std_exception_copy 23 API calls 8841->8842 8842->8838 8844 f43016 8843->8844 8845 f4301d 8843->8845 8849 f46bab 8844->8849 8852 f46c17 8845->8852 8848 f4301b 8848->8806 8850 f46c17 26 API calls 8849->8850 8851 f46bbd 8850->8851 8851->8848 8855 f4694d 8852->8855 8856 f46959 __FrameHandler3::FrameUnwindToState 8855->8856 8863 f478c6 EnterCriticalSection 8856->8863 8858 f46967 8864 f469a8 8858->8864 8860 f46974 8874 f4699c 8860->8874 8863->8858 8865 f469c4 8864->8865 8867 f46a3b __dosmaperr 8864->8867 8866 f46a1b 8865->8866 8865->8867 8868 f49e7c 26 API calls 8865->8868 8866->8867 8869 f49e7c 26 API calls 8866->8869 8867->8860 8870 f46a11 8868->8870 8871 f46a31 8869->8871 8873 f479d0 _free 14 API calls 8870->8873 8872 f479d0 _free 14 API calls 8871->8872 8872->8867 8873->8866 8877 f4790e LeaveCriticalSection 8874->8877 8876 f46985 8876->8848 8877->8876 8879 f46da5 8878->8879 8883 f46dc5 8878->8883 8880 f47035 _free 14 API calls 8879->8880 8881 f46dbb 8880->8881 8882 f45bd3 ___std_exception_copy 23 API calls 8881->8882 8882->8883 8883->8832
                                        C-Code - Quality: 67%
                                        			E00F41150(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                        				intOrPtr _v4;
                                        				intOrPtr _v8;
                                        				signed int _v12;
                                        				char _v20;
                                        				signed int _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				signed int _v40;
                                        				signed int _v44;
                                        				signed int _v48;
                                        				signed int _v52;
                                        				signed int _v56;
                                        				signed int _v60;
                                        				signed int _v76;
                                        				char _v80;
                                        				char _v84;
                                        				intOrPtr _v88;
                                        				int** _v92;
                                        				char _v272;
                                        				short _v800;
                                        				short _v804;
                                        				short _v806;
                                        				char _v808;
                                        				short _v820;
                                        				short _v822;
                                        				char _v824;
                                        				char _v848;
                                        				char _v868;
                                        				signed int _v892;
                                        				intOrPtr _v908;
                                        				signed int _v928;
                                        				signed int _v936;
                                        				char _v1080;
                                        				signed int _v1156;
                                        				int* _v1160;
                                        				struct _STARTUPINFOW _v1228;
                                        				signed int _v1232;
                                        				int** _v1240;
                                        				signed int _v1248;
                                        				int** _v1268;
                                        				int _v1276;
                                        				long _v1280;
                                        				signed int _v1284;
                                        				signed int _v1296;
                                        				int* _v1300;
                                        				signed int _v1304;
                                        				int* _v1308;
                                        				short _v1316;
                                        				signed int _v1320;
                                        				int* _v1324;
                                        				int* _v1328;
                                        				short _v1340;
                                        				signed int _v1344;
                                        				intOrPtr _v1348;
                                        				struct _PROCESS_INFORMATION _v1364;
                                        				signed int _v1368;
                                        				int* _v1372;
                                        				signed int _v1376;
                                        				int* _v1380;
                                        				intOrPtr _v1384;
                                        				int* _v1388;
                                        				signed int _v1392;
                                        				short* _v1396;
                                        				signed int _v1400;
                                        				short* _v1404;
                                        				signed int _v1408;
                                        				int* _v1412;
                                        				char _v1420;
                                        				signed int _v1424;
                                        				int* _v1428;
                                        				int* _v1432;
                                        				signed int _v1436;
                                        				char _v1440;
                                        				int* _v1444;
                                        				signed int _v1448;
                                        				int* _v1452;
                                        				int* _v1456;
                                        				signed int _v1460;
                                        				int* _v1464;
                                        				signed int _v1468;
                                        				int* _v1472;
                                        				intOrPtr _v1476;
                                        				int* _v1480;
                                        				int* _v1488;
                                        				signed int _v1492;
                                        				signed int _v1496;
                                        				int** _v1500;
                                        				int** _v1504;
                                        				char _v1508;
                                        				intOrPtr _v1516;
                                        				signed int _v1520;
                                        				signed int _v1564;
                                        				unsigned int _v1568;
                                        				signed int _v1580;
                                        				unsigned int _v1584;
                                        				unsigned int _v1588;
                                        				signed int _v1600;
                                        				short* _v1604;
                                        				signed int _v1612;
                                        				int* _v1624;
                                        				intOrPtr _v1628;
                                        				signed int _v1636;
                                        				unsigned int _v1652;
                                        				int* _v1660;
                                        				signed int _t555;
                                        				long _t561;
                                        				long _t562;
                                        				signed int _t563;
                                        				signed int _t564;
                                        				signed int _t566;
                                        				signed int _t567;
                                        				WCHAR* _t568;
                                        				void* _t570;
                                        				int** _t573;
                                        				signed int _t579;
                                        				signed int _t580;
                                        				signed int _t585;
                                        				signed int _t587;
                                        				signed int _t591;
                                        				signed int _t597;
                                        				intOrPtr _t602;
                                        				signed int _t607;
                                        				int* _t615;
                                        				signed int _t619;
                                        				signed int _t631;
                                        				unsigned int _t633;
                                        				void* _t634;
                                        				void* _t640;
                                        				signed int _t651;
                                        				signed int _t653;
                                        				signed int _t655;
                                        				signed int _t656;
                                        				void* _t657;
                                        				signed int _t659;
                                        				signed int _t660;
                                        				signed int _t677;
                                        				unsigned int _t679;
                                        				void* _t680;
                                        				void* _t681;
                                        				signed int _t683;
                                        				intOrPtr _t686;
                                        				signed int _t700;
                                        				signed int _t701;
                                        				void* _t704;
                                        				void* _t705;
                                        				signed int _t707;
                                        				signed int _t708;
                                        				signed int _t711;
                                        				unsigned int _t713;
                                        				signed int _t717;
                                        				signed int _t718;
                                        				signed int _t722;
                                        				signed int _t727;
                                        				signed int _t729;
                                        				intOrPtr _t734;
                                        				signed int _t736;
                                        				signed int _t738;
                                        				signed int _t745;
                                        				signed int _t752;
                                        				signed int _t759;
                                        				signed short* _t761;
                                        				signed int _t769;
                                        				long _t773;
                                        				intOrPtr _t778;
                                        				signed int _t780;
                                        				signed int _t781;
                                        				short* _t786;
                                        				short* _t788;
                                        				signed int _t792;
                                        				signed int _t795;
                                        				int** _t798;
                                        				intOrPtr _t802;
                                        				intOrPtr _t806;
                                        				signed int _t815;
                                        				char _t818;
                                        				signed int _t821;
                                        				int* _t822;
                                        				intOrPtr _t826;
                                        				intOrPtr _t830;
                                        				intOrPtr _t839;
                                        				int* _t844;
                                        				intOrPtr _t852;
                                        				int* _t869;
                                        				intOrPtr _t873;
                                        				signed int _t877;
                                        				signed char _t884;
                                        				void* _t885;
                                        				intOrPtr* _t886;
                                        				signed int _t889;
                                        				long _t893;
                                        				void* _t894;
                                        				signed int _t895;
                                        				unsigned int _t897;
                                        				signed int _t898;
                                        				signed int* _t899;
                                        				signed int _t910;
                                        				int** _t915;
                                        				signed int _t917;
                                        				signed int _t923;
                                        				signed int _t926;
                                        				signed int _t927;
                                        				signed int _t928;
                                        				unsigned int _t929;
                                        				signed int _t931;
                                        				signed int _t932;
                                        				void* _t940;
                                        				int* _t952;
                                        				void* _t954;
                                        				void* _t957;
                                        				void* _t958;
                                        				signed int _t961;
                                        				intOrPtr* _t962;
                                        				signed int _t966;
                                        				signed int _t969;
                                        				signed short* _t971;
                                        				signed int _t975;
                                        				intOrPtr* _t982;
                                        				intOrPtr* _t986;
                                        				signed int _t993;
                                        				signed int _t996;
                                        				signed int _t1000;
                                        				intOrPtr _t1003;
                                        				intOrPtr _t1004;
                                        				intOrPtr* _t1006;
                                        				signed int _t1011;
                                        				int* _t1013;
                                        				int* _t1014;
                                        				intOrPtr _t1015;
                                        				intOrPtr _t1016;
                                        				int* _t1017;
                                        				int* _t1020;
                                        				intOrPtr _t1021;
                                        				void* _t1022;
                                        				signed int _t1023;
                                        				signed int _t1024;
                                        				signed int _t1026;
                                        				signed int _t1031;
                                        				signed int _t1033;
                                        				intOrPtr _t1034;
                                        				unsigned int _t1036;
                                        				signed int _t1037;
                                        				signed int _t1038;
                                        				intOrPtr* _t1041;
                                        				signed short* _t1043;
                                        				signed short* _t1044;
                                        				void* _t1045;
                                        				void* _t1046;
                                        				signed int _t1047;
                                        				signed int _t1048;
                                        				signed int _t1049;
                                        				signed int _t1050;
                                        				signed int _t1051;
                                        				signed int _t1054;
                                        				signed int _t1055;
                                        				void* _t1056;
                                        				void* _t1057;
                                        				intOrPtr* _t1058;
                                        				void* _t1060;
                                        				signed int _t1061;
                                        				signed int _t1062;
                                        				void* _t1063;
                                        				void* _t1064;
                                        				void* _t1065;
                                        				void* _t1066;
                                        				void* _t1067;
                                        				int* _t1069;
                                        				void* _t1070;
                                        				void* _t1071;
                                        				signed int _t1072;
                                        				signed int _t1074;
                                        				signed int _t1076;
                                        				void* _t1077;
                                        				int** _t1078;
                                        				void* _t1079;
                                        				signed int _t1080;
                                        				unsigned int _t1081;
                                        				signed int _t1082;
                                        				signed int _t1090;
                                        				unsigned int _t1093;
                                        				intOrPtr _t1097;
                                        				void* _t1098;
                                        				void* _t1100;
                                        				short* _t1101;
                                        				signed int _t1106;
                                        				void* _t1107;
                                        				void* _t1108;
                                        				int** _t1109;
                                        				signed int _t1111;
                                        				signed int _t1113;
                                        				short* _t1114;
                                        				unsigned int _t1115;
                                        				signed int _t1117;
                                        				void* _t1119;
                                        				signed int _t1121;
                                        				signed int _t1131;
                                        				void* _t1133;
                                        				void* _t1135;
                                        				void* _t1138;
                                        				signed int _t1139;
                                        				void* _t1141;
                                        				signed int _t1145;
                                        				signed int _t1148;
                                        				void* _t1150;
                                        				void* _t1151;
                                        				void* _t1152;
                                        				signed int _t1164;
                                        				signed int _t1166;
                                        				signed int _t1167;
                                        				signed int _t1171;
                                        				void* _t1172;
                                        				void* _t1178;
                                        				void* _t1179;
                                        				void* _t1180;
                                        				void* _t1181;
                                        
                                        				_t1075 = __edi;
                                        				_t1029 = __edx;
                                        				_t894 = __ebx;
                                        				_push("string too long");
                                        				E00F429DA(__ebx, __edx, __edi, __esi);
                                        				asm("int3");
                                        				asm("int3");
                                        				asm("int3");
                                        				asm("int3");
                                        				asm("int3");
                                        				asm("int3");
                                        				_t1145 = _t1164;
                                        				_t1166 = (_t1164 & 0xfffffff0) - 0x568;
                                        				_t555 =  *0xf5c004; // 0x6a58fef8
                                        				_v12 = _t555 ^ _t1166;
                                        				_push(__esi);
                                        				_push(__edi);
                                        				_v1276 = 0;
                                        				_v1228.wShowWindow = 4;
                                        				E00F43E50(__edi,  &_v272, 0, 0xff);
                                        				_t1167 = _t1166 + 0xc;
                                        				_v1228.dwFillAttribute = 0xffffffff;
                                        				_v1228.dwFlags = 0xff;
                                        				CreateMutexW(0, 0, L"// {9D255ADC-2EB7-47F7-8DE0-7B2F4F9D9EB2}"); // executed
                                        				_t561 = RegOpenKeyW(0x80000002, L"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full",  &_v1276); // executed
                                        				if(_t561 != 0) {
                                        					L92:
                                        					_t562 = GetLastError();
                                        					__eflags = _t562 - 0xb7;
                                        					if(_t562 != 0xb7) {
                                        						L138();
                                        						__eflags = _v1228.dwXSize - 8;
                                        						_t563 =  &(_v1228.lpReserved);
                                        						_t1076 = StrCmpIW;
                                        						_v1388 = _t563;
                                        						if(_v1228.dwXSize < 8) {
                                        							L97:
                                        							_t1106 = 0;
                                        							asm("o16 nop [eax+eax]");
                                        							while(1) {
                                        								_t564 =  *_t1076(_t563,  *((intOrPtr*)(0xf5a510 + _t1106 * 8)));
                                        								__eflags = _t564;
                                        								if(_t564 == 0) {
                                        									break;
                                        								}
                                        								_t563 = _v1396;
                                        								_t1106 = _t1106 + 1;
                                        								__eflags = _t1106 - 0x5f;
                                        								if(_t1106 < 0x5f) {
                                        									continue;
                                        								} else {
                                        									_t1044 = _v1396;
                                        									__eflags = 0;
                                        									_v808 = 0;
                                        									_t975 = 0x3fffffff;
                                        									_v804 = 0;
                                        									_t761 = _t1044;
                                        									while(1) {
                                        										__eflags =  *_t761;
                                        										if( *_t761 == 0) {
                                        											break;
                                        										}
                                        										_t761 =  &(_t761[1]);
                                        										_t975 = _t975 - 1;
                                        										__eflags = _t975;
                                        										if(_t975 != 0) {
                                        											continue;
                                        										}
                                        										break;
                                        									}
                                        									__eflags = _t975;
                                        									if(_t975 == 0) {
                                        										goto L96;
                                        									} else {
                                        										_t763 = 0x3fffffff - _t975;
                                        										asm("sbb ecx, ecx");
                                        										__eflags = ( ~_t975 & 0x3fffffff - _t975 + _t763) - 2;
                                        										if(( ~_t975 & 0x3fffffff - _t975 + _t763) <= 2) {
                                        											goto L96;
                                        										} else {
                                        											_v808 =  *_t1044 & 0x0000ffff;
                                        											_v806 = _t1044[1] & 0x0000ffff;
                                        											_v804 = 0;
                                        											_t1106 = 0;
                                        											__eflags = 0;
                                        											while(1) {
                                        												_t769 =  *_t1076( &_v808,  *((intOrPtr*)(0xf5a510 + _t1106 * 8)));
                                        												__eflags = _t769;
                                        												if(_t769 == 0) {
                                        													break;
                                        												}
                                        												_t1106 = _t1106 + 1;
                                        												__eflags = _t1106 - 0x5f;
                                        												if(_t1106 < 0x5f) {
                                        													continue;
                                        												} else {
                                        													_v1404 = L"StartupInstaller.exe - This installer could not be started.";
                                        												}
                                        												goto L111;
                                        											}
                                        											_v1404 =  *((intOrPtr*)(0xf5a514 + _t1106 * 8));
                                        										}
                                        									}
                                        								}
                                        								goto L111;
                                        							}
                                        							_v1396 =  *((intOrPtr*)(0xf5a514 + _t1106 * 8));
                                        						} else {
                                        							_t563 = _v1228.lpReserved;
                                        							_v1388 = _t563;
                                        							__eflags = _t563;
                                        							if(_t563 != 0) {
                                        								goto L97;
                                        							} else {
                                        								L96:
                                        								_v1396 = L"StartupInstaller.exe - This installer could not be started.";
                                        							}
                                        						}
                                        						L111:
                                        						__eflags = _v1228.dwX - 8;
                                        						_t566 =  &_v1232;
                                        						_v1392 = _t566;
                                        						if(_v1228.dwX < 8) {
                                        							L114:
                                        							_t1106 = 0;
                                        							__eflags = 0;
                                        							while(1) {
                                        								_t567 =  *_t1076(_t566,  *((intOrPtr*)(0xf5a218 + _t1106 * 8)));
                                        								__eflags = _t567;
                                        								if(_t567 == 0) {
                                        									break;
                                        								}
                                        								_t566 = _v1400;
                                        								_t1106 = _t1106 + 1;
                                        								__eflags = _t1106 - 0x5f;
                                        								if(_t1106 < 0x5f) {
                                        									continue;
                                        								} else {
                                        									_t1043 = _v1400;
                                        									__eflags = 0;
                                        									_v824 = 0;
                                        									_t971 = _t1043;
                                        									_v820 = 0;
                                        									_t752 = 0x3fffffff;
                                        									while(1) {
                                        										__eflags =  *_t971;
                                        										if( *_t971 == 0) {
                                        											break;
                                        										}
                                        										_t971 =  &(_t971[1]);
                                        										_t752 = _t752 - 1;
                                        										__eflags = _t752;
                                        										if(_t752 != 0) {
                                        											continue;
                                        										}
                                        										break;
                                        									}
                                        									__eflags = _t752;
                                        									if(_t752 == 0) {
                                        										L125:
                                        										_t568 = L"This installer requires .Net Framework v4.6 or higher. Please install the required .Net Framework and then try to install Enhance Microsoft Edge.\n\nDo you want to install this .Net Framework version now?";
                                        									} else {
                                        										_t973 = 0x3fffffff - _t752;
                                        										asm("sbb eax, eax");
                                        										__eflags = ( ~_t752 & 0x3fffffff - _t752 + _t973) - 2;
                                        										if(( ~_t752 & 0x3fffffff - _t752 + _t973) <= 2) {
                                        											goto L125;
                                        										} else {
                                        											_v824 =  *_t1043 & 0x0000ffff;
                                        											_v822 = _t1043[1] & 0x0000ffff;
                                        											_v820 = 0;
                                        											_t1106 = 0;
                                        											__eflags = 0;
                                        											while(1) {
                                        												_t759 =  *_t1076( &_v824,  *((intOrPtr*)(0xf5a218 + _t1106 * 8)));
                                        												__eflags = _t759;
                                        												if(_t759 == 0) {
                                        													goto L126;
                                        												}
                                        												_t1106 = _t1106 + 1;
                                        												__eflags = _t1106 - 0x5f;
                                        												if(_t1106 < 0x5f) {
                                        													continue;
                                        												} else {
                                        													goto L125;
                                        												}
                                        												goto L127;
                                        											}
                                        											break;
                                        										}
                                        									}
                                        								}
                                        								goto L127;
                                        							}
                                        							L126:
                                        							_t568 =  *(0xf5a21c + _t1106 * 8);
                                        						} else {
                                        							_t566 = _v1232;
                                        							_v1392 = _t566;
                                        							__eflags = _t566;
                                        							if(_t566 != 0) {
                                        								goto L114;
                                        							} else {
                                        								_t568 = L"This installer requires .Net Framework v4.6 or higher. Please install the required .Net Framework and then try to install Enhance Microsoft Edge.\n\nDo you want to install this .Net Framework version now?";
                                        							}
                                        						}
                                        						L127:
                                        						_t570 = MessageBoxW(0, _t568, _v1404, 0x31) - 1;
                                        						__eflags = _t570;
                                        						if(_t570 == 0) {
                                        							ShellExecuteW(_t570, L"open", L"https://go.microsoft.com/fwlink/?linkid=2134832", _t570, _t570, 1);
                                        						}
                                        						_t1030 = _v1228.lpDesktop;
                                        						__eflags = _t1030 - 8;
                                        						if(_t1030 < 8) {
                                        							goto L133;
                                        						} else {
                                        							_t915 = _v1240;
                                        							_t1030 = 2 + _t1030 * 2;
                                        							_t573 = _t915;
                                        							__eflags = _t1030 - 0x1000;
                                        							if(_t1030 < 0x1000) {
                                        								goto L132;
                                        							} else {
                                        								_t915 =  *(_t915 - 4);
                                        								_t1030 = _t1030 + 0x23;
                                        								__eflags = _t573 - _t915 + 0xfffffffc - 0x1f;
                                        								if(__eflags > 0) {
                                        									goto L137;
                                        								} else {
                                        									goto L132;
                                        								}
                                        							}
                                        						}
                                        					} else {
                                        						_pop(_t1098);
                                        						_pop(_t1138);
                                        						__eflags = _v12 ^ _t1167;
                                        						return E00F429FA(0, _t894, _v12 ^ _t1167, _t1029, _t1098, _t1138);
                                        					}
                                        				} else {
                                        					_t773 = RegOpenKeyW(0x80000002, L"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full",  &_v1276); // executed
                                        					if(_t773 != 0) {
                                        						L4:
                                        						_push(0);
                                        						_push(0xf53a68);
                                        						_v1228.lpReserved2 = 0;
                                        						_v1160 = 0;
                                        						_v1156 = 7;
                                        						L190();
                                        						E00F43E50(_t1075,  &_v800, 0, 0x208);
                                        						_t1167 = _t1167 + 0xc;
                                        						GetModuleFileNameW(0,  &_v800, 0x104);
                                        						_t982 =  &_v800;
                                        						_v1388 = 0;
                                        						_v1372 = 0;
                                        						_t1045 = _t982 + 2;
                                        						_v1368 = 7;
                                        						do {
                                        							_t778 =  *_t982;
                                        							_t982 = _t982 + 2;
                                        						} while (_t778 != 0);
                                        						_push(_t982 - _t1045 >> 1);
                                        						_push( &_v800);
                                        						L190();
                                        						_t1139 = _v1380;
                                        						_t1076 =  >=  ? _v1396 :  &_v1396;
                                        						if(_t1139 == 0) {
                                        							L22:
                                        							_t1106 = _t1139 | 0xffffffff;
                                        							__eflags = _t1106;
                                        						} else {
                                        							E00F43E50(_t1076,  &_v1080, 0, 0x100);
                                        							_t1167 = _t1167 + 0xc;
                                        							_t1023 = L"\\/";
                                        							while(1) {
                                        								_t884 =  *_t1023 & 0x0000ffff;
                                        								if(_t884 >= 0x100) {
                                        									break;
                                        								}
                                        								_t1023 = _t1023 + 2;
                                        								 *((char*)(_t1167 + (_t884 & 0x000000ff) + 0x150)) = 1;
                                        								if(_t1023 != 0xf5a1c8) {
                                        									continue;
                                        								} else {
                                        									_t33 = _t1139 - 1; // -1
                                        									_t1028 =  <  ? _t33 : _t1023 | 0xffffffff;
                                        									_t1139 = _t1076 + ( <  ? _t33 : _t1023 | 0xffffffff) * 2;
                                        									while(1) {
                                        										_t889 =  *_t1139 & 0x0000ffff;
                                        										if(_t889 < 0x100 &&  *((char*)(_t1167 + _t889 + 0x150)) != 0) {
                                        											break;
                                        										}
                                        										if(_t1139 == _t1076) {
                                        											goto L22;
                                        										} else {
                                        											_t1139 = _t1139 - 2;
                                        											continue;
                                        										}
                                        										goto L23;
                                        									}
                                        									L21:
                                        									_t1106 = _t1139 - _t1076 >> 1;
                                        								}
                                        								goto L23;
                                        							}
                                        							_t38 = _t1139 - 1; // -1
                                        							_t885 = _t38;
                                        							_t1024 = _t1023 | 0xffffffff;
                                        							__eflags = _t885 - _t1024;
                                        							_t1025 =  <  ? _t885 : _t1024;
                                        							_t1139 = _t1076 + ( <  ? _t885 : _t1024) * 2;
                                        							while(1) {
                                        								L16:
                                        								_t1074 =  *_t1139 & 0x0000ffff;
                                        								_t1026 = 2;
                                        								_t886 = L"\\/";
                                        								while(1) {
                                        									__eflags =  *_t886 - _t1074;
                                        									if( *_t886 == _t1074) {
                                        										goto L21;
                                        									}
                                        									_t886 = _t886 + 2;
                                        									_t1026 = _t1026 - 1;
                                        									__eflags = _t1026;
                                        									if(_t1026 != 0) {
                                        										continue;
                                        									} else {
                                        										__eflags = _t1139 - _t1076;
                                        										if(_t1139 == _t1076) {
                                        											goto L22;
                                        										} else {
                                        											_t1139 = _t1139 - 2;
                                        											goto L16;
                                        										}
                                        									}
                                        									goto L23;
                                        								}
                                        								goto L21;
                                        							}
                                        						}
                                        						L23:
                                        						_t780 = _v1376;
                                        						__eflags = _t780 - 8;
                                        						if(_t780 < 8) {
                                        							L27:
                                        							_t986 =  &_v808;
                                        							_v1396 = 0;
                                        							_v1380 = 0;
                                        							_t1046 = _t986 + 2;
                                        							_v1376 = 7;
                                        							do {
                                        								_t781 =  *_t986;
                                        								_t986 = _t986 + 2;
                                        								__eflags = _t781;
                                        							} while (_t781 != 0);
                                        							_push(_t986 - _t1046 >> 1);
                                        							_push( &_v808);
                                        							L190();
                                        							__eflags = _v1388 - _t1106;
                                        							_v1344 = 0;
                                        							_t1106 =  <  ? _v1388 : _t1106;
                                        							__eflags = _v1384 - 8;
                                        							_push(_t1106);
                                        							_t784 =  >=  ? _v1404 :  &_v1404;
                                        							_push( >=  ? _v1404 :  &_v1404);
                                        							_v1328 = 0;
                                        							_v1324 = 7;
                                        							L190();
                                        							_t1047 = _v1228.dwFillAttribute;
                                        							__eflags = _t1047 - 8;
                                        							if(_t1047 < 8) {
                                        								L33:
                                        								asm("movaps xmm0, [esp+0x50]");
                                        								_t1048 = _v1392;
                                        								asm("movaps [esp+0xe0], xmm0");
                                        								asm("movq xmm0, [esp+0x60]");
                                        								asm("movq [esp+0xf0], xmm0");
                                        								__eflags = _t1048 - 8;
                                        								if(_t1048 < 8) {
                                        									L37:
                                        									_push(1);
                                        									_push("\\");
                                        									_v1412 = 0;
                                        									_v1396 = 0;
                                        									_v1392 = 7;
                                        									L190();
                                        									__eflags = _v1340 - 8;
                                        									_t993 =  >=  ? _v1364.hThread :  &(_v1228.lpTitle);
                                        									_t1076 = _v1404;
                                        									_t786 = _v1400 - _t1076;
                                        									_t1106 = _v1344;
                                        									_v1424 = _t993;
                                        									__eflags = _t1106 - _t786;
                                        									if(_t1106 > _t786) {
                                        										_push(_t1106);
                                        										_push(_t993);
                                        										_push(_t993);
                                        										_v848 = 0;
                                        										_push(_v848);
                                        										_push(_t1106);
                                        										L269();
                                        									} else {
                                        										__eflags = _v1400 - 8;
                                        										_v1404 = _t1106 + _t1076;
                                        										_t1069 =  >=  ? _v1420 :  &_v1420;
                                        										_t852 = _t1106 + _t1106;
                                        										_v848 = _t852;
                                        										_t1101 = _t1076 + _t1076;
                                        										_v1428 = _t1069;
                                        										_v1396 = _t1101;
                                        										__eflags = _t852 + _t993 - _t1069;
                                        										if(_t852 + _t993 <= _t1069) {
                                        											L43:
                                        											_t1076 = _t1106;
                                        										} else {
                                        											__eflags = _t993 - _t1069 + _t1101;
                                        											if(_t993 > _t1069 + _t1101) {
                                        												goto L43;
                                        											} else {
                                        												__eflags = _t1069 - _t993;
                                        												if(_t1069 > _t993) {
                                        													_t1076 = _t1069 - _t993 >> 1;
                                        												} else {
                                        													_t1076 = 0;
                                        												}
                                        											}
                                        										}
                                        										E00F452B0(_v848 + _t1069, _t1069,  &(_v1396[1]));
                                        										_t1106 = _t1076 + _t1076;
                                        										E00F452B0(_v1428, _v1424, _t1106);
                                        										E00F452B0(_v1428 + _t1106, _v1424 + (_t1076 + _v1344) * 2, _v1344 - _t1076 + _v1344 - _t1076);
                                        										_t1167 = _t1167 + 0x24;
                                        										_t786 =  &_v1420;
                                        									}
                                        									asm("movups xmm0, [eax]");
                                        									asm("movups [esp+0x30], xmm0");
                                        									asm("movq xmm0, [eax+0x10]");
                                        									asm("movq [esp+0x40], xmm0");
                                        									 *(_t786 + 0x10) = 0;
                                        									 *(_t786 + 0x14) = 7;
                                        									 *_t786 = 0;
                                        									_t1049 = _v1392;
                                        									_t996 = _v1396;
                                        									_t788 = _t1049 - _t996;
                                        									__eflags = _t788 - 0xf;
                                        									if(_t788 < 0xf) {
                                        										_push(0xf);
                                        										_push(L"MEInstaller.exe");
                                        										_v868 = 0;
                                        										_push(_v868);
                                        										_push(0xf);
                                        										L216();
                                        									} else {
                                        										__eflags = _t1049 - 8;
                                        										_t1106 =  >=  ? _v1412 :  &_v1412;
                                        										_t1076 = _t996 + 0xf;
                                        										_v1396 = _t1076;
                                        										E00F452B0(_t1106 + _t996 * 2, L"MEInstaller.exe", 0x1e);
                                        										_t1167 = _t1167 + 0xc;
                                        										 *((short*)(_t1106 + _t1076 * 2)) = 0;
                                        										_t788 =  &_v1412;
                                        									}
                                        									asm("movups xmm0, [eax]");
                                        									asm("movups [esp+0xb0], xmm0");
                                        									asm("movq xmm0, [eax+0x10]");
                                        									asm("movq [esp+0xc0], xmm0");
                                        									 *(_t788 + 0x10) = 0;
                                        									 *(_t788 + 0x14) = 7;
                                        									 *_t788 = 0;
                                        									_t1050 = _v1408;
                                        									__eflags = _t1050 - 8;
                                        									if(_t1050 < 8) {
                                        										L53:
                                        										_t1051 = _v1436;
                                        										_v1412 = 0;
                                        										_v1408 = 7;
                                        										_v1428 = 0;
                                        										__eflags = _t1051 - 8;
                                        										if(_t1051 < 8) {
                                        											L57:
                                        											_push(0);
                                        											_push(0xf53a68);
                                        											_v1324 = 0;
                                        											_v1308 = 0;
                                        											_v1304 = 7;
                                        											L190();
                                        											_t792 = CommandLineToArgvW(GetCommandLineW(),  &_v1276);
                                        											_t1000 = _v1284;
                                        											_t1076 = _t792;
                                        											_v892 = _t1076;
                                        											__eflags = _t1000 - 1;
                                        											if(_t1000 <= 1) {
                                        												L78:
                                        												__eflags = _v1320 - 8;
                                        												_v1228.cb = 0x44;
                                        												asm("xorps xmm0, xmm0");
                                        												_t1002 =  >=  ? _v1340 :  &_v1340;
                                        												__eflags = _v1296 - 8;
                                        												_t794 =  >=  ? _v1316 :  &_v1316;
                                        												asm("movlpd [esp+0x134], xmm0");
                                        												asm("movlpd [esp+0x13c], xmm0");
                                        												asm("movlpd [esp+0x144], xmm0");
                                        												asm("movlpd [esp+0x14c], xmm0");
                                        												asm("movlpd [esp+0x154], xmm0");
                                        												asm("movlpd [esp+0x15c], xmm0");
                                        												asm("movlpd [esp+0x164], xmm0");
                                        												asm("movlpd [esp+0x16c], xmm0");
                                        												asm("movaps [esp+0xa8], xmm0"); // executed
                                        												_t795 = CreateProcessW( >=  ? _v1316 :  &_v1316,  >=  ? _v1340 :  &_v1340, 0, 0, 0, 0, 0, 0,  &_v1228,  &_v1364); // executed
                                        												__eflags = _t795;
                                        												if(_t795 != 0) {
                                        													WaitForSingleObject(_v1364.hProcess, 0xffffffff);
                                        													GetExitCodeProcess(_v1364.hProcess,  &_v1280);
                                        													_t1106 = CloseHandle;
                                        													CloseHandle(_v1364.hThread);
                                        													CloseHandle(_v1364);
                                        												}
                                        												_t1054 = _v1320;
                                        												__eflags = _t1054 - 8;
                                        												if(_t1054 < 8) {
                                        													L84:
                                        													_t1055 = _v1296;
                                        													_v1324 = 0;
                                        													_v1320 = 7;
                                        													_v1340 = 0;
                                        													__eflags = _t1055 - 8;
                                        													if(_t1055 < 8) {
                                        														L88:
                                        														_t1030 = _v1248;
                                        														_v1300 = 0;
                                        														_v1296 = 7;
                                        														_v1316 = 0;
                                        														__eflags = _t1030 - 8;
                                        														if(_t1030 < 8) {
                                        															L133:
                                        															_pop(_t1077);
                                        															_pop(_t1107);
                                        															__eflags = _v28 ^ _t1167;
                                        															return E00F429FA(_v1228.dwXSize, _t894, _v28 ^ _t1167, _t1030, _t1077, _t1107);
                                        														} else {
                                        															_t915 = _v1268;
                                        															_t1030 = 2 + _t1030 * 2;
                                        															_t798 = _t915;
                                        															__eflags = _t1030 - 0x1000;
                                        															if(_t1030 < 0x1000) {
                                        																L132:
                                        																_push(_t1030);
                                        																E00F42B5A(_t915);
                                        																_t1167 = _t1167 + 8;
                                        																goto L133;
                                        															} else {
                                        																_t915 =  *(_t915 - 4);
                                        																_t1030 = _t1030 + 0x23;
                                        																__eflags = _t798 - _t915 + 0xfffffffc - 0x1f;
                                        																if(__eflags > 0) {
                                        																	goto L136;
                                        																} else {
                                        																	goto L132;
                                        																}
                                        															}
                                        														}
                                        													} else {
                                        														_t1003 = _v1316;
                                        														_t1056 = 2 + _t1055 * 2;
                                        														_t802 = _t1003;
                                        														__eflags = _t1056 - 0x1000;
                                        														if(_t1056 < 0x1000) {
                                        															L87:
                                        															_push(_t1056);
                                        															E00F42B5A(_t1003);
                                        															_t1167 = _t1167 + 8;
                                        															goto L88;
                                        														} else {
                                        															_t915 =  *(_t1003 - 4);
                                        															_t1030 = _t1056 + 0x23;
                                        															__eflags = _t802 - _t915 + 0xfffffffc - 0x1f;
                                        															if(__eflags > 0) {
                                        																goto L136;
                                        															} else {
                                        																goto L87;
                                        															}
                                        														}
                                        													}
                                        												} else {
                                        													_t1004 = _v1340;
                                        													_t1057 = 2 + _t1054 * 2;
                                        													_t806 = _t1004;
                                        													__eflags = _t1057 - 0x1000;
                                        													if(_t1057 < 0x1000) {
                                        														L83:
                                        														_push(_t1057);
                                        														E00F42B5A(_t1004);
                                        														_t1167 = _t1167 + 8;
                                        														goto L84;
                                        													} else {
                                        														_t915 =  *(_t1004 - 4);
                                        														_t1030 = _t1057 + 0x23;
                                        														__eflags = _t806 - _t915 + 0xfffffffc - 0x1f;
                                        														if(__eflags > 0) {
                                        															goto L136;
                                        														} else {
                                        															goto L83;
                                        														}
                                        													}
                                        												}
                                        											} else {
                                        												_t1106 = 0;
                                        												_v1476 = 0;
                                        												__eflags = _t1000;
                                        												if(_t1000 > 0) {
                                        													do {
                                        														_push(1);
                                        														_push(" ");
                                        														_v1444 = 0;
                                        														_v1428 = 0;
                                        														_v1424 = 7;
                                        														L190();
                                        														_t1058 =  *((intOrPtr*)(_t1076 + _t1106 * 4));
                                        														_t1006 = _t1058;
                                        														_v1480 = 0;
                                        														_v1464 = 0;
                                        														_v1460 = 7;
                                        														_t1100 = _t1006 + 2;
                                        														do {
                                        															_t815 =  *_t1006;
                                        															_t1006 = _t1006 + 2;
                                        															__eflags = _t815;
                                        														} while (_t815 != 0);
                                        														_push(_t1006 - _t1100 >> 1);
                                        														_push(_t1058);
                                        														L190();
                                        														_push( &_v1460);
                                        														_push( &_v1488);
                                        														_push(_v908);
                                        														L238();
                                        														__eflags = _v1420 - 8;
                                        														_t818 = _v1440;
                                        														_t1076 = _v1364.dwThreadId;
                                        														_t1060 =  >=  ? _t818 :  &_v1440;
                                        														_t1011 = _v1424;
                                        														_v1476 = _t818;
                                        														_v928 = _t1076;
                                        														__eflags = _t1011 - _v1348 - _t1076;
                                        														if(_t1011 > _v1348 - _t1076) {
                                        															_push(_t1011);
                                        															_push(_t1060);
                                        															_v1508 = 0;
                                        															_push(_v1508);
                                        															_push(_t1011);
                                        															L216();
                                        															_t1013 = _v1456;
                                        														} else {
                                        															_t1076 = _t1076 + _t1011;
                                        															__eflags = _v1348 - 8;
                                        															_t1141 =  >=  ? _v1368 :  &_v1368;
                                        															_v1364.dwThreadId = _t1076;
                                        															E00F452B0(_t1141 + _v928 * 2, _t1060, _t1011 + _t1011);
                                        															_t1013 = _v1476;
                                        															_t1167 = _t1167 + 0xc;
                                        															 *((short*)(_t1141 + _t1076 * 2)) = 0;
                                        															_t1106 = _v1504;
                                        														}
                                        														_t821 = _v1436;
                                        														__eflags = _t821 - 8;
                                        														if(_t821 < 8) {
                                        															L69:
                                        															_t1061 = _v1496;
                                        															__eflags = _t1061 - 8;
                                        															if(_t1061 < 8) {
                                        																L73:
                                        																_t1062 = _v1468;
                                        																__eflags = _t1062 - 8;
                                        																if(_t1062 < 8) {
                                        																	goto L77;
                                        																} else {
                                        																	_t1014 = _v1488;
                                        																	_t1063 = 2 + _t1062 * 2;
                                        																	_t822 = _t1014;
                                        																	__eflags = _t1063 - 0x1000;
                                        																	if(_t1063 < 0x1000) {
                                        																		L76:
                                        																		_push(_t1063);
                                        																		E00F42B5A(_t1014);
                                        																		_t1167 = _t1167 + 8;
                                        																		goto L77;
                                        																	} else {
                                        																		_t915 =  *(_t1014 - 4);
                                        																		_t1030 = _t1063 + 0x23;
                                        																		__eflags = _t822 - _t915 + 0xfffffffc - 0x1f;
                                        																		if(__eflags > 0) {
                                        																			goto L136;
                                        																		} else {
                                        																			goto L76;
                                        																		}
                                        																	}
                                        																}
                                        															} else {
                                        																_t1015 = _v1516;
                                        																_t1064 = 2 + _t1061 * 2;
                                        																_t826 = _t1015;
                                        																__eflags = _t1064 - 0x1000;
                                        																if(_t1064 < 0x1000) {
                                        																	L72:
                                        																	_push(_t1064);
                                        																	E00F42B5A(_t1015);
                                        																	_t1167 = _t1167 + 8;
                                        																	goto L73;
                                        																} else {
                                        																	_t915 =  *(_t1015 - 4);
                                        																	_t1030 = _t1064 + 0x23;
                                        																	__eflags = _t826 - _t915 + 0xfffffffc - 0x1f;
                                        																	if(__eflags > 0) {
                                        																		goto L136;
                                        																	} else {
                                        																		goto L72;
                                        																	}
                                        																}
                                        															}
                                        														} else {
                                        															_t1065 = 2 + _t821 * 2;
                                        															_t830 = _t1013;
                                        															__eflags = _t1065 - 0x1000;
                                        															if(_t1065 < 0x1000) {
                                        																L68:
                                        																_push(_t1065);
                                        																E00F42B5A(_t1013);
                                        																_t1167 = _t1167 + 8;
                                        																goto L69;
                                        															} else {
                                        																_t915 =  *(_t1013 - 4);
                                        																_t1030 = _t1065 + 0x23;
                                        																__eflags = _t830 - _t915 + 0xfffffffc - 0x1f;
                                        																if(__eflags > 0) {
                                        																	goto L136;
                                        																} else {
                                        																	goto L68;
                                        																}
                                        															}
                                        														}
                                        														goto L293;
                                        														L77:
                                        														_t1076 = _v936;
                                        														_t1106 = _t1106 + 1;
                                        														_v1520 = _t1106;
                                        														__eflags = _t1106 - _v1328;
                                        													} while (_t1106 < _v1328);
                                        												}
                                        												goto L78;
                                        											}
                                        										} else {
                                        											_t1016 = _v1456;
                                        											_t1066 = 2 + _t1051 * 2;
                                        											_t839 = _t1016;
                                        											__eflags = _t1066 - 0x1000;
                                        											if(_t1066 < 0x1000) {
                                        												L56:
                                        												_push(_t1066);
                                        												E00F42B5A(_t1016);
                                        												_t1167 = _t1167 + 8;
                                        												goto L57;
                                        											} else {
                                        												_t915 =  *(_t1016 - 4);
                                        												_t1030 = _t1066 + 0x23;
                                        												__eflags = _t839 - _t915 + 0xfffffffc - 0x1f;
                                        												if(__eflags > 0) {
                                        													goto L135;
                                        												} else {
                                        													goto L56;
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										_t1017 = _v1428;
                                        										_t1067 = 2 + _t1050 * 2;
                                        										_t844 = _t1017;
                                        										__eflags = _t1067 - 0x1000;
                                        										if(_t1067 < 0x1000) {
                                        											L52:
                                        											_push(_t1067);
                                        											E00F42B5A(_t1017);
                                        											_t1167 = _t1167 + 8;
                                        											goto L53;
                                        										} else {
                                        											_t915 =  *(_t1017 - 4);
                                        											_t1030 = _t1067 + 0x23;
                                        											__eflags = _t844 - _t915 + 0xfffffffc - 0x1f;
                                        											if(__eflags > 0) {
                                        												goto L135;
                                        											} else {
                                        												goto L52;
                                        											}
                                        										}
                                        									}
                                        								} else {
                                        									_t1020 = _v1412;
                                        									_t1070 = 2 + _t1048 * 2;
                                        									_t869 = _t1020;
                                        									__eflags = _t1070 - 0x1000;
                                        									if(_t1070 < 0x1000) {
                                        										L36:
                                        										_push(_t1070);
                                        										E00F42B5A(_t1020);
                                        										_t1167 = _t1167 + 8;
                                        										goto L37;
                                        									} else {
                                        										_t915 =  *(_t1020 - 4);
                                        										_t1030 = _t1070 + 0x23;
                                        										__eflags = _t869 - _t915 + 0xfffffffc - 0x1f;
                                        										if(__eflags > 0) {
                                        											goto L136;
                                        										} else {
                                        											goto L36;
                                        										}
                                        									}
                                        								}
                                        							} else {
                                        								_t1021 = _v1228.dwY;
                                        								_t1071 = 2 + _t1047 * 2;
                                        								_t873 = _t1021;
                                        								__eflags = _t1071 - 0x1000;
                                        								if(_t1071 < 0x1000) {
                                        									L32:
                                        									_push(_t1071);
                                        									E00F42B5A(_t1021);
                                        									_t1167 = _t1167 + 8;
                                        									goto L33;
                                        								} else {
                                        									_t915 =  *(_t1021 - 4);
                                        									_t1030 = _t1071 + 0x23;
                                        									__eflags = _t873 - _t915 + 0xfffffffc - 0x1f;
                                        									if(__eflags > 0) {
                                        										goto L136;
                                        									} else {
                                        										goto L32;
                                        									}
                                        								}
                                        							}
                                        						} else {
                                        							_t1072 = _v1396;
                                        							_t1022 = 2 + _t780 * 2;
                                        							_t877 = _t1072;
                                        							__eflags = _t1022 - 0x1000;
                                        							if(_t1022 < 0x1000) {
                                        								L26:
                                        								_push(_t1022);
                                        								E00F42B5A(_t1072);
                                        								_t1167 = _t1167 + 8;
                                        								goto L27;
                                        							} else {
                                        								_t1030 =  *(_t1072 - 4);
                                        								_t915 = _t1022 + 0x23;
                                        								__eflags = _t877 -  *(_t1072 - 4) + 0xfffffffc - 0x1f;
                                        								if(__eflags > 0) {
                                        									E00F45BE3(_t894, _t915, _t1030, __eflags);
                                        									L135:
                                        									E00F45BE3(_t894, _t915, _t1030, __eflags);
                                        									L136:
                                        									E00F45BE3(_t894, _t915, _t1030, __eflags);
                                        									L137:
                                        									E00F45BE3(_t894, _t915, _t1030, __eflags);
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									asm("int3");
                                        									_t895 = _t1167;
                                        									_t1171 = (_t1167 - 0x00000008 & 0xfffffff8) + 4;
                                        									_v1424 =  *(_t895 + 4);
                                        									_t1148 = _t1171;
                                        									_t1172 = _t1171 - 0x40;
                                        									_t579 =  *0xf5c004; // 0x6a58fef8
                                        									_t580 = _t579 ^ _t1148;
                                        									_v1448 = _t580;
                                        									 *[fs:0x0] =  &_v1440;
                                        									_t1078 = _t915;
                                        									_v1504 = _t1078;
                                        									_v1500 = _t1078;
                                        									_v1488 = 0;
                                        									_v1500 = _t1078;
                                        									_v1464 = 0;
                                        									_v1492 = 0;
                                        									_v1472 = 0;
                                        									_v1468 = 7;
                                        									_v1488 = 0;
                                        									L190();
                                        									_v1432 = 0;
                                        									__imp__GetUserPreferredUILanguages(8,  &_v1464, 0,  &_v1492, 0xf53a68, 0, _t580, _t1076, _t1106, _t895,  *[fs:0x0], 0xf4e605, 0xffffffff, _t1145, _t894);
                                        									_t585 = _v1492;
                                        									_t917 = 0;
                                        									_v1452 = 0;
                                        									asm("xorps xmm0, xmm0");
                                        									asm("movq [ebp-0x20], xmm0");
                                        									_v1460 = 0;
                                        									_v1456 = 0;
                                        									_v1452 = 0;
                                        									_v1496 = _t585;
                                        									__eflags = _t585;
                                        									if(_t585 == 0) {
                                        										L148:
                                        										_v20 = 1;
                                        										_t587 =  &_v52;
                                        										__imp__GetUserPreferredUILanguages(8, _t587, _t917,  &_v80);
                                        										__eflags = _t587;
                                        										if(_t587 == 0) {
                                        											L166:
                                        											_push(5);
                                        											 *_t1078 = 0;
                                        											_t1078[4] = 0;
                                        											_t1078[5] = 7;
                                        											_push(L"en-us");
                                        											 *_t1078 = 0;
                                        											L190();
                                        											_t1031 = _v48;
                                        											__eflags = _t1031;
                                        											if(_t1031 == 0) {
                                        												L170:
                                        												_t1032 = _v56;
                                        												__eflags = _t1032 - 8;
                                        												if(_t1032 < 8) {
                                        													goto L165;
                                        												} else {
                                        													_t923 = _v76;
                                        													_t1032 = 2 + _t1032 * 2;
                                        													_t591 = _t923;
                                        													__eflags = _t1032 - 0x1000;
                                        													if(_t1032 < 0x1000) {
                                        														goto L164;
                                        													} else {
                                        														_t923 =  *(_t923 - 4);
                                        														_t1032 = _t1032 + 0x23;
                                        														__eflags = _t591 - _t923 + 0xfffffffc - 0x1f;
                                        														if(__eflags <= 0) {
                                        															goto L164;
                                        														} else {
                                        															goto L173;
                                        														}
                                        													}
                                        												}
                                        											} else {
                                        												_t722 = _t1031;
                                        												_t961 = _v40 - _t1031 & 0xfffffffe;
                                        												__eflags = _t961 - 0x1000;
                                        												if(_t961 < 0x1000) {
                                        													L169:
                                        													_push(_t961);
                                        													E00F42B5A(_t1031);
                                        													_t1172 = _t1172 + 8;
                                        													_v48 = 0;
                                        													_v44 = 0;
                                        													_v40 = 0;
                                        													goto L170;
                                        												} else {
                                        													_t1032 =  *(_t1031 - 4);
                                        													_t923 = _t961 + 0x23;
                                        													__eflags = _t722 -  *(_t1031 - 4) + 0xfffffffc - 0x1f;
                                        													if(__eflags > 0) {
                                        														goto L173;
                                        													} else {
                                        														goto L169;
                                        													}
                                        												}
                                        											}
                                        										} else {
                                        											_t1041 = _v48;
                                        											_t727 = _v44 - _t1041;
                                        											__eflags = _t727;
                                        											if(_t727 == 0) {
                                        												goto L166;
                                        											} else {
                                        												__eflags = _v52;
                                        												if(_v52 <= 0) {
                                        													goto L166;
                                        												} else {
                                        													_t962 = _t1041;
                                        													_t1135 = _t962 + 2;
                                        													do {
                                        														_t729 =  *_t962;
                                        														_t962 = _t962 + 2;
                                        														__eflags = _t729;
                                        													} while (_t729 != 0);
                                        													_push(_t962 - _t1135 >> 1);
                                        													_push(_t1041);
                                        													L190();
                                        													__eflags = _v56 - 8;
                                        													_t966 = _v76;
                                        													_t731 =  >=  ? _t966 :  &_v76;
                                        													_v84 =  >=  ? _t966 :  &_v76;
                                        													_t733 =  >=  ? _t966 :  &_v76;
                                        													_t734 = ( >=  ? _t966 :  &_v76) + _v60 * 2;
                                        													_v88 = _t734;
                                        													_t1106 =  >=  ? _t966 :  &_v76;
                                        													__eflags = _t1106 - _t734;
                                        													if(_t1106 != _t734) {
                                        														_t345 =  &_v84;
                                        														 *_t345 = _v84 - _t1106;
                                        														__eflags =  *_t345;
                                        														_t1097 = _v84;
                                        														do {
                                        															 *((short*)(_t1097 + _t1106)) = E00F459F7( *_t1106 & 0x0000ffff);
                                        															_t1172 = _t1172 + 4;
                                        															_t1106 = _t1106 + 2;
                                        															__eflags = _t1106 - _v88;
                                        														} while (_t1106 != _v88);
                                        														_t1078 = _v92;
                                        													}
                                        													__eflags = _v60;
                                        													if(_v60 == 0) {
                                        														goto L166;
                                        													} else {
                                        														asm("movups xmm0, [ebp-0x3c]");
                                        														_t1032 = _v48;
                                        														 *_t1078 = 0;
                                        														_t1078[4] = 0;
                                        														_t1078[5] = 0;
                                        														_v76 = 0;
                                        														asm("movups [edi], xmm0");
                                        														asm("movq xmm0, [ebp-0x2c]");
                                        														asm("movq [edi+0x10], xmm0");
                                        														_v60 = 0;
                                        														_v56 = 7;
                                        														__eflags = _t1032;
                                        														if(_t1032 == 0) {
                                        															L165:
                                        															 *[fs:0x0] = _v28;
                                        															_pop(_t1079);
                                        															_pop(_t1108);
                                        															__eflags = _v36 ^ _t1148;
                                        															return E00F429FA(_t1078, _t895, _v36 ^ _t1148, _t1032, _t1079, _t1108);
                                        														} else {
                                        															_t736 = _t1032;
                                        															_t969 = _v40 - _t1032 & 0xfffffffe;
                                        															__eflags = _t969 - 0x1000;
                                        															if(_t969 < 0x1000) {
                                        																L161:
                                        																_push(_t969);
                                        																E00F42B5A(_t1032);
                                        																_t1032 = _v56;
                                        																_t1172 = _t1172 + 8;
                                        																_v48 = 0;
                                        																_v44 = 0;
                                        																_v40 = 0;
                                        																__eflags = _t1032 - 8;
                                        																if(_t1032 < 8) {
                                        																	goto L165;
                                        																} else {
                                        																	_t923 = _v76;
                                        																	_t1032 = 2 + _t1032 * 2;
                                        																	_t738 = _t923;
                                        																	__eflags = _t1032 - 0x1000;
                                        																	if(_t1032 < 0x1000) {
                                        																		L164:
                                        																		_push(_t1032);
                                        																		E00F42B5A(_t923);
                                        																		goto L165;
                                        																	} else {
                                        																		_t923 =  *(_t923 - 4);
                                        																		_t1032 = _t1032 + 0x23;
                                        																		__eflags = _t738 - _t923 + 0xfffffffc - 0x1f;
                                        																		if(__eflags > 0) {
                                        																			goto L173;
                                        																		} else {
                                        																			goto L164;
                                        																		}
                                        																	}
                                        																}
                                        															} else {
                                        																_t1032 =  *(_t1032 - 4);
                                        																_t923 = _t969 + 0x23;
                                        																__eflags = _t736 - _t1032 + 0xfffffffc - 0x1f;
                                        																if(__eflags > 0) {
                                        																	goto L173;
                                        																} else {
                                        																	goto L161;
                                        																}
                                        															}
                                        														}
                                        													}
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										__eflags = _t585 - 0x7fffffff;
                                        										if(_t585 > 0x7fffffff) {
                                        											L174:
                                        											L268();
                                        											goto L175;
                                        										} else {
                                        											_t1106 = _t585 + _t585;
                                        											__eflags = _t1106 - 0x1000;
                                        											if(_t1106 < 0x1000) {
                                        												__eflags = _t1106;
                                        												if(__eflags == 0) {
                                        													_t745 = 0;
                                        													__eflags = 0;
                                        												} else {
                                        													_t745 = E00F42B2A(_t1106, __eflags, _t1106);
                                        													_t1172 = _t1172 + 4;
                                        												}
                                        												goto L147;
                                        											} else {
                                        												_t318 = _t1106 + 0x23; // 0x7618f5f3
                                        												_t747 = _t318;
                                        												__eflags = _t318 - _t1106;
                                        												if(__eflags <= 0) {
                                        													L175:
                                        													E00F410B0();
                                        													asm("int3");
                                        													asm("int3");
                                        													asm("int3");
                                        													asm("int3");
                                        													asm("int3");
                                        													asm("int3");
                                        													_push(_t1106);
                                        													_t1109 = _t923;
                                        													_t597 =  *_t1109;
                                        													__eflags = _t597;
                                        													if(_t597 == 0) {
                                        														L181:
                                        														return _t597;
                                        													} else {
                                        														_t926 = _t1109[2] - _t597 & 0xfffffffe;
                                        														__eflags = _t926 - 0x1000;
                                        														if(_t926 < 0x1000) {
                                        															L180:
                                        															_push(_t926);
                                        															_t597 = E00F42B5A(_t597);
                                        															 *_t1109 = 0;
                                        															_t1109[1] = 0;
                                        															_t1109[2] = 0;
                                        															goto L181;
                                        														} else {
                                        															_t1033 =  *(_t597 - 4);
                                        															_t926 = _t926 + 0x23;
                                        															__eflags = _t597 - _t1033 + 0xfffffffc - 0x1f;
                                        															if(__eflags > 0) {
                                        																E00F45BE3(_t895, _t926, _t1033, __eflags);
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																asm("int3");
                                        																_push(_t1109);
                                        																_t1111 = _t926;
                                        																_t927 =  *(_t1111 + 0x14);
                                        																__eflags = _t927 - 8;
                                        																if(_t927 < 8) {
                                        																	L188:
                                        																	__eflags = 0;
                                        																	 *(_t1111 + 0x10) = 0;
                                        																	 *(_t1111 + 0x14) = 7;
                                        																	 *_t1111 = 0;
                                        																	return 0;
                                        																} else {
                                        																	_t602 =  *_t1111;
                                        																	_t928 = 2 + _t927 * 2;
                                        																	__eflags = _t928 - 0x1000;
                                        																	if(_t928 < 0x1000) {
                                        																		L187:
                                        																		_push(_t928);
                                        																		E00F42B5A(_t602);
                                        																		goto L188;
                                        																	} else {
                                        																		_t1034 =  *((intOrPtr*)(_t602 - 4));
                                        																		_t928 = _t928 + 0x23;
                                        																		__eflags = _t602 - _t1034 + 0xfffffffc - 0x1f;
                                        																		if(__eflags > 0) {
                                        																			E00F45BE3(_t895, _t928, _t1034, __eflags);
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			asm("int3");
                                        																			_push(_t1148);
                                        																			_t1150 = _t1172;
                                        																			_t1178 = _t1172 - 0xc;
                                        																			_t607 = _v1564;
                                        																			_t1035 = _v1568;
                                        																			_push(_t895);
                                        																			_push(_t1111);
                                        																			_push(_t1078);
                                        																			_t1080 = _t928;
                                        																			_v1584 = _v1568;
                                        																			_v1580 = _t607;
                                        																			_t929 =  *(_t1080 + 0x14);
                                        																			_v1588 = _t929;
                                        																			__eflags = _t607 - _t929;
                                        																			if(_t607 > _t929) {
                                        																				__eflags = _t607 - 0x7ffffffe;
                                        																				if(_t607 > 0x7ffffffe) {
                                        																					L214:
                                        																					E00F41150(_t895, _t1035, _t1080, _t1111);
                                        																					goto L215;
                                        																				} else {
                                        																					_t1131 = _t607 | 0x00000007;
                                        																					__eflags = _t1131 - 0x7ffffffe;
                                        																					if(_t1131 <= 0x7ffffffe) {
                                        																						_t1035 = _t929 >> 1;
                                        																						__eflags = _t929 - 0x7ffffffe - _t1035;
                                        																						if(_t929 <= 0x7ffffffe - _t1035) {
                                        																							_t704 = _t1035 + _t929;
                                        																							__eflags = _t1131 - _t704;
                                        																							_t1111 =  <  ? _t704 : _t1131;
                                        																							_t403 = _t1111 + 1; // 0x6a58fef9
                                        																							_t705 = _t403;
                                        																							__eflags = _t705 - 0x7fffffff;
                                        																							if(_t705 > 0x7fffffff) {
                                        																								goto L213;
                                        																							} else {
                                        																								_t707 = _t705 + _t705;
                                        																								__eflags = _t707 - 0x1000;
                                        																								if(_t707 < 0x1000) {
                                        																									__eflags = _t707;
                                        																									if(__eflags == 0) {
                                        																										_t895 = 0;
                                        																										__eflags = 0;
                                        																									} else {
                                        																										_t717 = E00F42B2A(_t1111, __eflags, _t707);
                                        																										_t1178 = _t1178 + 4;
                                        																										_t895 = _t717;
                                        																									}
                                        																									goto L207;
                                        																								} else {
                                        																									goto L201;
                                        																								}
                                        																							}
                                        																						} else {
                                        																							_t1111 = 0x7ffffffe;
                                        																							_t707 = 0xfffffffe;
                                        																							goto L201;
                                        																						}
                                        																					} else {
                                        																						_t1111 = 0x7ffffffe;
                                        																						_t707 = 0xfffffffe;
                                        																						L201:
                                        																						_t404 = _t707 + 0x23; // 0x100000021
                                        																						_t929 = _t404;
                                        																						__eflags = _t929 - _t707;
                                        																						if(__eflags <= 0) {
                                        																							L213:
                                        																							E00F410B0();
                                        																							goto L214;
                                        																						} else {
                                        																							_t718 = E00F42B2A(_t1111, __eflags, _t929);
                                        																							_t1178 = _t1178 + 4;
                                        																							__eflags = _t718;
                                        																							if(__eflags == 0) {
                                        																								L215:
                                        																								E00F45BE3(_t895, _t929, _t1035, __eflags);
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								asm("int3");
                                        																								_push(_t1150);
                                        																								_t1151 = _t1178;
                                        																								_t1179 = _t1178 - 0x14;
                                        																								_t1036 = _v1588;
                                        																								_push(_t895);
                                        																								_t897 = _t929;
                                        																								_v1612 = _v1580;
                                        																								_t930 = 0x7ffffffe;
                                        																								_push(_t1111);
                                        																								_t1113 =  *(_t897 + 0x10);
                                        																								_v1600 = _t1113;
                                        																								_push(_t1080);
                                        																								__eflags = 0x7ffffffe - _t1113 - _t1036;
                                        																								if(0x7ffffffe - _t1113 < _t1036) {
                                        																									L236:
                                        																									E00F41150(_t897, _t1036, _t1080, _t1113);
                                        																									goto L237;
                                        																								} else {
                                        																									_t677 = _t1113 + _t1036;
                                        																									_t1113 =  *(_t897 + 0x14);
                                        																									_v32 = _t677;
                                        																									_t1090 = _t677 | 0x00000007;
                                        																									_v36 = _t1113;
                                        																									__eflags = _t1090 - 0x7ffffffe;
                                        																									if(_t1090 <= 0x7ffffffe) {
                                        																										_t679 = _t1113 >> 1;
                                        																										_t930 = 0x7ffffffe - _t679;
                                        																										__eflags = _t1113 - _t930;
                                        																										if(_t1113 <= _t930) {
                                        																											_t680 = _t679 + _t1113;
                                        																											__eflags = _t1090 - _t680;
                                        																											_t1080 =  <  ? _t680 : _t1090;
                                        																											_t426 = _t1080 + 1; // 0x7fffffff
                                        																											_t681 = _t426;
                                        																											__eflags = _t681 - 0x7fffffff;
                                        																											if(_t681 > 0x7fffffff) {
                                        																												goto L235;
                                        																											} else {
                                        																												_t683 = _t681 + _t681;
                                        																												__eflags = _t683 - 0x1000;
                                        																												if(_t683 < 0x1000) {
                                        																													__eflags = _t683;
                                        																													if(__eflags == 0) {
                                        																														_t1113 = 0;
                                        																														__eflags = 0;
                                        																													} else {
                                        																														_t700 = E00F42B2A(_t1113, __eflags, _t683);
                                        																														_t1179 = _t1179 + 4;
                                        																														_t1113 = _t700;
                                        																													}
                                        																													goto L229;
                                        																												} else {
                                        																													goto L223;
                                        																												}
                                        																											}
                                        																										} else {
                                        																											_t1080 = 0x7ffffffe;
                                        																											_t683 = 0xfffffffe;
                                        																											goto L223;
                                        																										}
                                        																									} else {
                                        																										_t1080 = 0x7ffffffe;
                                        																										_t683 = 0xfffffffe;
                                        																										L223:
                                        																										_t427 = _t683 + 0x23; // 0x100000021
                                        																										_t930 = _t427;
                                        																										__eflags = _t930 - _t683;
                                        																										if(__eflags <= 0) {
                                        																											L235:
                                        																											E00F410B0();
                                        																											goto L236;
                                        																										} else {
                                        																											_t701 = E00F42B2A(_t1113, __eflags, _t930);
                                        																											_t1179 = _t1179 + 4;
                                        																											__eflags = _t701;
                                        																											if(__eflags == 0) {
                                        																												L237:
                                        																												E00F45BE3(_t897, _t930, _t1036, __eflags);
                                        																												asm("int3");
                                        																												asm("int3");
                                        																												asm("int3");
                                        																												asm("int3");
                                        																												_push(_t1151);
                                        																												_t1152 = _t1179;
                                        																												_t1180 = _t1179 - 0x14;
                                        																												_push(_t897);
                                        																												_t898 = _v1600;
                                        																												_push(_t1113);
                                        																												_t1114 = _v1604;
                                        																												_push(_t1080);
                                        																												_t1081 = _t930;
                                        																												 *_t1081 = 0;
                                        																												 *(_t1081 + 0x10) = 0;
                                        																												 *(_t1081 + 0x14) = 0;
                                        																												_t615 =  *(_t1114 + 0x10);
                                        																												_t1037 =  *(_t898 + 0x10);
                                        																												_t931 =  *(_t898 + 0x14);
                                        																												_v1624 = _t615;
                                        																												_v1628 = _t615 + _t1037;
                                        																												_v1636 = _t1037;
                                        																												__eflags = _t1037 -  *(_t1114 + 0x14) - _v1624;
                                        																												if(_t1037 >  *(_t1114 + 0x14) - _v1624) {
                                        																													L245:
                                        																													_t619 = _v36;
                                        																													_t932 = _t931 - _t1037;
                                        																													__eflags = _t619 - _t932;
                                        																													if(_t619 > _t932) {
                                        																														__eflags = 0x7ffffffe - _v36 - _t1037;
                                        																														if(0x7ffffffe - _v36 < _t1037) {
                                        																															L266:
                                        																															E00F41150(_t898, _t1037, _t1081, _t1114);
                                        																															goto L267;
                                        																														} else {
                                        																															_t655 = _v40 | 0x00000007;
                                        																															__eflags = _t655 - 0x7ffffffe;
                                        																															if(_t655 <= 0x7ffffffe) {
                                        																																_t932 = 0xa;
                                        																																__eflags = _t655 - 0xa;
                                        																																_t656 =  <  ? 0xa : _t655;
                                        																																_v32 = _t656;
                                        																																_t657 = _t656 + 1;
                                        																																__eflags = _t657 - 0x7fffffff;
                                        																																if(_t657 > 0x7fffffff) {
                                        																																	goto L265;
                                        																																} else {
                                        																																	_t659 = _t657 + _t657;
                                        																																	__eflags = _t659 - 0x1000;
                                        																																	if(_t659 < 0x1000) {
                                        																																		__eflags = _t659;
                                        																																		if(__eflags == 0) {
                                        																																			_t660 = 0;
                                        																																			__eflags = 0;
                                        																																		} else {
                                        																																			_t660 = E00F42B2A(_t1114, __eflags, _t659);
                                        																																			_t1180 = _t1180 + 4;
                                        																																		}
                                        																																		goto L260;
                                        																																	} else {
                                        																																		goto L254;
                                        																																	}
                                        																																}
                                        																															} else {
                                        																																_v32 = 0x7ffffffe;
                                        																																_t659 = 0xfffffffe;
                                        																																L254:
                                        																																_t497 = _t659 + 0x23; // 0x100000021
                                        																																_t932 = _t497;
                                        																																__eflags = _t932 - _t659;
                                        																																if(__eflags <= 0) {
                                        																																	L265:
                                        																																	E00F410B0();
                                        																																	goto L266;
                                        																																} else {
                                        																																	_t932 = E00F42B2A(_t1114, __eflags, _t932);
                                        																																	_t1180 = _t1180 + 4;
                                        																																	__eflags = _t932;
                                        																																	if(__eflags == 0) {
                                        																																		L267:
                                        																																		E00F45BE3(_t898, _t932, _t1037, __eflags);
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		_push("vector too long");
                                        																																		E00F429DA(_t898, _t1037, _t1081, _t1114);
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		asm("int3");
                                        																																		_push(_t1152);
                                        																																		_t1181 = _t1180 - 0x10;
                                        																																		_t1038 = _v1636;
                                        																																		_push(_t898);
                                        																																		_t899 = _t932;
                                        																																		_v1660 = _v1624;
                                        																																		_t933 = 0x7ffffffe;
                                        																																		_push(_t1114);
                                        																																		_t1115 = _t899[4];
                                        																																		_v1652 = _t1115;
                                        																																		_push(_t1081);
                                        																																		__eflags = 0x7ffffffe - _t1115 - _t1038;
                                        																																		if(0x7ffffffe - _t1115 < _t1038) {
                                        																																			L290:
                                        																																			E00F41150(_t899, _t1038, _t1081, _t1115);
                                        																																			goto L291;
                                        																																		} else {
                                        																																			_t1081 = _t899[5];
                                        																																			_t631 = _t1115 + _t1038;
                                        																																			_v36 = _t631;
                                        																																			_t1117 = _t631 | 0x00000007;
                                        																																			_v44 = _t1081;
                                        																																			__eflags = _t1117 - 0x7ffffffe;
                                        																																			if(__eflags <= 0) {
                                        																																				_t633 = _t1081 >> 1;
                                        																																				__eflags = _t1081 - 0x7ffffffe - _t633;
                                        																																				if(__eflags <= 0) {
                                        																																					_t634 = _t633 + _t1081;
                                        																																					__eflags = _t1117 - _t634;
                                        																																					_t1115 =  <  ? _t634 : _t1117;
                                        																																				} else {
                                        																																					_t1115 = 0x7ffffffe;
                                        																																				}
                                        																																			} else {
                                        																																				_t1115 = 0x7ffffffe;
                                        																																			}
                                        																																			_t933 =  ~(0 | __eflags > 0x00000000) | _t1115 + 0x00000001;
                                        																																			__eflags = _t933 - 0x7fffffff;
                                        																																			if(_t933 > 0x7fffffff) {
                                        																																				L289:
                                        																																				E00F410B0();
                                        																																				goto L290;
                                        																																			} else {
                                        																																				_t933 = _t933 + _t933;
                                        																																				__eflags = _t933 - 0x1000;
                                        																																				if(_t933 < 0x1000) {
                                        																																					__eflags = _t933;
                                        																																					if(__eflags == 0) {
                                        																																						_t1082 = 0;
                                        																																						__eflags = 0;
                                        																																					} else {
                                        																																						_t651 = E00F42B2A(_t1115, __eflags, _t933);
                                        																																						_t1181 = _t1181 + 4;
                                        																																						_t1082 = _t651;
                                        																																					}
                                        																																					goto L283;
                                        																																				} else {
                                        																																					_t525 = _t933 + 0x23; // 0x23
                                        																																					_t652 = _t525;
                                        																																					__eflags = _t525 - _t933;
                                        																																					if(__eflags <= 0) {
                                        																																						goto L289;
                                        																																					} else {
                                        																																						_t653 = E00F42B2A(_t1115, __eflags, _t652);
                                        																																						_t1181 = _t1181 + 4;
                                        																																						__eflags = _t653;
                                        																																						if(__eflags == 0) {
                                        																																							L291:
                                        																																							E00F45BE3(_t899, _t933, _t1038, __eflags);
                                        																																							asm("int3");
                                        																																							 *(_t933 + 4) =  *(_t933 + 4) & 0x00000000;
                                        																																							_t551 = _t933 + 8;
                                        																																							 *_t551 =  *(_t933 + 8) & 0x00000000;
                                        																																							__eflags =  *_t551;
                                        																																							 *(_t933 + 4) = "bad allocation";
                                        																																							 *_t933 = 0xf4f1a0;
                                        																																							return _t933;
                                        																																						} else {
                                        																																							_t526 = _t653 + 0x23; // 0x23
                                        																																							_t1082 = _t526 & 0xffffffe0;
                                        																																							 *(_t1082 - 4) = _t653;
                                        																																							L283:
                                        																																							_t899[4] = _v36;
                                        																																							_t640 = _v8 + _v8;
                                        																																							_t899[5] = _t1115;
                                        																																							__eflags = _v44 - 8;
                                        																																							_push(_t640);
                                        																																							_push(_v48);
                                        																																							_t1119 = 2 + _v40 * 2;
                                        																																							_v36 = _t640 + _t1082;
                                        																																							_push(_t1082);
                                        																																							if(_v44 < 8) {
                                        																																								E00F452B0();
                                        																																								E00F452B0(_v36, _t899, _t1119);
                                        																																								 *_t899 = _t1082;
                                        																																								return _t899;
                                        																																							} else {
                                        																																								_t1121 =  *_t899;
                                        																																								E00F452B0();
                                        																																								E00F452B0(_v36, _t1121, 2 + _v40 * 2);
                                        																																								_t940 = 2 + _v44 * 2;
                                        																																								__eflags = _t940 - 0x1000;
                                        																																								if(_t940 < 0x1000) {
                                        																																									L287:
                                        																																									_push(_t940);
                                        																																									E00F42B5A(_t1121);
                                        																																									 *_t899 = _t1082;
                                        																																									return _t899;
                                        																																								} else {
                                        																																									_t1038 =  *(_t1121 - 4);
                                        																																									_t933 = _t940 + 0x23;
                                        																																									__eflags = _t1121 - _t1038 - 4 - 0x1f;
                                        																																									if(__eflags > 0) {
                                        																																										goto L291;
                                        																																									} else {
                                        																																										_t1121 = _t1038;
                                        																																										goto L287;
                                        																																									}
                                        																																								}
                                        																																							}
                                        																																						}
                                        																																					}
                                        																																				}
                                        																																			}
                                        																																		}
                                        																																	} else {
                                        																																		_t498 = _t932 + 0x23; // 0x23
                                        																																		_t660 = _t498 & 0xffffffe0;
                                        																																		 *(_t660 - 4) = _t932;
                                        																																		L260:
                                        																																		 *(_t1081 + 0x10) = _v40;
                                        																																		 *_t1081 = _t660;
                                        																																		 *(_t1081 + 0x14) = _v32;
                                        																																		__eflags =  *(_t1114 + 0x14) - 8;
                                        																																		_v44 = _t660;
                                        																																		if( *(_t1114 + 0x14) >= 8) {
                                        																																			_t1114 =  *_t1114;
                                        																																		}
                                        																																		_v32 = _v36 + _v36;
                                        																																		E00F452B0(_t660, _t1114, _v36 + _v36);
                                        																																		__eflags =  *(_t898 + 0x14) - 8;
                                        																																		if( *(_t898 + 0x14) >= 8) {
                                        																																			_t898 =  *_t898;
                                        																																		}
                                        																																		__eflags = _v32 + _v44;
                                        																																		E00F452B0(_v32 + _v44, _t898, 2 + _v48 * 2);
                                        																																		return _t1081;
                                        																																	}
                                        																																}
                                        																															}
                                        																														}
                                        																													} else {
                                        																														asm("movups xmm0, [ebx]");
                                        																														asm("movups [edi], xmm0");
                                        																														asm("movq xmm0, [ebx+0x10]");
                                        																														asm("movq [edi+0x10], xmm0");
                                        																														 *_t898 = 0;
                                        																														 *(_t898 + 0x10) = 0;
                                        																														 *(_t898 + 0x14) = 7;
                                        																														_t903 =  *_t1081;
                                        																														_v32 = _t619 + _t619;
                                        																														E00F452B0(_t619 + _t619 +  *_t1081,  *_t1081, 2 + _t1037 * 2);
                                        																														__eflags =  *(_t1114 + 0x14) - 8;
                                        																														if( *(_t1114 + 0x14) >= 8) {
                                        																															_t1114 =  *_t1114;
                                        																														}
                                        																														E00F452B0(_t903, _t1114, _v32);
                                        																														 *(_t1081 + 0x10) = _v40;
                                        																														return _t1081;
                                        																													}
                                        																												} else {
                                        																													__eflags = _t931 -  *(_t1114 + 0x14);
                                        																													if(_t931 >  *(_t1114 + 0x14)) {
                                        																														goto L245;
                                        																													} else {
                                        																														asm("movups xmm0, [esi]");
                                        																														_t952 = _t1081;
                                        																														asm("movups [edi], xmm0");
                                        																														asm("movq xmm0, [esi+0x10]");
                                        																														asm("movq [edi+0x10], xmm0");
                                        																														 *(_t1114 + 0x10) = 0;
                                        																														 *(_t1114 + 0x14) = 7;
                                        																														 *_t1114 = 0;
                                        																														__eflags =  *(_t1081 + 0x14) - 8;
                                        																														if( *(_t1081 + 0x14) >= 8) {
                                        																															_t952 =  *_t1081;
                                        																														}
                                        																														__eflags =  *(_t898 + 0x14) - 8;
                                        																														if( *(_t898 + 0x14) >= 8) {
                                        																															_t898 =  *_t898;
                                        																														}
                                        																														E00F452B0(_t952 + _v36 * 2, _t898, 2 + _t1037 * 2);
                                        																														 *(_t1081 + 0x10) = _v40;
                                        																														return _t1081;
                                        																													}
                                        																												}
                                        																											} else {
                                        																												_t428 = _t701 + 0x23; // 0x23
                                        																												_t1113 = _t428 & 0xffffffe0;
                                        																												 *(_t1113 - 4) = _t701;
                                        																												L229:
                                        																												 *(_t897 + 0x10) = _v32;
                                        																												 *(_t897 + 0x14) = _t1080;
                                        																												_t954 = _v28 + _v28;
                                        																												_t686 = _v4;
                                        																												_v32 = _t954 + _t1113;
                                        																												_push(_t954);
                                        																												_t1091 = _t686 + _t686;
                                        																												__eflags = _v36 - 8;
                                        																												_v44 = _t686 + _t686;
                                        																												_v28 = _t1113 + (_t686 + _v28) * 2;
                                        																												if(_v36 < 8) {
                                        																													_push(_t897);
                                        																													_push(_t1113);
                                        																													E00F452B0();
                                        																													E00F452B0(_v32, _v40, _t1091);
                                        																													__eflags = 0;
                                        																													 *_v28 = 0;
                                        																													 *_t897 = _t1113;
                                        																													return _t897;
                                        																												} else {
                                        																													_t1093 =  *_t897;
                                        																													_push(_t1093);
                                        																													_push(_t1113);
                                        																													E00F452B0();
                                        																													E00F452B0(_v32, _v40, _v44);
                                        																													_t1179 = _t1179 + 0x18;
                                        																													 *_v28 = 0;
                                        																													_t957 = 2 + _v36 * 2;
                                        																													__eflags = _t957 - 0x1000;
                                        																													if(_t957 < 0x1000) {
                                        																														L233:
                                        																														_push(_t957);
                                        																														E00F42B5A(_t1093);
                                        																														 *_t897 = _t1113;
                                        																														return _t897;
                                        																													} else {
                                        																														_t1036 =  *(_t1093 - 4);
                                        																														_t930 = _t957 + 0x23;
                                        																														_t1080 = _t1093 - _t1036;
                                        																														_t453 = _t1080 - 4; // 0x7ffffffa
                                        																														__eflags = _t453 - 0x1f;
                                        																														if(__eflags > 0) {
                                        																															goto L237;
                                        																														} else {
                                        																															_t1093 = _t1036;
                                        																															goto L233;
                                        																														}
                                        																													}
                                        																												}
                                        																											}
                                        																										}
                                        																									}
                                        																								}
                                        																							} else {
                                        																								_t405 = _t718 + 0x23; // 0x23
                                        																								_t895 = _t405 & 0xffffffe0;
                                        																								 *(_t895 - 4) = _t718;
                                        																								L207:
                                        																								_t708 = _v24;
                                        																								 *(_t1080 + 0x14) = _t1111;
                                        																								 *(_t1080 + 0x10) = _t708;
                                        																								_t1111 = _t708 + _t708;
                                        																								E00F452B0(_t895, _v28, _t1111);
                                        																								_t1178 = _t1178 + 0xc;
                                        																								 *((short*)(_t1111 + _t895)) = 0;
                                        																								_t711 = _v32;
                                        																								__eflags = _t711 - 8;
                                        																								if(_t711 < 8) {
                                        																									L212:
                                        																									 *_t1080 = _t895;
                                        																									return _t1080;
                                        																								} else {
                                        																									_t958 = 2 + _t711 * 2;
                                        																									_t713 =  *_t1080;
                                        																									__eflags = _t958 - 0x1000;
                                        																									if(_t958 < 0x1000) {
                                        																										L211:
                                        																										_push(_t958);
                                        																										E00F42B5A(_t713);
                                        																										goto L212;
                                        																									} else {
                                        																										_t1035 =  *(_t713 - 4);
                                        																										_t929 = _t958 + 0x23;
                                        																										__eflags = _t713 - _t1035 + 0xfffffffc - 0x1f;
                                        																										if(__eflags > 0) {
                                        																											goto L215;
                                        																										} else {
                                        																											_t713 = _t1035;
                                        																											goto L211;
                                        																										}
                                        																									}
                                        																								}
                                        																							}
                                        																						}
                                        																					}
                                        																				}
                                        																			} else {
                                        																				_t910 = _t1080;
                                        																				__eflags = _t929 - 8;
                                        																				if(_t929 >= 8) {
                                        																					_t910 =  *_t1080;
                                        																				}
                                        																				_t1133 = _t607 + _t607;
                                        																				 *(_t1080 + 0x10) = _t607;
                                        																				E00F452B0(_t910, _t1035, _t1133);
                                        																				__eflags = 0;
                                        																				 *((short*)(_t1133 + _t910)) = 0;
                                        																				return _t1080;
                                        																			}
                                        																		} else {
                                        																			_t602 = _t1034;
                                        																			goto L187;
                                        																		}
                                        																	}
                                        																}
                                        															} else {
                                        																_t597 = _t1033;
                                        																goto L180;
                                        															}
                                        														}
                                        													}
                                        												} else {
                                        													_t923 = E00F42B2A(_t1106, __eflags, _t747);
                                        													_t1172 = _t1172 + 4;
                                        													__eflags = _t923;
                                        													if(__eflags == 0) {
                                        														L173:
                                        														E00F45BE3(_t895, _t923, _t1032, __eflags);
                                        														goto L174;
                                        													} else {
                                        														_t319 = _t923 + 0x23; // 0x23
                                        														_t745 = _t319 & 0xffffffe0;
                                        														 *(_t745 - 4) = _t923;
                                        														L147:
                                        														_t1106 = _t1106 + _t745;
                                        														__eflags = _t1106;
                                        														_v48 = _t745;
                                        														_v40 = _t1106;
                                        														E00F43E50(_t1078, _t745, 0, _v84 + _v84);
                                        														_t917 = _v48;
                                        														_t1172 = _t1172 + 0xc;
                                        														_v44 = _t1106;
                                        														goto L148;
                                        													}
                                        												}
                                        											}
                                        										}
                                        									}
                                        								} else {
                                        									goto L26;
                                        								}
                                        							}
                                        						}
                                        					} else {
                                        						_t893 = RegQueryValueExW(_v1276, L"Release", 0,  &(_v1228.wShowWindow),  &_v272,  &(_v1228.dwFlags)); // executed
                                        						if(_t893 != 0) {
                                        							goto L92;
                                        						} else {
                                        							goto L4;
                                        						}
                                        					}
                                        				}
                                        				L293:
                                        			}
                                        0x00000000
                                        0x00f41cbc
                                        0x00f41cbc
                                        0x00f41cbc
                                        0x00000000
                                        0x00f41cba
                                        0x00f41ccd
                                        0x00f41ccd
                                        0x00f41c7c
                                        0x00f41c68
                                        0x00000000
                                        0x00f41c3a
                                        0x00f41cda
                                        0x00f41bf9
                                        0x00f41bf9
                                        0x00f41c00
                                        0x00f41c04
                                        0x00f41c06
                                        0x00000000
                                        0x00f41c08
                                        0x00f41c08
                                        0x00f41c08
                                        0x00f41c08
                                        0x00f41c06
                                        0x00f41cde
                                        0x00f41cde
                                        0x00f41ce6
                                        0x00f41ced
                                        0x00f41cf1
                                        0x00f41d0c
                                        0x00f41d0c
                                        0x00f41d0c
                                        0x00f41d10
                                        0x00f41d18
                                        0x00f41d1a
                                        0x00f41d1c
                                        0x00000000
                                        0x00000000
                                        0x00f41d22
                                        0x00f41d26
                                        0x00f41d27
                                        0x00f41d2a
                                        0x00000000
                                        0x00f41d2c
                                        0x00f41d2c
                                        0x00f41d30
                                        0x00f41d32
                                        0x00f41d39
                                        0x00f41d3b
                                        0x00f41d43
                                        0x00f41d48
                                        0x00f41d48
                                        0x00f41d4c
                                        0x00000000
                                        0x00000000
                                        0x00f41d4e
                                        0x00f41d51
                                        0x00f41d51
                                        0x00f41d54
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f41d54
                                        0x00f41d56
                                        0x00f41d58
                                        0x00f41dac
                                        0x00f41dac
                                        0x00f41d5a
                                        0x00f41d5f
                                        0x00f41d65
                                        0x00f41d69
                                        0x00f41d6c
                                        0x00000000
                                        0x00f41d6e
                                        0x00f41d71
                                        0x00f41d7d
                                        0x00f41d87
                                        0x00f41d8f
                                        0x00f41d8f
                                        0x00f41d91
                                        0x00f41da0
                                        0x00f41da2
                                        0x00f41da4
                                        0x00000000
                                        0x00000000
                                        0x00f41da6
                                        0x00f41da7
                                        0x00f41daa
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f41daa
                                        0x00000000
                                        0x00f41d91
                                        0x00f41d6c
                                        0x00f41d58
                                        0x00000000
                                        0x00f41d2a
                                        0x00f41db3
                                        0x00f41db3
                                        0x00f41cf3
                                        0x00f41cf3
                                        0x00f41cfa
                                        0x00f41cfe
                                        0x00f41d00
                                        0x00000000
                                        0x00f41d02
                                        0x00f41d02
                                        0x00f41d02
                                        0x00f41d00
                                        0x00f41dba
                                        0x00f41dc9
                                        0x00f41dc9
                                        0x00f41dcc
                                        0x00f41ddd
                                        0x00f41ddd
                                        0x00f41de3
                                        0x00f41dea
                                        0x00f41ded
                                        0x00000000
                                        0x00f41def
                                        0x00f41def
                                        0x00f41df6
                                        0x00f41dfd
                                        0x00f41dff
                                        0x00f41e05
                                        0x00000000
                                        0x00f41e07
                                        0x00f41e07
                                        0x00f41e0a
                                        0x00f41e12
                                        0x00f41e15
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f41e15
                                        0x00f41e05
                                        0x00f41bba
                                        0x00f41bbc
                                        0x00f41bbd
                                        0x00f41bc5
                                        0x00f41bcf
                                        0x00f41bcf
                                        0x00f411ed
                                        0x00f411fc
                                        0x00f41200
                                        0x00f41236
                                        0x00f41236
                                        0x00f41238
                                        0x00f41244
                                        0x00f4124f
                                        0x00f4125a
                                        0x00f41265
                                        0x00f41279
                                        0x00f4127e
                                        0x00f41290
                                        0x00f41296
                                        0x00f4129d
                                        0x00f412a5
                                        0x00f412ad
                                        0x00f412b0
                                        0x00f412c0
                                        0x00f412c0
                                        0x00f412c3
                                        0x00f412c6
                                        0x00f412d6
                                        0x00f412d7
                                        0x00f412dc
                                        0x00f412ea
                                        0x00f412ee
                                        0x00f412f5
                                        0x00f413ac
                                        0x00f413ac
                                        0x00f413ac
                                        0x00f412fb
                                        0x00f4130a
                                        0x00f4130f
                                        0x00f41312
                                        0x00f41320
                                        0x00f41320
                                        0x00f41326
                                        0x00000000
                                        0x00000000
                                        0x00f4132b
                                        0x00f4132e
                                        0x00f4133c
                                        0x00000000
                                        0x00f4133e
                                        0x00f4133e
                                        0x00f41346
                                        0x00f41349
                                        0x00f41350
                                        0x00f41350
                                        0x00f41356
                                        0x00000000
                                        0x00000000
                                        0x00f41364
                                        0x00000000
                                        0x00f41366
                                        0x00f41366
                                        0x00000000
                                        0x00f41366
                                        0x00000000
                                        0x00f41364
                                        0x00f413a6
                                        0x00f413a8
                                        0x00f413a8
                                        0x00000000
                                        0x00f4133c
                                        0x00f4136b
                                        0x00f4136b
                                        0x00f4136e
                                        0x00f41371
                                        0x00f41373
                                        0x00f41376
                                        0x00f41380
                                        0x00f41380
                                        0x00f41380
                                        0x00f41383
                                        0x00f41388
                                        0x00f41390
                                        0x00f41390
                                        0x00f41393
                                        0x00000000
                                        0x00000000
                                        0x00f41395
                                        0x00f41398
                                        0x00f41398
                                        0x00f4139b
                                        0x00000000
                                        0x00f4139d
                                        0x00f4139d
                                        0x00f4139f
                                        0x00000000
                                        0x00f413a1
                                        0x00f413a1
                                        0x00000000
                                        0x00f413a1
                                        0x00f4139f
                                        0x00000000
                                        0x00f4139b
                                        0x00000000
                                        0x00f41390
                                        0x00f41380
                                        0x00f413af
                                        0x00f413af
                                        0x00f413b3
                                        0x00f413b6
                                        0x00f413eb
                                        0x00f413eb
                                        0x00f413f2
                                        0x00f413fa
                                        0x00f41402
                                        0x00f41405
                                        0x00f41410
                                        0x00f41410
                                        0x00f41413
                                        0x00f41416
                                        0x00f41416
                                        0x00f41426
                                        0x00f41427
                                        0x00f4142c
                                        0x00f41431
                                        0x00f4143d
                                        0x00f41445
                                        0x00f4144a
                                        0x00f4144f
                                        0x00f41450
                                        0x00f41455
                                        0x00f41456
                                        0x00f4145e
                                        0x00f41466
                                        0x00f4146b
                                        0x00f41472
                                        0x00f41475
                                        0x00f414ad
                                        0x00f414ad
                                        0x00f414b2
                                        0x00f414b6
                                        0x00f414be
                                        0x00f414c4
                                        0x00f414cd
                                        0x00f414d0
                                        0x00f41505
                                        0x00f41505
                                        0x00f41507
                                        0x00f41510
                                        0x00f41518
                                        0x00f41520
                                        0x00f41528
                                        0x00f4152d
                                        0x00f4153d
                                        0x00f41542
                                        0x00f41546
                                        0x00f41548
                                        0x00f4154c
                                        0x00f41550
                                        0x00f41552
                                        0x00f415fa
                                        0x00f415fb
                                        0x00f415fc
                                        0x00f415fd
                                        0x00f41609
                                        0x00f41610
                                        0x00f41611
                                        0x00f41558
                                        0x00f41558
                                        0x00f41560
                                        0x00f41568
                                        0x00f4156d
                                        0x00f41570
                                        0x00f41577
                                        0x00f4157b
                                        0x00f4157f
                                        0x00f41583
                                        0x00f41585
                                        0x00f4159e
                                        0x00f4159e
                                        0x00f41587
                                        0x00f4158a
                                        0x00f4158c
                                        0x00000000
                                        0x00f4158e
                                        0x00f4158e
                                        0x00f41590
                                        0x00f4159a
                                        0x00f41592
                                        0x00f41592
                                        0x00f41592
                                        0x00f41590
                                        0x00f4158c
                                        0x00f415b3
                                        0x00f415bb
                                        0x00f415c7
                                        0x00f415ec
                                        0x00f415f1
                                        0x00f415f4
                                        0x00f415f4
                                        0x00f41616
                                        0x00f4161b
                                        0x00f41620
                                        0x00f41625
                                        0x00f4162b
                                        0x00f41632
                                        0x00f41639
                                        0x00f4163c
                                        0x00f41642
                                        0x00f41646
                                        0x00f41648
                                        0x00f4164b
                                        0x00f4167f
                                        0x00f41681
                                        0x00f41686
                                        0x00f41692
                                        0x00f41699
                                        0x00f4169b
                                        0x00f4164d
                                        0x00f4164d
                                        0x00f41656
                                        0x00f4165b
                                        0x00f41663
                                        0x00f4166b
                                        0x00f41670
                                        0x00f41675
                                        0x00f41679
                                        0x00f41679
                                        0x00f416a0
                                        0x00f416a5
                                        0x00f416ad
                                        0x00f416b2
                                        0x00f416bb
                                        0x00f416c2
                                        0x00f416c9
                                        0x00f416cc
                                        0x00f416d0
                                        0x00f416d3
                                        0x00f41708
                                        0x00f41708
                                        0x00f4170e
                                        0x00f41716
                                        0x00f4171e
                                        0x00f41723
                                        0x00f41726
                                        0x00f4175b
                                        0x00f4175b
                                        0x00f4175d
                                        0x00f41769
                                        0x00f41774
                                        0x00f4177f
                                        0x00f4178a
                                        0x00f4179e
                                        0x00f417a4
                                        0x00f417ab
                                        0x00f417ad
                                        0x00f417b4
                                        0x00f417b7
                                        0x00f419b4
                                        0x00f419b4
                                        0x00f419cb
                                        0x00f419df
                                        0x00f419e9
                                        0x00f419f8
                                        0x00f41a02
                                        0x00f41a0e
                                        0x00f41a17
                                        0x00f41a20
                                        0x00f41a29
                                        0x00f41a32
                                        0x00f41a3b
                                        0x00f41a44
                                        0x00f41a4d
                                        0x00f41a56
                                        0x00f41a5e
                                        0x00f41a64
                                        0x00f41a66
                                        0x00f41a71
                                        0x00f41a86
                                        0x00f41a93
                                        0x00f41a99
                                        0x00f41aa2
                                        0x00f41aa2
                                        0x00f41aa4
                                        0x00f41aab
                                        0x00f41aae
                                        0x00f41ae6
                                        0x00f41ae6
                                        0x00f41aef
                                        0x00f41afa
                                        0x00f41b05
                                        0x00f41b0d
                                        0x00f41b10
                                        0x00f41b48
                                        0x00f41b48
                                        0x00f41b51
                                        0x00f41b5c
                                        0x00f41b67
                                        0x00f41b6f
                                        0x00f41b72
                                        0x00f41e21
                                        0x00f41e2f
                                        0x00f41e30
                                        0x00f41e31
                                        0x00f41e3b
                                        0x00f41b78
                                        0x00f41b78
                                        0x00f41b7f
                                        0x00f41b86
                                        0x00f41b88
                                        0x00f41b8e
                                        0x00f41e17
                                        0x00f41e17
                                        0x00f41e19
                                        0x00f41e1e
                                        0x00000000
                                        0x00f41b94
                                        0x00f41b94
                                        0x00f41b97
                                        0x00f41b9f
                                        0x00f41ba2
                                        0x00000000
                                        0x00f41ba8
                                        0x00000000
                                        0x00f41ba8
                                        0x00f41ba2
                                        0x00f41b8e
                                        0x00f41b12
                                        0x00f41b12
                                        0x00f41b19
                                        0x00f41b20
                                        0x00f41b22
                                        0x00f41b28
                                        0x00f41b3e
                                        0x00f41b3e
                                        0x00f41b40
                                        0x00f41b45
                                        0x00000000
                                        0x00f41b2a
                                        0x00f41b2a
                                        0x00f41b2d
                                        0x00f41b35
                                        0x00f41b38
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f41b38
                                        0x00f41b28
                                        0x00f41ab0
                                        0x00f41ab0
                                        0x00f41ab7
                                        0x00f41abe
                                        0x00f41ac0
                                        0x00f41ac6
                                        0x00f41adc
                                        0x00f41adc
                                        0x00f41ade
                                        0x00f41ae3
                                        0x00000000
                                        0x00f41ac8
                                        0x00f41ac8
                                        0x00f41acb
                                        0x00f41ad3
                                        0x00f41ad6
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f41ad6
                                        0x00f41ac6
                                        0x00f417bd
                                        0x00f417bd
                                        0x00f417bf
                                        0x00f417c3
                                        0x00f417c5
                                        0x00f417d0
                                        0x00f417d0
                                        0x00f417d2
                                        0x00f417db
                                        0x00f417e3
                                        0x00f417eb
                                        0x00f417f3
                                        0x00f417f8
                                        0x00f417fb
                                        0x00f417fd
                                        0x00f41805
                                        0x00f4180d
                                        0x00f41815
                                        0x00f41820
                                        0x00f41820
                                        0x00f41823
                                        0x00f41826
                                        0x00f41826
                                        0x00f4182f
                                        0x00f41830
                                        0x00f41835
                                        0x00f4183e
                                        0x00f41843
                                        0x00f41844
                                        0x00f4184f
                                        0x00f41854
                                        0x00f4185d
                                        0x00f41861
                                        0x00f41868
                                        0x00f4186b
                                        0x00f4186f
                                        0x00f42440
                                        0x00f42440
                                        0x00f42442
                                        0x00f4247d
                                        0x00f4247d
                                        0x00f4247d
                                        0x00f42480
                                        0x00f42482
                                        0x00f4256d
                                        0x00f4256d
                                        0x00000000
                                        0x00f42488
                                        0x00f42489
                                        0x00f4248e
                                        0x00f42491
                                        0x00f42493
                                        0x00f42577
                                        0x00f42577
                                        0x00f4257c
                                        0x00f4257d
                                        0x00f4257e
                                        0x00f4257f
                                        0x00f42580
                                        0x00f42581
                                        0x00f42583
                                        0x00f42586
                                        0x00f42587
                                        0x00f4258a
                                        0x00f4258b
                                        0x00f4258e
                                        0x00f4258f
                                        0x00f42591
                                        0x00f42597
                                        0x00f4259e
                                        0x00f425a5
                                        0x00f425a8
                                        0x00f425ab
                                        0x00f425ae
                                        0x00f425b3
                                        0x00f425bc
                                        0x00f425bf
                                        0x00f425c1
                                        0x00f42626
                                        0x00f42626
                                        0x00f42629
                                        0x00f4262b
                                        0x00f4262d
                                        0x00f4269d
                                        0x00f4269f
                                        0x00f4277b
                                        0x00f4277b
                                        0x00000000
                                        0x00f426a5
                                        0x00f426a8
                                        0x00f426ab
                                        0x00f426b0
                                        0x00f426c0
                                        0x00f426c5
                                        0x00f426c7
                                        0x00f426ca
                                        0x00f426cd
                                        0x00f426ce
                                        0x00f426d3
                                        0x00000000
                                        0x00f426d9
                                        0x00f426d9
                                        0x00f426db
                                        0x00f426e0
                                        0x00f4270b
                                        0x00f4270d
                                        0x00f4271a
                                        0x00f4271a
                                        0x00f4270f
                                        0x00f42710
                                        0x00f42715
                                        0x00f42715
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f426e0
                                        0x00f426b2
                                        0x00f426b2
                                        0x00f426b9
                                        0x00f426e2
                                        0x00f426e2
                                        0x00f426e2
                                        0x00f426e5
                                        0x00f426e7
                                        0x00f42776
                                        0x00f42776
                                        0x00000000
                                        0x00f426ed
                                        0x00f426f3
                                        0x00f426f5
                                        0x00f426f8
                                        0x00f426fa
                                        0x00f42780
                                        0x00f42780
                                        0x00f42785
                                        0x00f42786
                                        0x00f42787
                                        0x00f42788
                                        0x00f42789
                                        0x00f4278a
                                        0x00f4278b
                                        0x00f4278c
                                        0x00f4278d
                                        0x00f4278e
                                        0x00f4278f
                                        0x00f42790
                                        0x00f42795
                                        0x00f4279a
                                        0x00f4279b
                                        0x00f4279c
                                        0x00f4279d
                                        0x00f4279e
                                        0x00f4279f
                                        0x00f427a0
                                        0x00f427a3
                                        0x00f427a9
                                        0x00f427ac
                                        0x00f427ad
                                        0x00f427af
                                        0x00f427b2
                                        0x00f427b7
                                        0x00f427ba
                                        0x00f427bf
                                        0x00f427c2
                                        0x00f427c3
                                        0x00f427c5
                                        0x00f42900
                                        0x00f42900
                                        0x00000000
                                        0x00f427cb
                                        0x00f427cb
                                        0x00f427ce
                                        0x00f427d3
                                        0x00f427d6
                                        0x00f427d9
                                        0x00f427dc
                                        0x00f427de
                                        0x00f427e6
                                        0x00f427ea
                                        0x00f427ec
                                        0x00f427f5
                                        0x00f427f7
                                        0x00f427f9
                                        0x00f427ee
                                        0x00f427ee
                                        0x00f427ee
                                        0x00f427e0
                                        0x00f427e0
                                        0x00f427e0
                                        0x00f42808
                                        0x00f4280a
                                        0x00f42810
                                        0x00f428fb
                                        0x00f428fb
                                        0x00000000
                                        0x00f42816
                                        0x00f42816
                                        0x00f42818
                                        0x00f4281e
                                        0x00f42847
                                        0x00f42849
                                        0x00f42858
                                        0x00f42858
                                        0x00f4284b
                                        0x00f4284c
                                        0x00f42851
                                        0x00f42854
                                        0x00f42854
                                        0x00000000
                                        0x00f42820
                                        0x00f42820
                                        0x00f42820
                                        0x00f42823
                                        0x00f42825
                                        0x00000000
                                        0x00f4282b
                                        0x00f4282c
                                        0x00f42831
                                        0x00f42834
                                        0x00f42836
                                        0x00f42905
                                        0x00f42905
                                        0x00f4290a
                                        0x00f4290b
                                        0x00f42911
                                        0x00f42911
                                        0x00f42911
                                        0x00f42915
                                        0x00f4291c
                                        0x00f42922
                                        0x00f4283c
                                        0x00f4283c
                                        0x00f4283f
                                        0x00f42842
                                        0x00f4285a
                                        0x00f4285d
                                        0x00f42863
                                        0x00f42865
                                        0x00f42868
                                        0x00f4286f
                                        0x00f42870
                                        0x00f42876
                                        0x00f4287d
                                        0x00f42880
                                        0x00f42881
                                        0x00f428dc
                                        0x00f428e6
                                        0x00f428ee
                                        0x00f428f8
                                        0x00f42883
                                        0x00f42883
                                        0x00f42885
                                        0x00f42899
                                        0x00f428a4
                                        0x00f428ab
                                        0x00f428b1
                                        0x00f428c5
                                        0x00f428c5
                                        0x00f428c7
                                        0x00f428cf
                                        0x00f428d9
                                        0x00f428b3
                                        0x00f428b3
                                        0x00f428b6
                                        0x00f428be
                                        0x00f428c1
                                        0x00000000
                                        0x00f428c3
                                        0x00f428c3
                                        0x00000000
                                        0x00f428c3
                                        0x00f428c1
                                        0x00f428b1
                                        0x00f42881
                                        0x00f42836
                                        0x00f42825
                                        0x00f4281e
                                        0x00f42810
                                        0x00f42700
                                        0x00f42700
                                        0x00f42703
                                        0x00f42706
                                        0x00f4271c
                                        0x00f4271f
                                        0x00f42725
                                        0x00f42727
                                        0x00f4272a
                                        0x00f4272e
                                        0x00f42731
                                        0x00f42733
                                        0x00f42733
                                        0x00f4273d
                                        0x00f42740
                                        0x00f42748
                                        0x00f4274c
                                        0x00f4274e
                                        0x00f4274e
                                        0x00f4275e
                                        0x00f42763
                                        0x00f42773
                                        0x00f42773
                                        0x00f426fa
                                        0x00f426e7
                                        0x00f426b0
                                        0x00f4262f
                                        0x00f4262f
                                        0x00f42634
                                        0x00f42637
                                        0x00f4263c
                                        0x00f42641
                                        0x00f42647
                                        0x00f42655
                                        0x00f4265c
                                        0x00f42660
                                        0x00f42667
                                        0x00f4266f
                                        0x00f42673
                                        0x00f42675
                                        0x00f42675
                                        0x00f4267c
                                        0x00f42687
                                        0x00f42692
                                        0x00f42692
                                        0x00f425c3
                                        0x00f425c3
                                        0x00f425c6
                                        0x00000000
                                        0x00f425c8
                                        0x00f425c8
                                        0x00f425cd
                                        0x00f425cf
                                        0x00f425d2
                                        0x00f425d7
                                        0x00f425dc
                                        0x00f425e3
                                        0x00f425ea
                                        0x00f425ed
                                        0x00f425f1
                                        0x00f425f3
                                        0x00f425f3
                                        0x00f425f5
                                        0x00f425f9
                                        0x00f425fb
                                        0x00f425fb
                                        0x00f4260d
                                        0x00f42618
                                        0x00f42623
                                        0x00f42623
                                        0x00f425c6
                                        0x00f42499
                                        0x00f42499
                                        0x00f4249c
                                        0x00f4249f
                                        0x00f424b7
                                        0x00f424ba
                                        0x00f424c0
                                        0x00f424c3
                                        0x00f424c6
                                        0x00f424cc
                                        0x00f424cf
                                        0x00f424d0
                                        0x00f424d6
                                        0x00f424da
                                        0x00f424e0
                                        0x00f424e3
                                        0x00f42542
                                        0x00f42543
                                        0x00f42544
                                        0x00f42550
                                        0x00f4255b
                                        0x00f4255d
                                        0x00f42563
                                        0x00f4256a
                                        0x00f424e5
                                        0x00f424e5
                                        0x00f424e7
                                        0x00f424e8
                                        0x00f424e9
                                        0x00f424f7
                                        0x00f42501
                                        0x00f42504
                                        0x00f4250a
                                        0x00f42511
                                        0x00f42517
                                        0x00f4252b
                                        0x00f4252b
                                        0x00f4252d
                                        0x00f42535
                                        0x00f4253f
                                        0x00f42519
                                        0x00f42519
                                        0x00f4251c
                                        0x00f4251f
                                        0x00f42521
                                        0x00f42524
                                        0x00f42527
                                        0x00000000
                                        0x00f42529
                                        0x00f42529
                                        0x00000000
                                        0x00f42529
                                        0x00f42527
                                        0x00f42517
                                        0x00f424e3
                                        0x00f42493
                                        0x00f42482
                                        0x00f4243e
                                        0x00f42366
                                        0x00f42366
                                        0x00f42369
                                        0x00f4236c
                                        0x00f42384
                                        0x00f42384
                                        0x00f42387
                                        0x00f4238a
                                        0x00f4238d
                                        0x00f42395
                                        0x00f4239c
                                        0x00f4239f
                                        0x00f423a3
                                        0x00f423a6
                                        0x00f423a9
                                        0x00f423d8
                                        0x00f423d8
                                        0x00f423e2
                                        0x00f423ab
                                        0x00f423ab
                                        0x00f423b2
                                        0x00f423b4
                                        0x00f423ba
                                        0x00f423ce
                                        0x00f423ce
                                        0x00f423d0
                                        0x00000000
                                        0x00f423bc
                                        0x00f423bc
                                        0x00f423bf
                                        0x00f423c7
                                        0x00f423ca
                                        0x00000000
                                        0x00f423cc
                                        0x00f423cc
                                        0x00000000
                                        0x00f423cc
                                        0x00f423ca
                                        0x00f423ba
                                        0x00f423a9
                                        0x00f42360
                                        0x00f4234f
                                        0x00f42302
                                        0x00f422c1
                                        0x00f422c1
                                        0x00f422c3
                                        0x00f422c6
                                        0x00f422c8
                                        0x00f422c8
                                        0x00f422ca
                                        0x00f422cd
                                        0x00f422d3
                                        0x00f422db
                                        0x00f422dd
                                        0x00f422e9
                                        0x00f422e9
                                        0x00f4226c
                                        0x00f4226c
                                        0x00000000
                                        0x00f4226c
                                        0x00f4226a
                                        0x00f4225a
                                        0x00f42209
                                        0x00f42209
                                        0x00000000
                                        0x00f42209
                                        0x00f42207
                                        0x00f421f7
                                        0x00f41f3e
                                        0x00f41f44
                                        0x00f41f46
                                        0x00f41f49
                                        0x00f41f4b
                                        0x00f421cb
                                        0x00f421cb
                                        0x00000000
                                        0x00f41f51
                                        0x00f41f51
                                        0x00f41f54
                                        0x00f41f57
                                        0x00f41f6d
                                        0x00f41f70
                                        0x00f41f70
                                        0x00f41f72
                                        0x00f41f75
                                        0x00f41f7f
                                        0x00f41f84
                                        0x00f41f87
                                        0x00f41f8a
                                        0x00000000
                                        0x00f41f8a
                                        0x00f41f4b
                                        0x00f41f38
                                        0x00f41f31
                                        0x00f41f22
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f413db
                                        0x00f413cb
                                        0x00f41202
                                        0x00f41228
                                        0x00f41230
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f41230
                                        0x00f41200
                                        0x00000000

                                        APIs
                                        • std::_Xinvalid_argument.LIBCPMT ref: 00F41155
                                          • Part of subcall function 00F429DA: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F429E6
                                        • CreateMutexW.KERNELBASE(00000000,00000000,// {9D255ADC-2EB7-47F7-8DE0-7B2F4F9D9EB2}), ref: 00F411C8
                                        • RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full,?), ref: 00F411E3
                                        • RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full,?), ref: 00F411FC
                                        • RegQueryValueExW.KERNELBASE(?,Release,00000000,?,?,?), ref: 00F41228
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,000000FF,00000000,7618F5D0), ref: 00F41290
                                        • GetCommandLineW.KERNEL32(?,00F53A68,00000000,0000000F,00000000,MEInstaller.exe,0000000F,?,00000000), ref: 00F41797
                                        • CommandLineToArgvW.SHELL32(00000000), ref: 00F4179E
                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F41A5E
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F41A71
                                        • GetExitCodeProcess.KERNEL32 ref: 00F41A86
                                        • CloseHandle.KERNEL32(?), ref: 00F41A99
                                        • CloseHandle.KERNEL32(?), ref: 00F41AA2
                                        • GetLastError.KERNEL32 ref: 00F41BAD
                                        • GetUserPreferredUILanguages.KERNEL32(00000008,00000000,00000000,00000000,00F53A68,00000000,6A58FEF8,00000000,?), ref: 00F41EF3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: CloseCommandCreateHandleLineOpenProcess$ArgvCodeErrorExitFileLanguagesLastModuleMutexNameObjectPreferredQuerySingleUserValueWaitXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                        • String ID: // {9D255ADC-2EB7-47F7-8DE0-7B2F4F9D9EB2}$D$MEInstaller.exe$Release$SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full$en-us$string too long
                                        • API String ID: 2287834115-796906764
                                        • Opcode ID: 650bd71c8fc48b9746ed04516455edd9805fdd959023185faf725f12bffdf8b9
                                        • Instruction ID: 0b9d3c8a9d78be8f80cf4bcf8fd49d1250cc5788eaa720a348e1aacd2a7cdc99
                                        • Opcode Fuzzy Hash: 650bd71c8fc48b9746ed04516455edd9805fdd959023185faf725f12bffdf8b9
                                        • Instruction Fuzzy Hash: 9B92F171A043418BD724CF28DC45BAEBBE5FFC4304F504A2DF88997291E774AA85DB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 295 f432f6-f43301
                                        C-Code - Quality: 100%
                                        			E00F432F6() {
                                        				_Unknown_base(*)()* _t1;
                                        
                                        				_t1 = SetUnhandledExceptionFilter(E00F43302); // executed
                                        				return _t1;
                                        			}




                                        0x00f432fb
                                        0x00f43301

                                        APIs
                                        • SetUnhandledExceptionFilter.KERNELBASE(Function_00003302,00F42C43), ref: 00F432FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID: Pdhv
                                        • API String ID: 3192549508-2983560932
                                        • Opcode ID: 2e1248d81d350d6fe6a69a42068954ff9e54fb2c55d5d25f55d5e1bc277b6a94
                                        • Instruction ID: 6476917bcbe83a2b0a826d936b8df590796edd54ead03967f37b57d9e55aef02
                                        • Opcode Fuzzy Hash: 2e1248d81d350d6fe6a69a42068954ff9e54fb2c55d5d25f55d5e1bc277b6a94
                                        • Instruction Fuzzy Hash:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 297 f461d6-f461e8 call f488f7 call f48db8 301 f461ed-f461f1 297->301 302 f461f3-f461f6 301->302 303 f461f8-f46201 call f46228 301->303 304 f4621c-f46227 call f479d0 302->304 309 f46203-f46206 303->309 310 f46208-f4620f 303->310 311 f46214-f4621b call f479d0 309->311 310->311 311->304
                                        C-Code - Quality: 100%
                                        			E00F461D6(void* __eax, void* __ebx, void* __ecx, void* __edx) {
                                        
                                        				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
                                        			}



                                        0x00f461db

                                        APIs
                                          • Part of subcall function 00F48DB8: GetEnvironmentStringsW.KERNEL32 ref: 00F48DC1
                                          • Part of subcall function 00F48DB8: _free.LIBCMT ref: 00F48E20
                                          • Part of subcall function 00F48DB8: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F48E2F
                                        • _free.LIBCMT ref: 00F46216
                                        • _free.LIBCMT ref: 00F4621D
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: _free$EnvironmentStrings$Free
                                        • String ID:
                                        • API String ID: 2490078468-0
                                        • Opcode ID: eeafc59dce032e9cdfd876c556278a4bd448c0182aa0c308f27915179e9c65c1
                                        • Instruction ID: 20e16238a7f1138e087a6aa1e6d3a108b39576b3ffd1b825a9fa6e13543e5960
                                        • Opcode Fuzzy Hash: eeafc59dce032e9cdfd876c556278a4bd448c0182aa0c308f27915179e9c65c1
                                        • Instruction Fuzzy Hash: 6BE06523A4D71026AB2177397C426AE3E454B93375B520326ED20D71C3DFA8890671D6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 314 f48e6d-f48e7a call f47973 316 f48e7f-f48e8a 314->316 317 f48e90-f48e98 316->317 318 f48e8c-f48e8e 316->318 319 f48edb-f48ee7 call f479d0 317->319 320 f48e9a-f48e9e 317->320 318->319 321 f48ea0-f48ed5 call f49d42 320->321 326 f48ed7-f48eda 321->326 326->319
                                        C-Code - Quality: 95%
                                        			E00F48E6D(void* __edi, void* __eflags) {
                                        				intOrPtr _v12;
                                        				char _t17;
                                        				void* _t18;
                                        				intOrPtr* _t32;
                                        				char _t35;
                                        				void* _t37;
                                        
                                        				_push(_t27);
                                        				_t17 = E00F47973(0x40, 0x38); // executed
                                        				_t35 = _t17;
                                        				_v12 = _t35;
                                        				if(_t35 != 0) {
                                        					_t2 = _t35 + 0xe00; // 0xe00
                                        					_t18 = _t2;
                                        					__eflags = _t35 - _t18;
                                        					if(__eflags != 0) {
                                        						_t3 = _t35 + 0x20; // 0x20
                                        						_t32 = _t3;
                                        						_t37 = _t18;
                                        						do {
                                        							_t4 = _t32 - 0x20; // 0x0
                                        							E00F49D42(__eflags, _t4, 0xfa0, 0);
                                        							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
                                        							 *(_t32 + 0xd) =  *(_t32 + 0xd) & 0x000000f8;
                                        							 *_t32 = 0;
                                        							_t32 = _t32 + 0x38;
                                        							 *((intOrPtr*)(_t32 - 0x34)) = 0;
                                        							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
                                        							 *((char*)(_t32 - 0x2c)) = 0xa;
                                        							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
                                        							 *((char*)(_t32 - 0x26)) = 0;
                                        							__eflags = _t32 - 0x20 - _t37;
                                        						} while (__eflags != 0);
                                        						_t35 = _v12;
                                        					}
                                        				} else {
                                        					_t35 = 0;
                                        				}
                                        				E00F479D0(0);
                                        				return _t35;
                                        			}










                                        APIs
                                          • Part of subcall function 00F47973: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F4777B,00000001,00000364,00000006,000000FF,?,?,00F439C2,?), ref: 00F479B4
                                        • _free.LIBCMT ref: 00F48EDC
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        • Opcode ID: 6fc99cc7ca8216a9ca7b6aff411c7ed7c2f0fdf07ceb2dcba78c793af90cefce
                                        • Instruction ID: 885213133e5329432ac8969de7bf01cad09ddecbe35068523872d85709c8a771
                                        • Opcode Fuzzy Hash: 6fc99cc7ca8216a9ca7b6aff411c7ed7c2f0fdf07ceb2dcba78c793af90cefce
                                        • Instruction Fuzzy Hash: 6A014972A08316ABC3209FA8C88198EFFD8EB447F0F140629E955A76C0E7706C11C7E4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        control_flow_graph 327 f47973-f4797e 328 f47980-f4798a 327->328 329 f4798c-f47992 327->329 328->329 330 f479c0-f479cb call f47035 328->330 331 f47994-f47995 329->331 332 f479ab-f479bc RtlAllocateHeap 329->332 337 f479cd-f479cf 330->337 331->332 333 f47997-f4799e call f4689b 332->333 334 f479be 332->334 333->330 340 f479a0-f479a9 call f45c43 333->340 334->337 340->330 340->332
                                        C-Code - Quality: 100%
                                        			E00F47973(signed int _a4, signed int _a8) {
                                        				void* _t8;
                                        				signed int _t13;
                                        				signed int _t18;
                                        				long _t19;
                                        
                                        				_t18 = _a4;
                                        				if(_t18 == 0) {
                                        					L2:
                                        					_t19 = _t18 * _a8;
                                        					if(_t19 == 0) {
                                        						_t19 = _t19 + 1;
                                        					}
                                        					while(1) {
                                        						_t8 = RtlAllocateHeap( *0xf5d338, 8, _t19); // executed
                                        						if(_t8 != 0) {
                                        							break;
                                        						}
                                        						__eflags = E00F4689B();
                                        						if(__eflags == 0) {
                                        							L8:
                                        							 *((intOrPtr*)(E00F47035(__eflags))) = 0xc;
                                        							__eflags = 0;
                                        							return 0;
                                        						}
                                        						__eflags = E00F45C43(__eflags, _t19);
                                        						if(__eflags == 0) {
                                        							goto L8;
                                        						}
                                        					}
                                        					return _t8;
                                        				}
                                        				_t13 = 0xffffffe0;
                                        				if(_t13 / _t18 < _a8) {
                                        					goto L8;
                                        				}
                                        				goto L2;
                                        			}








                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F4777B,00000001,00000364,00000006,000000FF,?,?,00F439C2,?), ref: 00F479B4
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: b950221a1f03ce4277322e981eb057ad60b157292a648cce8c2f18d98dd55188
                                        • Instruction ID: 8f6bc65e19da441bb41885fa02faac54266af777d267210c6c84d88bf7191dfa
                                        • Opcode Fuzzy Hash: b950221a1f03ce4277322e981eb057ad60b157292a648cce8c2f18d98dd55188
                                        • Instruction Fuzzy Hash: 77F08932A097246BDF217B369C05B5B7F589F81B70F154121FC08E7191DB20E805B6E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E00F43162(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
                                        				char _v0;
                                        				struct _EXCEPTION_POINTERS _v12;
                                        				intOrPtr _v80;
                                        				intOrPtr _v88;
                                        				char _v92;
                                        				intOrPtr _v608;
                                        				intOrPtr _v612;
                                        				void* _v616;
                                        				intOrPtr _v620;
                                        				char _v624;
                                        				intOrPtr _v628;
                                        				intOrPtr _v632;
                                        				intOrPtr _v636;
                                        				intOrPtr _v640;
                                        				intOrPtr _v644;
                                        				intOrPtr _v648;
                                        				intOrPtr _v652;
                                        				intOrPtr _v656;
                                        				intOrPtr _v660;
                                        				intOrPtr _v664;
                                        				intOrPtr _v668;
                                        				char _v808;
                                        				char* _t39;
                                        				long _t49;
                                        				intOrPtr _t51;
                                        				void* _t54;
                                        				intOrPtr _t55;
                                        				intOrPtr _t57;
                                        				intOrPtr _t58;
                                        				intOrPtr _t59;
                                        				intOrPtr* _t60;
                                        
                                        				_t59 = __esi;
                                        				_t58 = __edi;
                                        				_t57 = __edx;
                                        				if(IsProcessorFeaturePresent(0x17) != 0) {
                                        					_t55 = _a4;
                                        					asm("int 0x29");
                                        				}
                                        				E00F43358(_t34);
                                        				 *_t60 = 0x2cc;
                                        				_v632 = E00F43E50(_t58,  &_v808, 0, 3);
                                        				_v636 = _t55;
                                        				_v640 = _t57;
                                        				_v644 = _t51;
                                        				_v648 = _t59;
                                        				_v652 = _t58;
                                        				_v608 = ss;
                                        				_v620 = cs;
                                        				_v656 = ds;
                                        				_v660 = es;
                                        				_v664 = fs;
                                        				_v668 = gs;
                                        				asm("pushfd");
                                        				_pop( *_t15);
                                        				_v624 = _v0;
                                        				_t39 =  &_v0;
                                        				_v612 = _t39;
                                        				_v808 = 0x10001;
                                        				_v628 =  *((intOrPtr*)(_t39 - 4));
                                        				E00F43E50(_t58,  &_v92, 0, 0x50);
                                        				_v92 = 0x40000015;
                                        				_v88 = 1;
                                        				_v80 = _v0;
                                        				_t28 = IsDebuggerPresent() - 1; // -1
                                        				_v12.ExceptionRecord =  &_v92;
                                        				asm("sbb bl, bl");
                                        				_v12.ContextRecord =  &_v808;
                                        				_t54 =  ~_t28 + 1;
                                        				SetUnhandledExceptionFilter(0);
                                        				_t49 = UnhandledExceptionFilter( &_v12);
                                        				if(_t49 == 0 && _t54 == 0) {
                                        					_push(3);
                                        					return E00F43358(_t49);
                                        				}
                                        				return _t49;
                                        			}



































                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F4316E
                                        • IsDebuggerPresent.KERNEL32 ref: 00F4323A
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F4325A
                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00F43264
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                        • String ID: Pdhv
                                        • API String ID: 254469556-2983560932
                                        • Opcode ID: 88ca5f3a4f2bfb7ebeb5a0a1512fc178ba9ffdd9c27af99302568ece069a44d3
                                        • Instruction ID: 6dab99f73e544567d201a752d3eeda890c906f0f1e870872627adce38bbd56be
                                        • Opcode Fuzzy Hash: 88ca5f3a4f2bfb7ebeb5a0a1512fc178ba9ffdd9c27af99302568ece069a44d3
                                        • Instruction Fuzzy Hash: 8E311A79D0121C9BDF20DFA4DD497CDBBB8AF18300F1040AAE80DAB250EB745B889F44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E00F45A27(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                        				char _v0;
                                        				signed int _v8;
                                        				intOrPtr _v524;
                                        				intOrPtr _v528;
                                        				void* _v532;
                                        				intOrPtr _v536;
                                        				char _v540;
                                        				intOrPtr _v544;
                                        				intOrPtr _v548;
                                        				intOrPtr _v552;
                                        				intOrPtr _v556;
                                        				intOrPtr _v560;
                                        				intOrPtr _v564;
                                        				intOrPtr _v568;
                                        				intOrPtr _v572;
                                        				intOrPtr _v576;
                                        				intOrPtr _v580;
                                        				intOrPtr _v584;
                                        				char _v724;
                                        				intOrPtr _v792;
                                        				intOrPtr _v800;
                                        				char _v804;
                                        				struct _EXCEPTION_POINTERS _v812;
                                        				void* __edi;
                                        				signed int _t40;
                                        				char* _t47;
                                        				char* _t49;
                                        				intOrPtr _t60;
                                        				intOrPtr _t61;
                                        				intOrPtr _t65;
                                        				intOrPtr _t66;
                                        				int _t67;
                                        				intOrPtr _t68;
                                        				signed int _t69;
                                        
                                        				_t68 = __esi;
                                        				_t65 = __edx;
                                        				_t60 = __ebx;
                                        				_t40 =  *0xf5c004; // 0x6a58fef8
                                        				_t41 = _t40 ^ _t69;
                                        				_v8 = _t40 ^ _t69;
                                        				if(_a4 != 0xffffffff) {
                                        					_push(_a4);
                                        					E00F43358(_t41);
                                        					_pop(_t61);
                                        				}
                                        				E00F43E50(_t66,  &_v804, 0, 0x50);
                                        				E00F43E50(_t66,  &_v724, 0, 0x2cc);
                                        				_v812.ExceptionRecord =  &_v804;
                                        				_t47 =  &_v724;
                                        				_v812.ContextRecord = _t47;
                                        				_v548 = _t47;
                                        				_v552 = _t61;
                                        				_v556 = _t65;
                                        				_v560 = _t60;
                                        				_v564 = _t68;
                                        				_v568 = _t66;
                                        				_v524 = ss;
                                        				_v536 = cs;
                                        				_v572 = ds;
                                        				_v576 = es;
                                        				_v580 = fs;
                                        				_v584 = gs;
                                        				asm("pushfd");
                                        				_pop( *_t22);
                                        				_v540 = _v0;
                                        				_t49 =  &_v0;
                                        				_v528 = _t49;
                                        				_v724 = 0x10001;
                                        				_v544 =  *((intOrPtr*)(_t49 - 4));
                                        				_v804 = _a8;
                                        				_v800 = _a12;
                                        				_v792 = _v0;
                                        				_t67 = IsDebuggerPresent();
                                        				SetUnhandledExceptionFilter(0);
                                        				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
                                        					_push(_a4);
                                        					_t57 = E00F43358(_t57);
                                        				}
                                        				return E00F429FA(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
                                        			}






































                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00F45B1F
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F45B29
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00F45B36
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID: Pdhv
                                        • API String ID: 3906539128-2983560932
                                        • Opcode ID: 41bf49a85e3af7c4d7327198383c58c22272548c7b1964ac950f7bc803b331da
                                        • Instruction ID: 26b9b54846a3035343409d8466351094c8da3598da0dbf64fe88e4d11e7f51f3
                                        • Opcode Fuzzy Hash: 41bf49a85e3af7c4d7327198383c58c22272548c7b1964ac950f7bc803b331da
                                        • Instruction Fuzzy Hash: 1831D47590131CABCB21DF68DC8878DBBB8AF48710F5041EAE80CA7251E7349F859F44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F46626(int _a4) {
                                        				void* _t14;
                                        
                                        				if(E00F48E3C(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                        					TerminateProcess(GetCurrentProcess(), _a4);
                                        				}
                                        				E00F46668(_t14, _a4);
                                        				ExitProcess(_a4);
                                        			}





                                        APIs
                                        • GetCurrentProcess.KERNEL32(00F47695,?,00F46625,?,?,00F47695,?,00F47695), ref: 00F46648
                                        • TerminateProcess.KERNEL32(00000000,?,00F46625,?,?,00F47695,?,00F47695), ref: 00F4664F
                                        • ExitProcess.KERNEL32 ref: 00F46661
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: ced688c27d96457357cbbfb94cd249d56ff32ae61a3784b681e81d121887bad5
                                        • Instruction ID: 12338dafdfef8fab9b7b2dc8aa8904bd993111ee12646fb495c62bfce845e120
                                        • Opcode Fuzzy Hash: ced688c27d96457357cbbfb94cd249d56ff32ae61a3784b681e81d121887bad5
                                        • Instruction Fuzzy Hash: 1DE0B635401108ABDB116FA8ED0DA5D3F6AEB92791B418428FD09CA132CB39DD92EA51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F4DDBD(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                                        				signed int _t172;
                                        				signed int _t175;
                                        				signed int _t178;
                                        				signed int* _t179;
                                        				signed char _t193;
                                        				signed int _t196;
                                        				signed int _t200;
                                        				signed int _t203;
                                        				void* _t204;
                                        				void* _t207;
                                        				signed int _t210;
                                        				void* _t211;
                                        				signed int _t226;
                                        				unsigned int* _t241;
                                        				signed char _t243;
                                        				signed int* _t251;
                                        				unsigned int* _t257;
                                        				signed int* _t258;
                                        				signed char _t260;
                                        				long _t263;
                                        				signed int* _t266;
                                        
                                        				 *(_a4 + 4) = 0;
                                        				_t263 = 0xc000000d;
                                        				 *(_a4 + 8) = 0;
                                        				 *(_a4 + 0xc) = 0;
                                        				_t243 = _a12;
                                        				if((_t243 & 0x00000010) != 0) {
                                        					_t263 = 0xc000008f;
                                        					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                                        				}
                                        				if((_t243 & 0x00000002) != 0) {
                                        					_t263 = 0xc0000093;
                                        					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                                        				}
                                        				if((_t243 & 0x00000001) != 0) {
                                        					_t263 = 0xc0000091;
                                        					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                                        				}
                                        				if((_t243 & 0x00000004) != 0) {
                                        					_t263 = 0xc000008e;
                                        					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                        				}
                                        				if((_t243 & 0x00000008) != 0) {
                                        					_t263 = 0xc0000090;
                                        					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                                        				}
                                        				_t266 = _a8;
                                        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
                                        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
                                        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                                        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                                        				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
                                        				_t260 = E00F4C225(_a4);
                                        				if((_t260 & 0x00000001) != 0) {
                                        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                                        				}
                                        				if((_t260 & 0x00000004) != 0) {
                                        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                                        				}
                                        				if((_t260 & 0x00000008) != 0) {
                                        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                                        				}
                                        				if((_t260 & 0x00000010) != 0) {
                                        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                                        				}
                                        				if((_t260 & 0x00000020) != 0) {
                                        					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                                        				}
                                        				_t172 =  *_t266 & 0x00000c00;
                                        				if(_t172 == 0) {
                                        					 *_a4 =  *_a4 & 0xfffffffc;
                                        				} else {
                                        					if(_t172 == 0x400) {
                                        						_t258 = _a4;
                                        						_t226 =  *_t258 & 0xfffffffd | 1;
                                        						L26:
                                        						 *_t258 = _t226;
                                        						L29:
                                        						_t175 =  *_t266 & 0x00000300;
                                        						if(_t175 == 0) {
                                        							_t251 = _a4;
                                        							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
                                        							L35:
                                        							 *_t251 = _t178;
                                        							L36:
                                        							_t179 = _a4;
                                        							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                        							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                        							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                                        							if(_a28 == 0) {
                                        								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                                        								 *((long long*)(_a4 + 0x10)) =  *_a20;
                                        								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                        								_t255 = _a4;
                                        								_t241 = _a24;
                                        								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                                        								 *(_a4 + 0x50) =  *_t241;
                                        							} else {
                                        								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                                        								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                                        								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                        								_t241 = _a24;
                                        								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                                        								 *(_a4 + 0x50) =  *_t241;
                                        							}
                                        							E00F4C191(_t255);
                                        							RaiseException(_t263, 0, 1,  &_a4);
                                        							_t257 = _a4;
                                        							_t193 = _t257[2];
                                        							if((_t193 & 0x00000010) != 0) {
                                        								 *_t266 =  *_t266 & 0xfffffffe;
                                        								_t193 = _t257[2];
                                        							}
                                        							if((_t193 & 0x00000008) != 0) {
                                        								 *_t266 =  *_t266 & 0xfffffffb;
                                        								_t193 = _t257[2];
                                        							}
                                        							if((_t193 & 0x00000004) != 0) {
                                        								 *_t266 =  *_t266 & 0xfffffff7;
                                        								_t193 = _t257[2];
                                        							}
                                        							if((_t193 & 0x00000002) != 0) {
                                        								 *_t266 =  *_t266 & 0xffffffef;
                                        								_t193 = _t257[2];
                                        							}
                                        							if((_t193 & 0x00000001) != 0) {
                                        								 *_t266 =  *_t266 & 0xffffffdf;
                                        							}
                                        							_t196 =  *_t257 & 0x00000003;
                                        							if(_t196 == 0) {
                                        								 *_t266 =  *_t266 & 0xfffff3ff;
                                        							} else {
                                        								_t207 = _t196 - 1;
                                        								if(_t207 == 0) {
                                        									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
                                        									L55:
                                        									 *_t266 = _t210;
                                        									L58:
                                        									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
                                        									if(_t200 == 0) {
                                        										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
                                        										L64:
                                        										 *_t266 = _t203;
                                        										L65:
                                        										if(_a28 == 0) {
                                        											 *_t241 = _t257[0x14];
                                        										} else {
                                        											 *_t241 = _t257[0x14];
                                        										}
                                        										return _t203;
                                        									}
                                        									_t204 = _t200 - 1;
                                        									if(_t204 == 0) {
                                        										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
                                        										goto L64;
                                        									}
                                        									_t203 = _t204 - 1;
                                        									if(_t203 == 0) {
                                        										 *_t266 =  *_t266 & 0xfffff3ff;
                                        									}
                                        									goto L65;
                                        								}
                                        								_t211 = _t207 - 1;
                                        								if(_t211 == 0) {
                                        									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
                                        									goto L55;
                                        								}
                                        								if(_t211 == 1) {
                                        									 *_t266 =  *_t266 | 0x00000c00;
                                        								}
                                        							}
                                        							goto L58;
                                        						}
                                        						if(_t175 == 0x200) {
                                        							_t251 = _a4;
                                        							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
                                        							goto L35;
                                        						}
                                        						if(_t175 == 0x300) {
                                        							 *_a4 =  *_a4 & 0xffffffe3;
                                        						}
                                        						goto L36;
                                        					}
                                        					if(_t172 == 0x800) {
                                        						_t258 = _a4;
                                        						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
                                        						goto L26;
                                        					}
                                        					if(_t172 == 0xc00) {
                                        						 *_a4 =  *_a4 | 0x00000003;
                                        					}
                                        				}
                                        			}

























                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F4DDB8,?,?,00000008,?,?,00F4DA50,00000000), ref: 00F4DFEA
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        • API String ID: 3997070919-0
                                        • Opcode ID: 3241965f73ddf0b551a8e31e278110c89f52b055d68448377f4bda451fb89c5e
                                        • Instruction ID: 7c690a79ba153fb14b8a99f331946b5684d1716ae7b73311aa9fe9295991f05e
                                        • Opcode Fuzzy Hash: 3241965f73ddf0b551a8e31e278110c89f52b055d68448377f4bda451fb89c5e
                                        • Instruction Fuzzy Hash: 4BB13B32610609DFD725CF2CC48AB657FA0FF45364F258658E8AACF2A1C335E991DB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 88%
                                        			E00F43405(signed int __edx) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				signed int _v40;
                                        				intOrPtr _t60;
                                        				signed int _t61;
                                        				signed int _t62;
                                        				signed int _t63;
                                        				signed int _t66;
                                        				signed int _t67;
                                        				signed int _t73;
                                        				intOrPtr _t74;
                                        				intOrPtr _t75;
                                        				intOrPtr* _t77;
                                        				signed int _t78;
                                        				intOrPtr* _t82;
                                        				signed int _t85;
                                        				signed int _t90;
                                        				intOrPtr* _t93;
                                        				signed int _t96;
                                        				signed int _t99;
                                        				signed int _t104;
                                        
                                        				_t90 = __edx;
                                        				 *0xf5ccb8 =  *0xf5ccb8 & 0x00000000;
                                        				 *0xf5c010 =  *0xf5c010 | 0x00000001;
                                        				if(IsProcessorFeaturePresent(0xa) == 0) {
                                        					L23:
                                        					return 0;
                                        				}
                                        				_v20 = _v20 & 0x00000000;
                                        				_push(_t74);
                                        				_t93 =  &_v40;
                                        				asm("cpuid");
                                        				_t75 = _t74;
                                        				 *_t93 = 0;
                                        				 *((intOrPtr*)(_t93 + 4)) = _t74;
                                        				 *((intOrPtr*)(_t93 + 8)) = 0;
                                        				 *(_t93 + 0xc) = _t90;
                                        				_v16 = _v40;
                                        				_v12 = _v28 ^ 0x49656e69;
                                        				_v8 = _v36 ^ 0x756e6547;
                                        				_push(_t75);
                                        				asm("cpuid");
                                        				_t77 =  &_v40;
                                        				 *_t77 = 1;
                                        				 *((intOrPtr*)(_t77 + 4)) = _t75;
                                        				 *((intOrPtr*)(_t77 + 8)) = 0;
                                        				 *(_t77 + 0xc) = _t90;
                                        				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
                                        					L9:
                                        					_t96 =  *0xf5ccbc; // 0x2
                                        					L10:
                                        					_t85 = _v32;
                                        					_t60 = 7;
                                        					_v8 = _t85;
                                        					if(_v16 < _t60) {
                                        						_t78 = _v20;
                                        					} else {
                                        						_push(_t77);
                                        						asm("cpuid");
                                        						_t82 =  &_v40;
                                        						 *_t82 = _t60;
                                        						 *((intOrPtr*)(_t82 + 4)) = _t77;
                                        						 *((intOrPtr*)(_t82 + 8)) = 0;
                                        						_t85 = _v8;
                                        						 *(_t82 + 0xc) = _t90;
                                        						_t78 = _v36;
                                        						if((_t78 & 0x00000200) != 0) {
                                        							 *0xf5ccbc = _t96 | 0x00000002;
                                        						}
                                        					}
                                        					_t61 =  *0xf5c010; // 0x6f
                                        					_t62 = _t61 | 0x00000002;
                                        					 *0xf5ccb8 = 1;
                                        					 *0xf5c010 = _t62;
                                        					if((_t85 & 0x00100000) != 0) {
                                        						_t63 = _t62 | 0x00000004;
                                        						 *0xf5ccb8 = 2;
                                        						 *0xf5c010 = _t63;
                                        						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
                                        							asm("xgetbv");
                                        							_v24 = _t63;
                                        							_v20 = _t90;
                                        							_t104 = 6;
                                        							if((_v24 & _t104) == _t104) {
                                        								_t66 =  *0xf5c010; // 0x6f
                                        								_t67 = _t66 | 0x00000008;
                                        								 *0xf5ccb8 = 3;
                                        								 *0xf5c010 = _t67;
                                        								if((_t78 & 0x00000020) != 0) {
                                        									 *0xf5ccb8 = 5;
                                        									 *0xf5c010 = _t67 | 0x00000020;
                                        									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
                                        										 *0xf5c010 =  *0xf5c010 | 0x00000040;
                                        										 *0xf5ccb8 = _t104;
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        					goto L23;
                                        				}
                                        				_t73 = _v40 & 0x0fff3ff0;
                                        				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
                                        					_t99 =  *0xf5ccbc; // 0x2
                                        					_t96 = _t99 | 0x00000001;
                                        					 *0xf5ccbc = _t96;
                                        					goto L10;
                                        				} else {
                                        					goto L9;
                                        				}
                                        			}


                                        APIs
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F4341B
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: FeaturePresentProcessor
                                        • String ID:
                                        • API String ID: 2325560087-0
                                        • Opcode ID: 3b64eab28fb69ca914af0eedf3f7f27af9a408d68970d6003d989a3c26693933
                                        • Instruction ID: 84bbb4266df1de573a923219ab8475aae9bc89b2bab8bf6a4c5bd621e724ccad
                                        • Opcode Fuzzy Hash: 3b64eab28fb69ca914af0eedf3f7f27af9a408d68970d6003d989a3c26693933
                                        • Instruction Fuzzy Hash: 90518271E04319CFDB15CF98D8857AABBF0FB44319F24846AD906E7291D3749A40EB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E00F47DAF(void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				union _FINDEX_INFO_LEVELS _v28;
                                        				intOrPtr* _v32;
                                        				intOrPtr _v36;
                                        				signed int _v48;
                                        				struct _WIN32_FIND_DATAW _v604;
                                        				char _v605;
                                        				intOrPtr* _v612;
                                        				union _FINDEX_INFO_LEVELS _v616;
                                        				union _FINDEX_INFO_LEVELS _v620;
                                        				union _FINDEX_INFO_LEVELS _v624;
                                        				signed int _v628;
                                        				union _FINDEX_INFO_LEVELS _v632;
                                        				union _FINDEX_INFO_LEVELS _v636;
                                        				signed int _v640;
                                        				signed int _v644;
                                        				union _FINDEX_INFO_LEVELS _v648;
                                        				union _FINDEX_INFO_LEVELS _v652;
                                        				union _FINDEX_INFO_LEVELS _v656;
                                        				union _FINDEX_INFO_LEVELS _v660;
                                        				signed int _v664;
                                        				union _FINDEX_INFO_LEVELS _v668;
                                        				union _FINDEX_INFO_LEVELS _v672;
                                        				void* __ebx;
                                        				void* __edi;
                                        				intOrPtr _t68;
                                        				signed int _t73;
                                        				signed int _t75;
                                        				char _t77;
                                        				signed char _t78;
                                        				signed int _t84;
                                        				signed int _t94;
                                        				signed int _t97;
                                        				union _FINDEX_INFO_LEVELS _t98;
                                        				union _FINDEX_INFO_LEVELS _t100;
                                        				intOrPtr* _t106;
                                        				signed int _t109;
                                        				intOrPtr _t116;
                                        				signed int _t118;
                                        				signed int _t121;
                                        				signed int _t123;
                                        				void* _t126;
                                        				union _FINDEX_INFO_LEVELS _t127;
                                        				void* _t128;
                                        				intOrPtr* _t130;
                                        				intOrPtr* _t133;
                                        				signed int _t135;
                                        				intOrPtr* _t138;
                                        				signed int _t143;
                                        				signed int _t149;
                                        				void* _t155;
                                        				signed int _t158;
                                        				intOrPtr _t160;
                                        				void* _t161;
                                        				void* _t165;
                                        				void* _t166;
                                        				signed int _t167;
                                        				signed int _t170;
                                        				void* _t171;
                                        				signed int _t172;
                                        				void* _t173;
                                        				void* _t174;
                                        
                                        				_push(__ecx);
                                        				_t133 = _a4;
                                        				_t2 = _t133 + 1; // 0x1
                                        				_t155 = _t2;
                                        				do {
                                        					_t68 =  *_t133;
                                        					_t133 = _t133 + 1;
                                        				} while (_t68 != 0);
                                        				_t158 = _a12;
                                        				_t135 = _t133 - _t155 + 1;
                                        				_v8 = _t135;
                                        				if(_t135 <=  !_t158) {
                                        					_push(__esi);
                                        					_t5 = _t158 + 1; // 0x1
                                        					_t126 = _t5 + _t135;
                                        					_t165 = E00F47973(_t126, 1);
                                        					__eflags = _t158;
                                        					if(_t158 == 0) {
                                        						L7:
                                        						_push(_v8);
                                        						_t126 = _t126 - _t158;
                                        						_t73 = E00F4B201(_t165 + _t158, _t126, _a4);
                                        						_t172 = _t171 + 0x10;
                                        						__eflags = _t73;
                                        						if(_t73 != 0) {
                                        							goto L12;
                                        						} else {
                                        							_t130 = _a16;
                                        							_t118 = E00F481AA(_t130);
                                        							_v8 = _t118;
                                        							__eflags = _t118;
                                        							if(_t118 == 0) {
                                        								 *( *(_t130 + 4)) = _t165;
                                        								_t167 = 0;
                                        								_t14 = _t130 + 4;
                                        								 *_t14 =  *(_t130 + 4) + 4;
                                        								__eflags =  *_t14;
                                        							} else {
                                        								E00F479D0(_t165);
                                        								_t167 = _v8;
                                        							}
                                        							E00F479D0(0);
                                        							_t121 = _t167;
                                        							goto L4;
                                        						}
                                        					} else {
                                        						_push(_t158);
                                        						_t123 = E00F4B201(_t165, _t126, _a8);
                                        						_t172 = _t171 + 0x10;
                                        						__eflags = _t123;
                                        						if(_t123 != 0) {
                                        							L12:
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							E00F45C00();
                                        							asm("int3");
                                        							_t170 = _t172;
                                        							_t173 = _t172 - 0x298;
                                        							_t75 =  *0xf5c004; // 0x6a58fef8
                                        							_v48 = _t75 ^ _t170;
                                        							_t138 = _v32;
                                        							_t156 = _v28;
                                        							_push(_t126);
                                        							_push(0);
                                        							_t160 = _v36;
                                        							_v648 = _t156;
                                        							__eflags = _t138 - _t160;
                                        							if(_t138 != _t160) {
                                        								while(1) {
                                        									_t116 =  *_t138;
                                        									__eflags = _t116 - 0x2f;
                                        									if(_t116 == 0x2f) {
                                        										break;
                                        									}
                                        									__eflags = _t116 - 0x5c;
                                        									if(_t116 != 0x5c) {
                                        										__eflags = _t116 - 0x3a;
                                        										if(_t116 != 0x3a) {
                                        											_t138 = E00F4B250(_t160, _t138);
                                        											__eflags = _t138 - _t160;
                                        											if(_t138 != _t160) {
                                        												continue;
                                        											}
                                        										}
                                        									}
                                        									break;
                                        								}
                                        								_t156 = _v612;
                                        							}
                                        							_t77 =  *_t138;
                                        							_v605 = _t77;
                                        							__eflags = _t77 - 0x3a;
                                        							if(_t77 != 0x3a) {
                                        								L23:
                                        								_t127 = 0;
                                        								__eflags = _t77 - 0x2f;
                                        								if(__eflags == 0) {
                                        									L26:
                                        									_t78 = 1;
                                        								} else {
                                        									__eflags = _t77 - 0x5c;
                                        									if(__eflags == 0) {
                                        										goto L26;
                                        									} else {
                                        										__eflags = _t77 - 0x3a;
                                        										_t78 = 0;
                                        										if(__eflags == 0) {
                                        											goto L26;
                                        										}
                                        									}
                                        								}
                                        								_v672 = _t127;
                                        								_v668 = _t127;
                                        								_push(_t165);
                                        								asm("sbb eax, eax");
                                        								_v664 = _t127;
                                        								_v660 = _t127;
                                        								_v640 =  ~(_t78 & 0x000000ff) & _t138 - _t160 + 0x00000001;
                                        								_v656 = _t127;
                                        								_v652 = _t127;
                                        								_t84 = E00F47BA3(_t138 - _t160 + 1, _t160,  &_v672, E00F480B7(_t156, __eflags));
                                        								_t174 = _t173 + 0xc;
                                        								asm("sbb eax, eax");
                                        								_t166 = FindFirstFileExW( !( ~_t84) & _v664, _t127,  &_v604, _t127, _t127, _t127);
                                        								__eflags = _t166 - 0xffffffff;
                                        								if(_t166 != 0xffffffff) {
                                        									_t143 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
                                        									__eflags = _t143;
                                        									_t144 = _t143 >> 2;
                                        									_v644 = _t143 >> 2;
                                        									do {
                                        										_v636 = _t127;
                                        										_v632 = _t127;
                                        										_v628 = _t127;
                                        										_v624 = _t127;
                                        										_v620 = _t127;
                                        										_v616 = _t127;
                                        										_t94 = E00F47AD4( &(_v604.cFileName),  &_v636,  &_v605, E00F480B7(_t156, __eflags));
                                        										_t174 = _t174 + 0x10;
                                        										asm("sbb eax, eax");
                                        										_t97 =  !( ~_t94) & _v628;
                                        										__eflags =  *_t97 - 0x2e;
                                        										if( *_t97 != 0x2e) {
                                        											L34:
                                        											_push(_v612);
                                        											_t98 = E00F47DAF(_t144, _t166, _t97, _t160, _v640);
                                        											_t174 = _t174 + 0x10;
                                        											_v648 = _t98;
                                        											__eflags = _t98;
                                        											if(_t98 != 0) {
                                        												__eflags = _v616 - _t127;
                                        												if(_v616 != _t127) {
                                        													E00F479D0(_v628);
                                        													_t98 = _v648;
                                        												}
                                        												_t127 = _t98;
                                        											} else {
                                        												goto L35;
                                        											}
                                        										} else {
                                        											_t144 =  *((intOrPtr*)(_t97 + 1));
                                        											__eflags = _t144;
                                        											if(_t144 == 0) {
                                        												goto L35;
                                        											} else {
                                        												__eflags = _t144 - 0x2e;
                                        												if(_t144 != 0x2e) {
                                        													goto L34;
                                        												} else {
                                        													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t127;
                                        													if( *((intOrPtr*)(_t97 + 2)) == _t127) {
                                        														goto L35;
                                        													} else {
                                        														goto L34;
                                        													}
                                        												}
                                        											}
                                        										}
                                        										L43:
                                        										FindClose(_t166);
                                        										goto L44;
                                        										L35:
                                        										__eflags = _v616 - _t127;
                                        										if(_v616 != _t127) {
                                        											E00F479D0(_v628);
                                        											_pop(_t144);
                                        										}
                                        										__eflags = FindNextFileW(_t166,  &_v604);
                                        									} while (__eflags != 0);
                                        									_t106 = _v612;
                                        									_t149 = _v644;
                                        									_t156 =  *_t106;
                                        									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
                                        									__eflags = _t149 - _t109;
                                        									if(_t149 != _t109) {
                                        										E00F4AC60(_t156, _t156 + _t149 * 4, _t109 - _t149, 4, E00F47A0A);
                                        									}
                                        									goto L43;
                                        								} else {
                                        									_push(_v612);
                                        									_t127 = E00F47DAF( &_v604, _t166, _t160, _t127, _t127);
                                        								}
                                        								L44:
                                        								__eflags = _v652;
                                        								_pop(_t165);
                                        								if(_v652 != 0) {
                                        									E00F479D0(_v664);
                                        								}
                                        								_t100 = _t127;
                                        							} else {
                                        								__eflags = _t138 - _t160 + 1;
                                        								if(_t138 == _t160 + 1) {
                                        									_t77 = _v605;
                                        									goto L23;
                                        								} else {
                                        									_push(_t156);
                                        									_t100 = E00F47DAF(_t138, _t165, _t160, 0, 0);
                                        								}
                                        							}
                                        							_pop(_t161);
                                        							__eflags = _v12 ^ _t170;
                                        							_pop(_t128);
                                        							return E00F429FA(_t100, _t128, _v12 ^ _t170, _t156, _t161, _t165);
                                        						} else {
                                        							goto L7;
                                        						}
                                        					}
                                        				} else {
                                        					_t121 = 0xc;
                                        					L4:
                                        					return _t121;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F49EE9() {
                                        				signed int _t3;
                                        
                                        				_t3 = GetProcessHeap();
                                        				 *0xf5d338 = _t3;
                                        				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                        			}





                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F48E3C(void* __ecx) {
                                        				char _v8;
                                        				intOrPtr _t7;
                                        				char _t13;
                                        
                                        				_t13 = 0;
                                        				_v8 = 0;
                                        				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                        				_t16 =  *((intOrPtr*)(_t7 + 8));
                                        				if( *((intOrPtr*)(_t7 + 8)) < 0) {
                                        					L2:
                                        					_t13 = 1;
                                        				} else {
                                        					E00F49BE4(_t16,  &_v8);
                                        					if(_v8 != 1) {
                                        						goto L2;
                                        					}
                                        				}
                                        				return _t13;
                                        			}







                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        [Control-flow graph of function 00F4972F]
                                        C-Code - Quality: 100%
                                        			E00F4972F(intOrPtr _a4) {
                                        				intOrPtr _v8;
                                        				intOrPtr _t25;
                                        				intOrPtr* _t26;
                                        				intOrPtr _t28;
                                        				intOrPtr* _t29;
                                        				intOrPtr* _t31;
                                        				intOrPtr* _t45;
                                        				intOrPtr* _t46;
                                        				intOrPtr* _t47;
                                        				intOrPtr* _t55;
                                        				intOrPtr* _t70;
                                        				intOrPtr _t74;
                                        
                                        				_t74 = _a4;
                                        				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                        				if(_t25 != 0 && _t25 != 0xf5c648) {
                                        					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                        					if(_t45 != 0 &&  *_t45 == 0) {
                                        						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                        						if(_t46 != 0 &&  *_t46 == 0) {
                                        							E00F479D0(_t46);
                                        							E00F49308( *((intOrPtr*)(_t74 + 0x88)));
                                        						}
                                        						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                        						if(_t47 != 0 &&  *_t47 == 0) {
                                        							E00F479D0(_t47);
                                        							E00F49406( *((intOrPtr*)(_t74 + 0x88)));
                                        						}
                                        						E00F479D0( *((intOrPtr*)(_t74 + 0x7c)));
                                        						E00F479D0( *((intOrPtr*)(_t74 + 0x88)));
                                        					}
                                        				}
                                        				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                        				if(_t26 != 0 &&  *_t26 == 0) {
                                        					E00F479D0( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                        					E00F479D0( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                        					E00F479D0( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                        					E00F479D0( *((intOrPtr*)(_t74 + 0x8c)));
                                        				}
                                        				E00F498A0( *((intOrPtr*)(_t74 + 0x9c)));
                                        				_t28 = 6;
                                        				_t55 = _t74 + 0xa0;
                                        				_v8 = _t28;
                                        				_t70 = _t74 + 0x28;
                                        				do {
                                        					if( *((intOrPtr*)(_t70 - 8)) != 0xf5c120) {
                                        						_t31 =  *_t70;
                                        						if(_t31 != 0 &&  *_t31 == 0) {
                                        							E00F479D0(_t31);
                                        							E00F479D0( *_t55);
                                        						}
                                        						_t28 = _v8;
                                        					}
                                        					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                        						_t29 =  *((intOrPtr*)(_t70 - 4));
                                        						if(_t29 != 0 &&  *_t29 == 0) {
                                        							E00F479D0(_t29);
                                        						}
                                        						_t28 = _v8;
                                        					}
                                        					_t55 = _t55 + 4;
                                        					_t70 = _t70 + 0x10;
                                        					_t28 = _t28 - 1;
                                        					_v8 = _t28;
                                        				} while (_t28 != 0);
                                        				return E00F479D0(_t74);
                                        			}
















                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 00F49773
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F49325
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F49337
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F49349
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F4935B
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F4936D
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F4937F
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F49391
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F493A3
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F493B5
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F493C7
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F493D9
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F493EB
                                          • Part of subcall function 00F49308: _free.LIBCMT ref: 00F493FD
                                        • _free.LIBCMT ref: 00F49768
                                          • Part of subcall function 00F479D0: HeapFree.KERNEL32(00000000,00000000,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?), ref: 00F479E6
                                          • Part of subcall function 00F479D0: GetLastError.KERNEL32(?,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?,?), ref: 00F479F8
                                        • _free.LIBCMT ref: 00F4978A
                                        • _free.LIBCMT ref: 00F4979F
                                        • _free.LIBCMT ref: 00F497AA
                                        • _free.LIBCMT ref: 00F497CC
                                        • _free.LIBCMT ref: 00F497DF
                                        • _free.LIBCMT ref: 00F497ED
                                        • _free.LIBCMT ref: 00F497F8
                                        • _free.LIBCMT ref: 00F49830
                                        • _free.LIBCMT ref: 00F49837
                                        • _free.LIBCMT ref: 00F49854
                                        • _free.LIBCMT ref: 00F4986C
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: 152c158619f5cdd7f2de64ace09e23bee8c13974fee79847fed3b0b9b7c31c7e
                                        • Instruction ID: 398a56d16b5407e016a0af302701b5f4cfb93b373ccc9e8cbe2c127a0ed02472
                                        • Opcode Fuzzy Hash: 152c158619f5cdd7f2de64ace09e23bee8c13974fee79847fed3b0b9b7c31c7e
                                        • Instruction Fuzzy Hash: 88314B31A0C301AFEB20AE3CEC45B577BE8AF01360F54482AEC59D7191DBB5AC80EB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        [Figure: control-flow graph of function f4430b; legend: Executed / Not Executed]
                                        C-Code - Quality: 63%
                                        			E00F4430B(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
                                        				signed char* _v0;
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				signed int _v40;
                                        				signed int _v44;
                                        				intOrPtr _v48;
                                        				signed int _v52;
                                        				intOrPtr _v56;
                                        				intOrPtr _v60;
                                        				void _v64;
                                        				signed int _v68;
                                        				char _v84;
                                        				intOrPtr _v88;
                                        				signed int _v92;
                                        				intOrPtr _v100;
                                        				void _v104;
                                        				intOrPtr* _v112;
                                        				signed char* _v184;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				void* _t202;
                                        				signed int _t203;
                                        				char _t204;
                                        				signed int _t206;
                                        				signed int _t208;
                                        				signed char* _t209;
                                        				signed int _t210;
                                        				signed int _t211;
                                        				signed int _t215;
                                        				void* _t218;
                                        				signed char* _t221;
                                        				void* _t223;
                                        				void* _t225;
                                        				signed char _t229;
                                        				signed int _t230;
                                        				void* _t232;
                                        				void* _t235;
                                        				void* _t238;
                                        				signed char _t245;
                                        				signed int _t250;
                                        				void* _t253;
                                        				signed int* _t255;
                                        				signed int _t256;
                                        				intOrPtr _t257;
                                        				signed int _t258;
                                        				void* _t263;
                                        				void* _t268;
                                        				void* _t269;
                                        				signed int _t273;
                                        				signed char* _t274;
                                        				intOrPtr* _t275;
                                        				signed char _t276;
                                        				signed int _t277;
                                        				signed int _t278;
                                        				intOrPtr* _t280;
                                        				signed int _t281;
                                        				signed int _t282;
                                        				signed int _t287;
                                        				signed int _t294;
                                        				signed int _t295;
                                        				signed int _t298;
                                        				signed int _t300;
                                        				signed char* _t301;
                                        				signed int _t302;
                                        				signed int _t303;
                                        				signed int* _t305;
                                        				signed char* _t308;
                                        				signed int _t318;
                                        				signed int _t319;
                                        				signed int _t321;
                                        				signed int _t330;
                                        				void* _t332;
                                        				void* _t334;
                                        				void* _t335;
                                        				void* _t336;
                                        				void* _t337;
                                        
                                        				_t300 = __edx;
                                        				_push(_t319);
                                        				_t305 = _a20;
                                        				_v20 = 0;
                                        				_v28 = 0;
                                        				_t279 = E00F45278(_a8, _a16, _t305);
                                        				_t335 = _t334 + 0xc;
                                        				_v12 = _t279;
                                        				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
                                        					L66:
                                        					_t202 = E00F46E22(_t274, _t279, _t300, _t305, _t319);
                                        					asm("int3");
                                        					_t332 = _t335;
                                        					_t336 = _t335 - 0x38;
                                        					_push(_t274);
                                        					_t275 = _v112;
                                        					__eflags =  *_t275 - 0x80000003;
                                        					if( *_t275 == 0x80000003) {
                                        						return _t202;
                                        					} else {
                                        						_push(_t319);
                                        						_push(_t305);
                                        						_t203 = E00F43FC6(_t275, _t279, _t300, _t305, _t319);
                                        						__eflags =  *(_t203 + 8);
                                        						if( *(_t203 + 8) != 0) {
                                        							__imp__EncodePointer(0);
                                        							_t319 = _t203;
                                        							_t223 = E00F43FC6(_t275, _t279, _t300, 0, _t319);
                                        							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
                                        							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
                                        								__eflags =  *_t275 - 0xe0434f4d;
                                        								if( *_t275 != 0xe0434f4d) {
                                        									__eflags =  *_t275 - 0xe0434352;
                                        									if( *_t275 != 0xe0434352) {
                                        										_t215 = E00F436AF(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
                                        										_t336 = _t336 + 0x1c;
                                        										__eflags = _t215;
                                        										if(_t215 != 0) {
                                        											L83:
                                        											return _t215;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						_t204 = _a16;
                                        						_v28 = _t204;
                                        						_v24 = 0;
                                        						__eflags =  *(_t204 + 0xc);
                                        						if( *(_t204 + 0xc) > 0) {
                                        							_push(_a24);
                                        							E00F435E2(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
                                        							_t302 = _v40;
                                        							_t337 = _t336 + 0x18;
                                        							_t215 = _v44;
                                        							_v20 = _t215;
                                        							_v12 = _t302;
                                        							__eflags = _t302 - _v32;
                                        							if(_t302 >= _v32) {
                                        								goto L83;
                                        							}
                                        							_t281 = _t302 * 0x14;
                                        							__eflags = _t281;
                                        							_v16 = _t281;
                                        							do {
                                        								_t282 = 5;
                                        								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
                                        								_t337 = _t337 + 0xc;
                                        								__eflags = _v64 - _t218;
                                        								if(_v64 > _t218) {
                                        									goto L82;
                                        								}
                                        								__eflags = _t218 - _v60;
                                        								if(_t218 > _v60) {
                                        									goto L82;
                                        								}
                                        								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
                                        								_t287 = _t221[4];
                                        								__eflags = _t287;
                                        								if(_t287 == 0) {
                                        									L80:
                                        									__eflags =  *_t221 & 0x00000040;
                                        									if(( *_t221 & 0x00000040) == 0) {
                                        										_push(0);
                                        										_push(1);
                                        										E00F4428B(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
                                        										_t302 = _v12;
                                        										_t337 = _t337 + 0x30;
                                        									}
                                        									goto L82;
                                        								}
                                        								__eflags =  *((char*)(_t287 + 8));
                                        								if( *((char*)(_t287 + 8)) != 0) {
                                        									goto L82;
                                        								}
                                        								goto L80;
                                        								L82:
                                        								_t302 = _t302 + 1;
                                        								_t215 = _v20;
                                        								_t281 = _v16 + 0x14;
                                        								_v12 = _t302;
                                        								_v16 = _t281;
                                        								__eflags = _t302 - _v32;
                                        							} while (_t302 < _v32);
                                        							goto L83;
                                        						}
                                        						E00F46E22(_t275, _t279, _t300, 0, _t319);
                                        						asm("int3");
                                        						_push(_t332);
                                        						_t301 = _v184;
                                        						_push(_t275);
                                        						_push(_t319);
                                        						_push(0);
                                        						_t206 = _t301[4];
                                        						__eflags = _t206;
                                        						if(_t206 == 0) {
                                        							L108:
                                        							_t208 = 1;
                                        							__eflags = 1;
                                        						} else {
                                        							_t280 = _t206 + 8;
                                        							__eflags =  *_t280;
                                        							if( *_t280 == 0) {
                                        								goto L108;
                                        							} else {
                                        								__eflags =  *_t301 & 0x00000080;
                                        								_t308 = _v0;
                                        								if(( *_t301 & 0x00000080) == 0) {
                                        									L90:
                                        									_t276 = _t308[4];
                                        									_t321 = 0;
                                        									__eflags = _t206 - _t276;
                                        									if(_t206 == _t276) {
                                        										L100:
                                        										__eflags =  *_t308 & 0x00000002;
                                        										if(( *_t308 & 0x00000002) == 0) {
                                        											L102:
                                        											_t209 = _a4;
                                        											__eflags =  *_t209 & 0x00000001;
                                        											if(( *_t209 & 0x00000001) == 0) {
                                        												L104:
                                        												__eflags =  *_t209 & 0x00000002;
                                        												if(( *_t209 & 0x00000002) == 0) {
                                        													L106:
                                        													_t321 = 1;
                                        													__eflags = 1;
                                        												} else {
                                        													__eflags =  *_t301 & 0x00000002;
                                        													if(( *_t301 & 0x00000002) != 0) {
                                        														goto L106;
                                        													}
                                        												}
                                        											} else {
                                        												__eflags =  *_t301 & 0x00000001;
                                        												if(( *_t301 & 0x00000001) != 0) {
                                        													goto L104;
                                        												}
                                        											}
                                        										} else {
                                        											__eflags =  *_t301 & 0x00000008;
                                        											if(( *_t301 & 0x00000008) != 0) {
                                        												goto L102;
                                        											}
                                        										}
                                        										_t208 = _t321;
                                        									} else {
                                        										_t185 = _t276 + 8; // 0x6e
                                        										_t210 = _t185;
                                        										while(1) {
                                        											_t277 =  *_t280;
                                        											__eflags = _t277 -  *_t210;
                                        											if(_t277 !=  *_t210) {
                                        												break;
                                        											}
                                        											__eflags = _t277;
                                        											if(_t277 == 0) {
                                        												L96:
                                        												_t211 = _t321;
                                        											} else {
                                        												_t278 =  *((intOrPtr*)(_t280 + 1));
                                        												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
                                        												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
                                        													break;
                                        												} else {
                                        													_t280 = _t280 + 2;
                                        													_t210 = _t210 + 2;
                                        													__eflags = _t278;
                                        													if(_t278 != 0) {
                                        														continue;
                                        													} else {
                                        														goto L96;
                                        													}
                                        												}
                                        											}
                                        											L98:
                                        											__eflags = _t211;
                                        											if(_t211 == 0) {
                                        												goto L100;
                                        											} else {
                                        												_t208 = 0;
                                        											}
                                        											goto L109;
                                        										}
                                        										asm("sbb eax, eax");
                                        										_t211 = _t210 | 0x00000001;
                                        										__eflags = _t211;
                                        										goto L98;
                                        									}
                                        								} else {
                                        									__eflags =  *_t308 & 0x00000010;
                                        									if(( *_t308 & 0x00000010) != 0) {
                                        										goto L108;
                                        									} else {
                                        										goto L90;
                                        									}
                                        								}
                                        							}
                                        						}
                                        						L109:
                                        						return _t208;
                                        					}
                                        				} else {
                                        					_t274 = _a4;
                                        					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
                                        						L22:
                                        						_t300 = _a12;
                                        						_v8 = _t300;
                                        						goto L24;
                                        					} else {
                                        						_t319 = 0;
                                        						if(_t274[0x1c] != 0) {
                                        							goto L22;
                                        						} else {
                                        							_t225 = E00F43FC6(_t274, _t279, _t300, _t305, 0);
                                        							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
                                        								L60:
                                        								return _t225;
                                        							} else {
                                        								_t274 =  *(E00F43FC6(_t274, _t279, _t300, _t305, 0) + 0x10);
                                        								_t263 = E00F43FC6(_t274, _t279, _t300, _t305, 0);
                                        								_v28 = 1;
                                        								_v8 =  *((intOrPtr*)(_t263 + 0x14));
                                        								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
                                        									goto L66;
                                        								} else {
                                        									if( *((intOrPtr*)(E00F43FC6(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
                                        										L23:
                                        										_t300 = _v8;
                                        										_t279 = _v12;
                                        										L24:
                                        										_v52 = _t305;
                                        										_v48 = 0;
                                        										__eflags =  *_t274 - 0xe06d7363;
                                        										if( *_t274 != 0xe06d7363) {
                                        											L56:
                                        											__eflags = _t305[3];
                                        											if(_t305[3] <= 0) {
                                        												goto L59;
                                        											} else {
                                        												__eflags = _a24;
                                        												if(_a24 != 0) {
                                        													goto L66;
                                        												} else {
                                        													_push(_a32);
                                        													_push(_a28);
                                        													_push(_t279);
                                        													_push(_t305);
                                        													_push(_a16);
                                        													_push(_t300);
                                        													_push(_a8);
                                        													_push(_t274);
                                        													L67();
                                        													_t335 = _t335 + 0x20;
                                        													goto L59;
                                        												}
                                        											}
                                        										} else {
                                        											__eflags = _t274[0x10] - 3;
                                        											if(_t274[0x10] != 3) {
                                        												goto L56;
                                        											} else {
                                        												__eflags = _t274[0x14] - 0x19930520;
                                        												if(_t274[0x14] == 0x19930520) {
                                        													L29:
                                        													_t319 = _a32;
                                        													__eflags = _t305[3];
                                        													if(_t305[3] > 0) {
                                        														_push(_a28);
                                        														E00F435E2(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
                                        														_t300 = _v64;
                                        														_t335 = _t335 + 0x18;
                                        														_t250 = _v68;
                                        														_v44 = _t250;
                                        														_v16 = _t300;
                                        														__eflags = _t300 - _v56;
                                        														if(_t300 < _v56) {
                                        															_t294 = _t300 * 0x14;
                                        															__eflags = _t294;
                                        															_v32 = _t294;
                                        															do {
                                        																_t295 = 5;
                                        																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
                                        																_t335 = _t335 + 0xc;
                                        																__eflags = _v104 - _t253;
                                        																if(_v104 <= _t253) {
                                        																	__eflags = _t253 - _v100;
                                        																	if(_t253 <= _v100) {
                                        																		_t298 = 0;
                                        																		_v20 = 0;
                                        																		__eflags = _v92;
                                        																		if(_v92 != 0) {
                                        																			_t255 =  *(_t274[0x1c] + 0xc);
                                        																			_t303 =  *_t255;
                                        																			_t256 =  &(_t255[1]);
                                        																			__eflags = _t256;
                                        																			_v36 = _t256;
                                        																			_t257 = _v88;
                                        																			_v40 = _t303;
                                        																			_v24 = _t257;
                                        																			do {
                                        																				asm("movsd");
                                        																				asm("movsd");
                                        																				asm("movsd");
                                        																				asm("movsd");
                                        																				_t318 = _v36;
                                        																				_t330 = _t303;
                                        																				__eflags = _t330;
                                        																				if(_t330 <= 0) {
                                        																					goto L40;
                                        																				} else {
                                        																					while(1) {
                                        																						_push(_t274[0x1c]);
                                        																						_t258 =  &_v84;
                                        																						_push( *_t318);
                                        																						_push(_t258);
                                        																						L86();
                                        																						_t335 = _t335 + 0xc;
                                        																						__eflags = _t258;
                                        																						if(_t258 != 0) {
                                        																							break;
                                        																						}
                                        																						_t330 = _t330 - 1;
                                        																						_t318 = _t318 + 4;
                                        																						__eflags = _t330;
                                        																						if(_t330 > 0) {
                                        																							continue;
                                        																						} else {
                                        																							_t298 = _v20;
                                        																							_t257 = _v24;
                                        																							_t303 = _v40;
                                        																							goto L40;
                                        																						}
                                        																						goto L43;
                                        																					}
                                        																					_push(_a24);
                                        																					_push(_v28);
                                        																					E00F4428B(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
                                        																					_t335 = _t335 + 0x30;
                                        																				}
                                        																				L43:
                                        																				_t300 = _v16;
                                        																				goto L44;
                                        																				L40:
                                        																				_t298 = _t298 + 1;
                                        																				_t257 = _t257 + 0x10;
                                        																				_v20 = _t298;
                                        																				_v24 = _t257;
                                        																				__eflags = _t298 - _v92;
                                        																			} while (_t298 != _v92);
                                        																			goto L43;
                                        																		}
                                        																	}
                                        																}
                                        																L44:
                                        																_t300 = _t300 + 1;
                                        																_t250 = _v44;
                                        																_t294 = _v32 + 0x14;
                                        																_v16 = _t300;
                                        																_v32 = _t294;
                                        																__eflags = _t300 - _v56;
                                        															} while (_t300 < _v56);
                                        															_t305 = _a20;
                                        															_t319 = _a32;
                                        														}
                                        													}
                                        													__eflags = _a24;
                                        													if(__eflags != 0) {
                                        														_push(1);
                                        														E00F43A1A(_t274, _t305, _t319, __eflags);
                                        														_t279 = _t274;
                                        													}
                                        													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
                                        													if(( *_t305 & 0x1fffffff) < 0x19930521) {
                                        														L59:
                                        														_t225 = E00F43FC6(_t274, _t279, _t300, _t305, _t319);
                                        														__eflags =  *(_t225 + 0x1c);
                                        														if( *(_t225 + 0x1c) != 0) {
                                        															goto L66;
                                        														} else {
                                        															goto L60;
                                        														}
                                        													} else {
                                        														__eflags = _t305[7];
                                        														if(_t305[7] != 0) {
                                        															L52:
                                        															_t229 = _t305[8] >> 2;
                                        															__eflags = _t229 & 0x00000001;
                                        															if((_t229 & 0x00000001) == 0) {
                                        																_push(_t305[7]);
                                        																_t230 = E00F44D1A(_t274, _t305, _t319, _t274);
                                        																_pop(_t279);
                                        																__eflags = _t230;
                                        																if(_t230 == 0) {
                                        																	goto L63;
                                        																} else {
                                        																	goto L59;
                                        																}
                                        															} else {
                                        																 *(E00F43FC6(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
                                        																_t238 = E00F43FC6(_t274, _t279, _t300, _t305, _t319);
                                        																_t290 = _v8;
                                        																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
                                        																goto L61;
                                        															}
                                        														} else {
                                        															_t245 = _t305[8] >> 2;
                                        															__eflags = _t245 & 0x00000001;
                                        															if((_t245 & 0x00000001) == 0) {
                                        																goto L59;
                                        															} else {
                                        																__eflags = _a28;
                                        																if(_a28 != 0) {
                                        																	goto L59;
                                        																} else {
                                        																	goto L52;
                                        																}
                                        															}
                                        														}
                                        													}
                                        												} else {
                                        													__eflags = _t274[0x14] - 0x19930521;
                                        													if(_t274[0x14] == 0x19930521) {
                                        														goto L29;
                                        													} else {
                                        														__eflags = _t274[0x14] - 0x19930522;
                                        														if(_t274[0x14] != 0x19930522) {
                                        															goto L56;
                                        														} else {
                                        															goto L29;
                                        														}
                                        													}
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										_v16 =  *((intOrPtr*)(E00F43FC6(_t274, _t279, _t300, _t305, _t319) + 0x1c));
                                        										_t268 = E00F43FC6(_t274, _t279, _t300, _t305, _t319);
                                        										_push(_v16);
                                        										 *(_t268 + 0x1c) = _t319;
                                        										_t269 = E00F44D1A(_t274, _t305, _t319, _t274);
                                        										_pop(_t290);
                                        										if(_t269 != 0) {
                                        											goto L23;
                                        										} else {
                                        											_t305 = _v16;
                                        											_t356 =  *_t305 - _t319;
                                        											if( *_t305 <= _t319) {
                                        												L61:
                                        												E00F46DE6(_t274, _t290, _t300, _t305, _t319, __eflags);
                                        											} else {
                                        												while(1) {
                                        													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
                                        													if(E00F449AE( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0xf5c8c0) != 0) {
                                        														goto L62;
                                        													}
                                        													_t319 = _t319 + 0x10;
                                        													_t273 = _v20 + 1;
                                        													_v20 = _t273;
                                        													_t356 = _t273 -  *_t305;
                                        													if(_t273 >=  *_t305) {
                                        														goto L61;
                                        													} else {
                                        														continue;
                                        													}
                                        													goto L62;
                                        												}
                                        											}
                                        											L62:
                                        											_push(1);
                                        											_push(_t274);
                                        											E00F43A1A(_t274, _t305, _t319, __eflags);
                                        											_t279 =  &_v64;
                                        											E00F44996( &_v64);
                                        											E00F43BD3( &_v64, 0xf5b0cc);
                                        											L63:
                                        											 *(E00F43FC6(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
                                        											_t232 = E00F43FC6(_t274, _t279, _t300, _t305, _t319);
                                        											_t279 = _v8;
                                        											 *(_t232 + 0x14) = _v8;
                                        											__eflags = _t319;
                                        											if(_t319 == 0) {
                                        												_t319 = _a8;
                                        											}
                                        											E00F437D5(_t279, _t319, _t274);
                                        											E00F44C1A(_a8, _a16, _t305);
                                        											_t235 = E00F44DD7(_t305);
                                        											_t335 = _t335 + 0x10;
                                        											_push(_t235);
                                        											E00F44B91(_t274, _t279, _t300, _t305, _t319, __eflags);
                                        											goto L66;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        			}
                                        0x00f44530
                                        0x00f44530
                                        0x00f44530
                                        0x00f44533
                                        0x00f44536
                                        0x00f44538
                                        0x00f44539
                                        0x00f4453e
                                        0x00f44541
                                        0x00f44543
                                        0x00000000
                                        0x00000000
                                        0x00f44545
                                        0x00f44546
                                        0x00f44549
                                        0x00f4454b
                                        0x00000000
                                        0x00f4454d
                                        0x00f4454d
                                        0x00f44550
                                        0x00f44553
                                        0x00000000
                                        0x00f44553
                                        0x00000000
                                        0x00f4454b
                                        0x00f44567
                                        0x00f4456d
                                        0x00f4458a
                                        0x00f4458f
                                        0x00f4458f
                                        0x00f44592
                                        0x00f44592
                                        0x00000000
                                        0x00f44556
                                        0x00f44556
                                        0x00f44557
                                        0x00f4455a
                                        0x00f4455d
                                        0x00f44560
                                        0x00f44560
                                        0x00000000
                                        0x00f44565
                                        0x00f44501
                                        0x00f444f3
                                        0x00f44595
                                        0x00f44598
                                        0x00f44599
                                        0x00f4459c
                                        0x00f4459f
                                        0x00f445a2
                                        0x00f445a5
                                        0x00f445a5
                                        0x00f445ae
                                        0x00f445b1
                                        0x00f445b1
                                        0x00f444c9
                                        0x00f445b4
                                        0x00f445b8
                                        0x00f445ba
                                        0x00f445bd
                                        0x00f445c3
                                        0x00f445c3
                                        0x00f445cb
                                        0x00f445d0
                                        0x00f4463e
                                        0x00f4463e
                                        0x00f44643
                                        0x00f44647
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f445d2
                                        0x00f445d2
                                        0x00f445d6
                                        0x00f445e8
                                        0x00f445eb
                                        0x00f445ee
                                        0x00f445f0
                                        0x00f44607
                                        0x00f4460b
                                        0x00f44611
                                        0x00f44612
                                        0x00f44614
                                        0x00000000
                                        0x00f44616
                                        0x00000000
                                        0x00f44616
                                        0x00f445f2
                                        0x00f445f7
                                        0x00f445fa
                                        0x00f445ff
                                        0x00f44602
                                        0x00000000
                                        0x00f44602
                                        0x00f445d8
                                        0x00f445db
                                        0x00f445de
                                        0x00f445e0
                                        0x00000000
                                        0x00f445e2
                                        0x00f445e2
                                        0x00f445e6
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f445e6
                                        0x00f445e0
                                        0x00f445d6
                                        0x00f44480
                                        0x00f44480
                                        0x00f44487
                                        0x00000000
                                        0x00f44489
                                        0x00f44489
                                        0x00f44490
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00f44490
                                        0x00f44487
                                        0x00f4447e
                                        0x00f44471
                                        0x00f443f1
                                        0x00f443f9
                                        0x00f443fc
                                        0x00f44401
                                        0x00f44405
                                        0x00f44408
                                        0x00f4440e
                                        0x00f44411
                                        0x00000000
                                        0x00f44413
                                        0x00f44413
                                        0x00f44416
                                        0x00f44418
                                        0x00f4464e
                                        0x00f4464e
                                        0x00000000
                                        0x00f4441e
                                        0x00f44426
                                        0x00f44431
                                        0x00000000
                                        0x00000000
                                        0x00f4443a
                                        0x00f4443d
                                        0x00f4443e
                                        0x00f44441
                                        0x00f44443
                                        0x00000000
                                        0x00f44449
                                        0x00000000
                                        0x00f44449
                                        0x00000000
                                        0x00f44443
                                        0x00f4441e
                                        0x00f44653
                                        0x00f44653
                                        0x00f44655
                                        0x00f44656
                                        0x00f4465d
                                        0x00f44660
                                        0x00f4466e
                                        0x00f44673
                                        0x00f44678
                                        0x00f4467b
                                        0x00f44680
                                        0x00f44683
                                        0x00f44686
                                        0x00f44688
                                        0x00f4468a
                                        0x00f4468a
                                        0x00f4468f
                                        0x00f4469b
                                        0x00f446a1
                                        0x00f446a6
                                        0x00f446a9
                                        0x00f446aa
                                        0x00000000
                                        0x00f446aa
                                        0x00f44411
                                        0x00f443ef
                                        0x00f443af
                                        0x00f44390
                                        0x00f44382
                                        0x00f4434e

                                        APIs
                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 00F44408
                                        • type_info::operator==.LIBVCRUNTIME ref: 00F4442A
                                        • ___TypeMatch.LIBVCRUNTIME ref: 00F44539
                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 00F4460B
                                        • _UnwindNestedFrames.LIBCMT ref: 00F4468F
                                        • CallUnexpected.LIBVCRUNTIME ref: 00F446AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2123188842-393685449
                                        • Opcode ID: 04dea43f90112a476a4646ec2ddf7263a4a7bea493187e6f8ebd83e769cf1742
                                        • Instruction ID: 1b7020d17e0403b34f193f9cd378972c20a7d7d8c40963458148f19056c11893
                                        • Opcode Fuzzy Hash: 04dea43f90112a476a4646ec2ddf7263a4a7bea493187e6f8ebd83e769cf1742
                                        • Instruction Fuzzy Hash: 63B14571C00209AFDF28DFA4C881AAEBFB5BF05320B15415AEC147B212D735EA51EFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 661 f474c1-f474d4 662 f474d6-f474df call f479d0 661->662 663 f474e0-f4758d call f479d0 * 9 call f472ed call f47358 661->663 662->663
                                        C-Code - Quality: 77%
                                        			E00F474C1(void* __ebx, void* __edi, void* __esi, char _a4) {
                                        				void* _v5;
                                        				char _v12;
                                        				char _v16;
                                        				char _v20;
                                        				void* __ebp;
                                        				char _t55;
                                        				char _t61;
                                        				void* _t67;
                                        				intOrPtr _t68;
                                        				void* _t72;
                                        				void* _t73;
                                        
                                        				_t73 = __esi;
                                        				_t72 = __edi;
                                        				_t67 = __ebx;
                                        				_t36 = _a4;
                                        				_t68 =  *_a4;
                                        				_t77 = _t68 - 0xf4fcc8;
                                        				if(_t68 != 0xf4fcc8) {
                                        					E00F479D0(_t68);
                                        					_t36 = _a4;
                                        				}
                                        				E00F479D0( *((intOrPtr*)(_t36 + 0x3c)));
                                        				E00F479D0( *((intOrPtr*)(_a4 + 0x30)));
                                        				E00F479D0( *((intOrPtr*)(_a4 + 0x34)));
                                        				E00F479D0( *((intOrPtr*)(_a4 + 0x38)));
                                        				E00F479D0( *((intOrPtr*)(_a4 + 0x28)));
                                        				E00F479D0( *((intOrPtr*)(_a4 + 0x2c)));
                                        				E00F479D0( *((intOrPtr*)(_a4 + 0x40)));
                                        				E00F479D0( *((intOrPtr*)(_a4 + 0x44)));
                                        				E00F479D0( *((intOrPtr*)(_a4 + 0x360)));
                                        				_v16 =  &_a4;
                                        				_t55 = 5;
                                        				_v12 = _t55;
                                        				_v20 = _t55;
                                        				_push( &_v12);
                                        				_push( &_v16);
                                        				_push( &_v20);
                                        				E00F472ED(_t67, _t72, _t73, _t77);
                                        				_v16 =  &_a4;
                                        				_t61 = 4;
                                        				_v20 = _t61;
                                        				_v12 = _t61;
                                        				_push( &_v20);
                                        				_push( &_v16);
                                        				_push( &_v12);
                                        				return E00F47358(_t67, _t72, _t73, _t77);
                                        			}

                                        APIs
                                        • _free.LIBCMT ref: 00F474D7
                                          • Part of subcall function 00F479D0: HeapFree.KERNEL32(00000000,00000000,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?), ref: 00F479E6
                                          • Part of subcall function 00F479D0: GetLastError.KERNEL32(?,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?,?), ref: 00F479F8
                                        • _free.LIBCMT ref: 00F474E3
                                        • _free.LIBCMT ref: 00F474EE
                                        • _free.LIBCMT ref: 00F474F9
                                        • _free.LIBCMT ref: 00F47504
                                        • _free.LIBCMT ref: 00F4750F
                                        • _free.LIBCMT ref: 00F4751A
                                        • _free.LIBCMT ref: 00F47525
                                        • _free.LIBCMT ref: 00F47530
                                        • _free.LIBCMT ref: 00F4753E
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: bf12dd71731398afadd09e2d06232237c5c5f6dd1e72f5f9d4635b7775ac27a2
                                        • Instruction ID: 32b0af34ff195a183e8adb0251dafb3367c2068aefd670796ae4f334c1454cc5
                                        • Opcode Fuzzy Hash: bf12dd71731398afadd09e2d06232237c5c5f6dd1e72f5f9d4635b7775ac27a2
                                        • Instruction Fuzzy Hash: DC21967690820CBFCB41EF98DC81DDE7FB9AF18350F0045A6FA159B122DB75EA449B80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 688 f43c80-f43cd1 call f4e570 call f43c40 call f44e3c 695 f43cd3-f43ce5 688->695 696 f43d2d-f43d30 688->696 697 f43d50-f43d59 695->697 699 f43ce7-f43cfe 695->699 696->697 698 f43d32-f43d3f call f44fc0 696->698 704 f43d44-f43d4d call f43c40 698->704 701 f43d14 699->701 702 f43d00-f43d0e call f44f60 699->702 703 f43d17-f43d1c 701->703 709 f43d24-f43d2b 702->709 710 f43d10 702->710 703->699 707 f43d1e-f43d20 703->707 704->697 707->697 711 f43d22 707->711 709->704 713 f43d12 710->713 714 f43d5a-f43d63 710->714 711->704 713->703 715 f43d65-f43d6c 714->715 716 f43d9d-f43dad call f44fa0 714->716 715->716 717 f43d6e-f43d7d call f4e3e0 715->717 722 f43dc1-f43ddd call f43c40 call f44f80 716->722 723 f43daf-f43dbe call f44fc0 716->723 725 f43d7f-f43d97 717->725 726 f43d9a 717->726 723->722 725->726 726->716
                                        C-Code - Quality: 68%
                                        			E00F43C80(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                        				char _v5;
                                        				signed int _v12;
                                        				char _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				char _v32;
                                        				char _t52;
                                        				signed int _t59;
                                        				intOrPtr _t60;
                                        				void* _t61;
                                        				intOrPtr* _t62;
                                        				intOrPtr _t64;
                                        				intOrPtr _t67;
                                        				intOrPtr _t72;
                                        				intOrPtr* _t76;
                                        				intOrPtr _t77;
                                        				signed int _t81;
                                        				char _t83;
                                        				intOrPtr _t86;
                                        				intOrPtr _t93;
                                        				intOrPtr _t96;
                                        				intOrPtr* _t98;
                                        				void* _t102;
                                        				void* _t104;
                                        				void* _t111;
                                        
                                        				_t89 = __edx;
                                        				_t76 = _a4;
                                        				_push(__edi);
                                        				_v5 = 0;
                                        				_v16 = 1;
                                        				 *_t76 = E00F4E570(__ecx,  *_t76);
                                        				_t77 = _a8;
                                        				_t6 = _t77 + 0x10; // 0x11
                                        				_t96 = _t6;
                                        				_push(_t96);
                                        				_v20 = _t96;
                                        				_v12 =  *(_t77 + 8) ^  *0xf5c004;
                                        				E00F43C40(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0xf5c004);
                                        				E00F44E3C(_a12);
                                        				_t52 = _a4;
                                        				_t104 = _t102 - 0x1c + 0x10;
                                        				_t93 =  *((intOrPtr*)(_t77 + 0xc));
                                        				if(( *(_t52 + 4) & 0x00000066) != 0) {
                                        					__eflags = _t93 - 0xfffffffe;
                                        					if(_t93 != 0xfffffffe) {
                                        						_t89 = 0xfffffffe;
                                        						E00F44FC0(_t77, 0xfffffffe, _t96, 0xf5c004);
                                        						goto L13;
                                        					}
                                        					goto L14;
                                        				} else {
                                        					_v32 = _t52;
                                        					_v28 = _a12;
                                        					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
                                        					if(_t93 == 0xfffffffe) {
                                        						L14:
                                        						return _v16;
                                        					} else {
                                        						do {
                                        							_t81 = _v12;
                                        							_t59 = _t93 + (_t93 + 2) * 2;
                                        							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
                                        							_t60 = _t81 + _t59 * 4;
                                        							_t82 =  *((intOrPtr*)(_t60 + 4));
                                        							_v24 = _t60;
                                        							if( *((intOrPtr*)(_t60 + 4)) == 0) {
                                        								_t83 = _v5;
                                        								goto L7;
                                        							} else {
                                        								_t89 = _t96;
                                        								_t61 = E00F44F60(_t82, _t96);
                                        								_t83 = 1;
                                        								_v5 = 1;
                                        								_t111 = _t61;
                                        								if(_t111 < 0) {
                                        									_v16 = 0;
                                        									L13:
                                        									_push(_t96);
                                        									E00F43C40(_t77, _t89, _t93, _t96, _v12);
                                        									goto L14;
                                        								} else {
                                        									if(_t111 > 0) {
                                        										_t62 = _a4;
                                        										__eflags =  *_t62 - 0xe06d7363;
                                        										if( *_t62 == 0xe06d7363) {
                                        											__eflags =  *0xf4f1ec;
                                        											if(__eflags != 0) {
                                        												_t72 = E00F4E3E0(__eflags, 0xf4f1ec);
                                        												_t104 = _t104 + 4;
                                        												__eflags = _t72;
                                        												if(_t72 != 0) {
                                        													_t98 =  *0xf4f1ec; // 0xf43a1a
                                        													 *0xf4f140(_a4, 1);
                                        													 *_t98();
                                        													_t96 = _v20;
                                        													_t104 = _t104 + 8;
                                        												}
                                        												_t62 = _a4;
                                        											}
                                        										}
                                        										_t90 = _t62;
                                        										E00F44FA0(_t62, _a8, _t62);
                                        										_t64 = _a8;
                                        										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
                                        										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
                                        											_t90 = _t93;
                                        											E00F44FC0(_t64, _t93, _t96, 0xf5c004);
                                        											_t64 = _a8;
                                        										}
                                        										_push(_t96);
                                        										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
                                        										E00F43C40(_t77, _t90, _t93, _t96, _v12);
                                        										_t86 =  *((intOrPtr*)(_v24 + 8));
                                        										E00F44F80();
                                        										asm("int3");
                                        										__eflags = E00F44FD7();
                                        										if(__eflags != 0) {
                                        											_t67 = E00F44066(_t86, __eflags);
                                        											__eflags = _t67;
                                        											if(_t67 != 0) {
                                        												return 1;
                                        											} else {
                                        												E00F45013();
                                        												goto L24;
                                        											}
                                        										} else {
                                        											L24:
                                        											__eflags = 0;
                                        											return 0;
                                        										}
                                        									} else {
                                        										goto L7;
                                        									}
                                        								}
                                        							}
                                        							goto L28;
                                        							L7:
                                        							_t93 = _t77;
                                        						} while (_t77 != 0xfffffffe);
                                        						if(_t83 != 0) {
                                        							goto L13;
                                        						}
                                        						goto L14;
                                        					}
                                        				}
                                        				L28:
                                        			}






























                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00F43CB7
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00F43CBF
                                        • _ValidateLocalCookies.LIBCMT ref: 00F43D48
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00F43D73
                                        • _ValidateLocalCookies.LIBCMT ref: 00F43DC8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: ac0f7e0a75f14dde51db42ca7c96030c1ab5386f3f1496db3061e162f528d06b
                                        • Instruction ID: 4953ed9e4672fa444204dc1c043ae62fa43777b8a82cd87e80406433bf7b2f4b
                                        • Opcode Fuzzy Hash: ac0f7e0a75f14dde51db42ca7c96030c1ab5386f3f1496db3061e162f528d06b
                                        • Instruction Fuzzy Hash: D441AC34E00218AFCF10DF68CC84A9EBFB5AF45328F148155ED19AB392D735EA55EB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F49A9A(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                        				signed int* _v8;
                                        				void** _t12;
                                        				void* _t16;
                                        				void* _t18;
                                        				signed int _t22;
                                        				WCHAR* _t23;
                                        				void** _t26;
                                        				signed int* _t29;
                                        				void* _t32;
                                        				void* _t34;
                                        
                                        				_t29 = _a4;
                                        				while(_t29 != _a8) {
                                        					_t22 =  *_t29;
                                        					_t12 = 0xf5d258 + _t22 * 4;
                                        					_t32 =  *_t12;
                                        					_v8 = _t12;
                                        					if(_t32 == 0) {
                                        						_t23 =  *(0xf50a78 + _t22 * 4);
                                        						_t32 = LoadLibraryExW(_t23, 0, 0x800);
                                        						if(_t32 != 0) {
                                        							L12:
                                        							_t26 = _v8;
                                        							 *_t26 = _t32;
                                        							if( *_t26 != 0) {
                                        								FreeLibrary(_t32);
                                        							}
                                        							L14:
                                        							if(_t32 != 0) {
                                        								_t16 = _t32;
                                        								L18:
                                        								return _t16;
                                        							}
                                        							L15:
                                        							_t29 =  &(_t29[1]);
                                        							continue;
                                        						}
                                        						_t18 = GetLastError();
                                        						if(_t18 != 0x57) {
                                        							L9:
                                        							_t32 = 0;
                                        							L10:
                                        							if(_t32 != 0) {
                                        								goto L12;
                                        							}
                                        							 *_v8 = _t18 | 0xffffffff;
                                        							goto L15;
                                        						}
                                        						_t18 = E00F46F48(_t23, L"api-ms-", 7);
                                        						_t34 = _t34 + 0xc;
                                        						if(_t18 == 0) {
                                        							goto L9;
                                        						}
                                        						_t18 = E00F46F48(_t23, L"ext-ms-", 7);
                                        						_t34 = _t34 + 0xc;
                                        						if(_t18 == 0) {
                                        							goto L9;
                                        						}
                                        						_t18 = LoadLibraryExW(_t23, _t32, _t32);
                                        						_t32 = _t18;
                                        						goto L10;
                                        					}
                                        					if(_t32 == 0xffffffff) {
                                        						goto L15;
                                        					}
                                        					goto L14;
                                        				}
                                        				_t16 = 0;
                                        				goto L18;
                                        			}














                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 0-537541572
                                        • Opcode ID: 1cdf67c65f2fe30c0afbcee01a0483a71e170b761ac1293d4fb41a6ca7bb2c99
                                        • Instruction ID: cdca226addadd3259ee46739f72c37805eeeeaace20d3db4ee1ed014c164aa0e
                                        • Opcode Fuzzy Hash: 1cdf67c65f2fe30c0afbcee01a0483a71e170b761ac1293d4fb41a6ca7bb2c99
                                        • Instruction Fuzzy Hash: 4421D532F09214ABCB318B68AC45B1B7F59DBD2770F250120ED06A7291D6B4EE04B5E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F494A7(intOrPtr _a4) {
                                        				void* _t18;
                                        
                                        				_t45 = _a4;
                                        				if(_a4 != 0) {
                                        					E00F4946F(_t45, 7);
                                        					E00F4946F(_t45 + 0x1c, 7);
                                        					E00F4946F(_t45 + 0x38, 0xc);
                                        					E00F4946F(_t45 + 0x68, 0xc);
                                        					E00F4946F(_t45 + 0x98, 2);
                                        					E00F479D0( *((intOrPtr*)(_t45 + 0xa0)));
                                        					E00F479D0( *((intOrPtr*)(_t45 + 0xa4)));
                                        					E00F479D0( *((intOrPtr*)(_t45 + 0xa8)));
                                        					E00F4946F(_t45 + 0xb4, 7);
                                        					E00F4946F(_t45 + 0xd0, 7);
                                        					E00F4946F(_t45 + 0xec, 0xc);
                                        					E00F4946F(_t45 + 0x11c, 0xc);
                                        					E00F4946F(_t45 + 0x14c, 2);
                                        					E00F479D0( *((intOrPtr*)(_t45 + 0x154)));
                                        					E00F479D0( *((intOrPtr*)(_t45 + 0x158)));
                                        					E00F479D0( *((intOrPtr*)(_t45 + 0x15c)));
                                        					return E00F479D0( *((intOrPtr*)(_t45 + 0x160)));
                                        				}
                                        				return _t18;
                                        			}





                                        APIs
                                          • Part of subcall function 00F4946F: _free.LIBCMT ref: 00F49494
                                        • _free.LIBCMT ref: 00F494F5
                                          • Part of subcall function 00F479D0: HeapFree.KERNEL32(00000000,00000000,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?), ref: 00F479E6
                                          • Part of subcall function 00F479D0: GetLastError.KERNEL32(?,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?,?), ref: 00F479F8
                                        • _free.LIBCMT ref: 00F49500
                                        • _free.LIBCMT ref: 00F4950B
                                        • _free.LIBCMT ref: 00F4955F
                                        • _free.LIBCMT ref: 00F4956A
                                        • _free.LIBCMT ref: 00F49575
                                        • _free.LIBCMT ref: 00F49580
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 04646944c7fafe64dacf3c00833f378f1ae823a9dda3dd6f71df57f78d4bdcf1
                                        • Instruction ID: 775a52d8a11f9d9df7ccadce5a9495c4e7165dbc20f046b213cc73c7008a1d7e
                                        • Opcode Fuzzy Hash: 04646944c7fafe64dacf3c00833f378f1ae823a9dda3dd6f71df57f78d4bdcf1
                                        • Instruction Fuzzy Hash: A1110DB168CB04BAD520F7B0DC07FCB7F9C9F04740F408C65BBA966162DBADB9056660
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E00F4B589(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                        				signed int _v8;
                                        				char _v16;
                                        				char _v23;
                                        				char _v24;
                                        				void _v32;
                                        				signed int _v33;
                                        				signed char _v40;
                                        				signed int _v44;
                                        				intOrPtr _v48;
                                        				char _v51;
                                        				void _v52;
                                        				long _v56;
                                        				char _v60;
                                        				intOrPtr _v68;
                                        				char _v72;
                                        				struct _OVERLAPPED* _v76;
                                        				signed char _v80;
                                        				signed int _v84;
                                        				signed int _v88;
                                        				char _v92;
                                        				intOrPtr _v96;
                                        				long _v100;
                                        				signed char* _v104;
                                        				signed char* _v108;
                                        				void* _v112;
                                        				intOrPtr _v116;
                                        				char _v120;
                                        				int _v124;
                                        				intOrPtr _v128;
                                        				struct _OVERLAPPED* _v132;
                                        				struct _OVERLAPPED* _v136;
                                        				struct _OVERLAPPED* _v140;
                                        				struct _OVERLAPPED* _v144;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t170;
                                        				signed int _t172;
                                        				int _t178;
                                        				intOrPtr _t183;
                                        				intOrPtr _t186;
                                        				void* _t188;
                                        				void* _t190;
                                        				long _t193;
                                        				void _t198;
                                        				signed char* _t202;
                                        				void* _t206;
                                        				struct _OVERLAPPED* _t211;
                                        				void* _t220;
                                        				long _t224;
                                        				intOrPtr _t225;
                                        				char _t227;
                                        				void* _t237;
                                        				signed int _t242;
                                        				intOrPtr _t245;
                                        				signed int _t248;
                                        				signed int _t249;
                                        				signed int _t251;
                                        				intOrPtr _t253;
                                        				void* _t259;
                                        				intOrPtr _t260;
                                        				signed int _t261;
                                        				signed char _t264;
                                        				intOrPtr _t267;
                                        				signed char* _t269;
                                        				signed int _t272;
                                        				signed int _t273;
                                        				signed int _t277;
                                        				signed int _t278;
                                        				intOrPtr _t279;
                                        				signed int _t280;
                                        				struct _OVERLAPPED* _t282;
                                        				struct _OVERLAPPED* _t284;
                                        				signed int _t285;
                                        				void* _t286;
                                        				void* _t287;
                                        
                                        				_t170 =  *0xf5c004; // 0x6a58fef8
                                        				_v8 = _t170 ^ _t285;
                                        				_t172 = _a8;
                                        				_t264 = _t172 >> 6;
                                        				_t242 = (_t172 & 0x0000003f) * 0x38;
                                        				_t269 = _a12;
                                        				_v108 = _t269;
                                        				_v80 = _t264;
                                        				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0xf5d050 + _t264 * 4)) + 0x18));
                                        				_v44 = _t242;
                                        				_v96 = _a16 + _t269;
                                        				_t178 = GetConsoleOutputCP();
                                        				_t241 = 0;
                                        				_v124 = _t178;
                                        				E00F45870( &_v72, _t264, 0);
                                        				_t273 = 0;
                                        				_v92 = 0;
                                        				_v88 = 0;
                                        				_v84 = 0;
                                        				_t245 =  *((intOrPtr*)(_v68 + 8));
                                        				_v128 = _t245;
                                        				_v104 = _t269;
                                        				if(_t269 >= _v96) {
                                        					L48:
                                        					__eflags = _v60 - _t241;
                                        				} else {
                                        					while(1) {
                                        						_t248 = _v44;
                                        						_v51 =  *_t269;
                                        						_v76 = _t241;
                                        						_v40 = 1;
                                        						_t186 =  *((intOrPtr*)(0xf5d050 + _v80 * 4));
                                        						_v48 = _t186;
                                        						if(_t245 != 0xfde9) {
                                        							goto L19;
                                        						}
                                        						_t211 = _t241;
                                        						_t267 = _v48 + 0x2e + _t248;
                                        						_v116 = _t267;
                                        						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
                                        							_t211 =  &(_t211->Internal);
                                        							if(_t211 < 5) {
                                        								continue;
                                        							}
                                        							break;
                                        						}
                                        						_t264 = _v96 - _t269;
                                        						_v40 = _t211;
                                        						if(_t211 <= 0) {
                                        							_t72 = ( *_t269 & 0x000000ff) + 0xf5c758; // 0x0
                                        							_t253 =  *_t72 + 1;
                                        							_v48 = _t253;
                                        							__eflags = _t253 - _t264;
                                        							if(_t253 > _t264) {
                                        								__eflags = _t264;
                                        								if(_t264 <= 0) {
                                        									goto L40;
                                        								} else {
                                        									_t278 = _v44;
                                        									do {
                                        										 *((char*)( *((intOrPtr*)(0xf5d050 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
                                        										_t241 =  &(_t241->Internal);
                                        										__eflags = _t241 - _t264;
                                        									} while (_t241 < _t264);
                                        									goto L39;
                                        								}
                                        							} else {
                                        								_v144 = _t241;
                                        								__eflags = _t253 - 4;
                                        								_v140 = _t241;
                                        								_v56 = _t269;
                                        								_v40 = (_t253 == 4) + 1;
                                        								_t220 = E00F4C2A1( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
                                        								_t287 = _t286 + 0x10;
                                        								__eflags = _t220 - 0xffffffff;
                                        								if(_t220 == 0xffffffff) {
                                        									goto L48;
                                        								} else {
                                        									_t279 = _v48;
                                        									goto L18;
                                        								}
                                        							}
                                        						} else {
                                        							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0xf5c758)) + 1;
                                        							_v56 = _t224;
                                        							_t225 = _t224 - _v40;
                                        							_v48 = _t225;
                                        							if(_t225 > _t264) {
                                        								__eflags = _t264;
                                        								if(_t264 > 0) {
                                        									_t280 = _t248;
                                        									do {
                                        										_t227 =  *((intOrPtr*)(_t241 + _t269));
                                        										_t259 =  *((intOrPtr*)(0xf5d050 + _v80 * 4)) + _t280 + _t241;
                                        										_t241 =  &(_t241->Internal);
                                        										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
                                        										_t280 = _v44;
                                        										__eflags = _t241 - _t264;
                                        									} while (_t241 < _t264);
                                        									L39:
                                        									_t273 = _v88;
                                        								}
                                        								L40:
                                        								_t277 = _t273 + _t264;
                                        								__eflags = _t277;
                                        								L41:
                                        								__eflags = _v60;
                                        								_v88 = _t277;
                                        							} else {
                                        								_t264 = _v40;
                                        								_t282 = _t241;
                                        								_t260 = _v116;
                                        								do {
                                        									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
                                        									_t282 =  &(_t282->Internal);
                                        								} while (_t282 < _t264);
                                        								_t283 = _v48;
                                        								_t261 = _v44;
                                        								if(_v48 > 0) {
                                        									E00F452B0( &_v16 + _t264, _t269, _t283);
                                        									_t261 = _v44;
                                        									_t286 = _t286 + 0xc;
                                        									_t264 = _v40;
                                        								}
                                        								_t272 = _v80;
                                        								_t284 = _t241;
                                        								do {
                                        									 *( *((intOrPtr*)(0xf5d050 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
                                        									_t284 =  &(_t284->Internal);
                                        								} while (_t284 < _t264);
                                        								_t269 = _v104;
                                        								_t279 = _v48;
                                        								_v120 =  &_v16;
                                        								_v136 = _t241;
                                        								_v132 = _t241;
                                        								_v40 = (_v56 == 4) + 1;
                                        								_t237 = E00F4C2A1( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
                                        								_t287 = _t286 + 0x10;
                                        								if(_t237 == 0xffffffff) {
                                        									goto L48;
                                        								} else {
                                        									L18:
                                        									_t269 = _t269 - 1 + _t279;
                                        									L27:
                                        									_t269 =  &(_t269[1]);
                                        									_v104 = _t269;
                                        									_t193 = E00F48CCA(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
                                        									_t286 = _t287 + 0x20;
                                        									_v56 = _t193;
                                        									if(_t193 == 0) {
                                        										goto L48;
                                        									} else {
                                        										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
                                        											L47:
                                        											_v92 = GetLastError();
                                        											goto L48;
                                        										} else {
                                        											_t273 = _v84 - _v108 + _t269;
                                        											_v88 = _t273;
                                        											if(_v100 < _v56) {
                                        												goto L48;
                                        											} else {
                                        												if(_v51 != 0xa) {
                                        													L34:
                                        													if(_t269 >= _v96) {
                                        														goto L48;
                                        													} else {
                                        														_t245 = _v128;
                                        														continue;
                                        													}
                                        												} else {
                                        													_t198 = 0xd;
                                        													_v52 = _t198;
                                        													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
                                        														goto L47;
                                        													} else {
                                        														if(_v100 < 1) {
                                        															goto L48;
                                        														} else {
                                        															_v84 = _v84 + 1;
                                        															_t273 = _t273 + 1;
                                        															_v88 = _t273;
                                        															goto L34;
                                        														}
                                        													}
                                        												}
                                        											}
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						goto L49;
                                        						L19:
                                        						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
                                        						__eflags = _t264 & 0x00000004;
                                        						if((_t264 & 0x00000004) == 0) {
                                        							_v33 =  *_t269;
                                        							_t188 = E00F4958B(_t264);
                                        							_t249 = _v33 & 0x000000ff;
                                        							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
                                        							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
                                        								_push(1);
                                        								_push(_t269);
                                        								goto L26;
                                        							} else {
                                        								_t100 =  &(_t269[1]); // 0x1
                                        								_t202 = _t100;
                                        								_v56 = _t202;
                                        								__eflags = _t202 - _v96;
                                        								if(_t202 >= _v96) {
                                        									_t264 = _v80;
                                        									_t251 = _v44;
                                        									_t241 = _v33;
                                        									 *((char*)(_t251 +  *((intOrPtr*)(0xf5d050 + _t264 * 4)) + 0x2e)) = _v33;
                                        									 *(_t251 +  *((intOrPtr*)(0xf5d050 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0xf5d050 + _t264 * 4)) + 0x2d) | 0x00000004;
                                        									_t277 = _t273 + 1;
                                        									goto L41;
                                        								} else {
                                        									_t206 = E00F4ABFA( &_v76, _t269, 2);
                                        									_t287 = _t286 + 0xc;
                                        									__eflags = _t206 - 0xffffffff;
                                        									if(_t206 == 0xffffffff) {
                                        										goto L48;
                                        									} else {
                                        										_t269 = _v56;
                                        										goto L27;
                                        									}
                                        								}
                                        							}
                                        						} else {
                                        							_t264 = _t264 & 0x000000fb;
                                        							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
                                        							_v23 =  *_t269;
                                        							_push(2);
                                        							 *(_t248 + _v48 + 0x2d) = _t264;
                                        							_push( &_v24);
                                        							L26:
                                        							_push( &_v76);
                                        							_t190 = E00F4ABFA();
                                        							_t287 = _t286 + 0xc;
                                        							__eflags = _t190 - 0xffffffff;
                                        							if(_t190 == 0xffffffff) {
                                        								goto L48;
                                        							} else {
                                        								goto L27;
                                        							}
                                        						}
                                        						goto L49;
                                        					}
                                        				}
                                        				L49:
                                        				if(__eflags != 0) {
                                        					_t183 = _v72;
                                        					_t165 = _t183 + 0x350;
                                        					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
                                        					__eflags =  *_t165;
                                        				}
                                        				__eflags = _v8 ^ _t285;
                                        				asm("movsd");
                                        				asm("movsd");
                                        				asm("movsd");
                                        				return E00F429FA(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
                                        			}
















































































                                        APIs
                                        • GetConsoleOutputCP.KERNEL32(?,?,?), ref: 00F4B5D1
                                        • __fassign.LIBCMT ref: 00F4B7B6
                                        • __fassign.LIBCMT ref: 00F4B7D3
                                        • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F4B81B
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F4B85B
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F4B903
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                        • String ID:
                                        • API String ID: 1735259414-0
                                        • Opcode ID: b760c805ca6e499785d5010659a2f9f6043e1000eb9ffeebd99e03c4c61fcc26
                                        • Instruction ID: d785fd691dc8f917fb6fc168cc207c095ae951dfbb8d3c85b9f58e2c21cca0b5
                                        • Opcode Fuzzy Hash: b760c805ca6e499785d5010659a2f9f6043e1000eb9ffeebd99e03c4c61fcc26
                                        • Instruction Fuzzy Hash: 9DC18A75D0125C9FCF14CFA8C880AEDBFB9AF48314F28416AE955BB342D7319A46DB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E00F43FD4(void* __ecx) {
                                        				void* _t4;
                                        				void* _t8;
                                        				void* _t11;
                                        				void* _t13;
                                        				void* _t14;
                                        				void* _t18;
                                        				void* _t23;
                                        				long _t24;
                                        				void* _t27;
                                        
                                        				_t13 = __ecx;
                                        				if( *0xf5c020 != 0xffffffff) {
                                        					_t24 = GetLastError();
                                        					_t11 = E00F4519B(_t13, __eflags,  *0xf5c020);
                                        					_t14 = _t23;
                                        					__eflags = _t11 - 0xffffffff;
                                        					if(_t11 == 0xffffffff) {
                                        						L5:
                                        						_t11 = 0;
                                        					} else {
                                        						__eflags = _t11;
                                        						if(__eflags == 0) {
                                        							_t4 = E00F451D6(_t14, __eflags,  *0xf5c020, 0xffffffff);
                                        							__eflags = _t4;
                                        							if(_t4 != 0) {
                                        								_push(0x28);
                                        								_t27 = E00F46EC0();
                                        								_t18 = 1;
                                        								__eflags = _t27;
                                        								if(__eflags == 0) {
                                        									L8:
                                        									_t11 = 0;
                                        									E00F451D6(_t18, __eflags,  *0xf5c020, 0);
                                        								} else {
                                        									_t8 = E00F451D6(_t18, __eflags,  *0xf5c020, _t27);
                                        									_pop(_t18);
                                        									__eflags = _t8;
                                        									if(__eflags != 0) {
                                        										_t11 = _t27;
                                        										_t27 = 0;
                                        										__eflags = 0;
                                        									} else {
                                        										goto L8;
                                        									}
                                        								}
                                        								E00F468D7(_t27);
                                        							} else {
                                        								goto L5;
                                        							}
                                        						}
                                        					}
                                        					SetLastError(_t24);
                                        					return _t11;
                                        				} else {
                                        					return 0;
                                        				}
                                        			}

                                        APIs
                                        • GetLastError.KERNEL32(?,?,00F43FCB,00F43BC6,00F43346), ref: 00F43FE2
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F43FF0
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F44009
                                        • SetLastError.KERNEL32(00000000,00F43FCB,00F43BC6,00F43346), ref: 00F4405B
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 933d9f124d4970986b032749f83b8b75257eb101ef17af771cff972891f8167d
                                        • Instruction ID: cd984159f3fb9f81b020d34eb5fee4af3677faed9baaac9128deafc0f783d3a8
                                        • Opcode Fuzzy Hash: 933d9f124d4970986b032749f83b8b75257eb101ef17af771cff972891f8167d
                                        • Instruction Fuzzy Hash: 2501F1339097159EA7242A78AC86B273FA4EB567793300239FF22910F2EE521814F590
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F4823C(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
                                        				intOrPtr _t14;
                                        				intOrPtr _t15;
                                        				intOrPtr _t17;
                                        				intOrPtr _t36;
                                        				intOrPtr* _t38;
                                        				intOrPtr _t39;
                                        
                                        				_t38 = _a4;
                                        				if(_t38 != 0) {
                                        					__eflags =  *_t38;
                                        					if( *_t38 != 0) {
                                        						_t14 = E00F48CCA(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
                                        						__eflags = _t14;
                                        						if(__eflags != 0) {
                                        							_t36 = _a8;
                                        							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
                                        							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
                                        								L10:
                                        								_t15 = E00F48CCA(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
                                        								__eflags = _t15;
                                        								if(__eflags != 0) {
                                        									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
                                        									_t17 = 0;
                                        									__eflags = 0;
                                        								} else {
                                        									E00F46FFF(GetLastError());
                                        									_t17 =  *((intOrPtr*)(E00F47035(__eflags)));
                                        								}
                                        								L13:
                                        								L14:
                                        								return _t17;
                                        							}
                                        							_t17 = E00F48303(_t36, _t14);
                                        							__eflags = _t17;
                                        							if(_t17 != 0) {
                                        								goto L13;
                                        							}
                                        							goto L10;
                                        						}
                                        						E00F46FFF(GetLastError());
                                        						_t17 =  *((intOrPtr*)(E00F47035(__eflags)));
                                        						goto L14;
                                        					}
                                        					_t39 = _a8;
                                        					__eflags =  *((intOrPtr*)(_t39 + 0xc));
                                        					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
                                        						L5:
                                        						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
                                        						_t17 = 0;
                                        						 *((intOrPtr*)(_t39 + 0x10)) = 0;
                                        						goto L14;
                                        					}
                                        					_t17 = E00F48303(_t39, 1);
                                        					__eflags = _t17;
                                        					if(_t17 != 0) {
                                        						goto L14;
                                        					}
                                        					goto L5;
                                        				}
                                        				E00F4832A(_a8);
                                        				return 0;
                                        			}

                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe, xrefs: 00F48241
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe
                                        • API String ID: 0-123155926
                                        • Opcode ID: 25fded91d1e3868bdc67eb6aec3e6dd3b80773ddefcc171185a04811f9e09e9a
                                        • Instruction ID: a79a47e23c05cd00f01a509b8a1115c79f8b7fc250ec8adadd54fd8d90d2516d
                                        • Opcode Fuzzy Hash: 25fded91d1e3868bdc67eb6aec3e6dd3b80773ddefcc171185a04811f9e09e9a
                                        • Instruction Fuzzy Hash: 5421CF71A04609AF9B20AF79CC8092F7FADAF023F47104625FE2496150EF75ED42B7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F45042(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                        				WCHAR* _v8;
                                        				signed int _t11;
                                        				WCHAR* _t12;
                                        				struct HINSTANCE__* _t16;
                                        				struct HINSTANCE__* _t18;
                                        				signed int* _t22;
                                        				signed int* _t26;
                                        				struct HINSTANCE__* _t29;
                                        				WCHAR* _t31;
                                        				void* _t32;
                                        
                                        				_t26 = _a4;
                                        				while(_t26 != _a8) {
                                        					_t11 =  *_t26;
                                        					_t22 = 0xf5cd44 + _t11 * 4;
                                        					_t29 =  *_t22;
                                        					if(_t29 == 0) {
                                        						_t12 =  *(0xf4fbb0 + _t11 * 4);
                                        						_v8 = _t12;
                                        						_t29 = LoadLibraryExW(_t12, 0, 0x800);
                                        						if(_t29 != 0) {
                                        							L13:
                                        							 *_t22 = _t29;
                                        							if( *_t22 != 0) {
                                        								FreeLibrary(_t29);
                                        							}
                                        							L15:
                                        							_t16 = _t29;
                                        							L12:
                                        							return _t16;
                                        						}
                                        						_t18 = GetLastError();
                                        						if(_t18 != 0x57) {
                                        							L8:
                                        							 *_t22 = _t18 | 0xffffffff;
                                        							L9:
                                        							_t26 =  &(_t26[1]);
                                        							continue;
                                        						}
                                        						_t31 = _v8;
                                        						_t18 = E00F46F48(_t31, L"api-ms-", 7);
                                        						_t32 = _t32 + 0xc;
                                        						if(_t18 == 0) {
                                        							goto L8;
                                        						}
                                        						_t18 = LoadLibraryExW(_t31, 0, 0);
                                        						_t29 = _t18;
                                        						if(_t29 != 0) {
                                        							goto L13;
                                        						}
                                        						goto L8;
                                        					}
                                        					if(_t29 != 0xffffffff) {
                                        						goto L15;
                                        					}
                                        					goto L9;
                                        				}
                                        				_t16 = 0;
                                        				goto L12;
                                        			}

                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00F45103,?,?,00F5CCEC,00000000,?,00F4522E,00000004,InitializeCriticalSectionEx,00F4FCA4,InitializeCriticalSectionEx,00000000), ref: 00F450D2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-
                                        • API String ID: 3664257935-2084034818
                                        • Opcode ID: 2447a72a36b7c53644816d5b858ad32ee9600bd1c26982870f6f747ef8f1cdbf
                                        • Instruction ID: 6363670ca6fb4604cb2e415d4418a62c017f0b61ed91766cd71071e814357b54
                                        • Opcode Fuzzy Hash: 2447a72a36b7c53644816d5b858ad32ee9600bd1c26982870f6f747ef8f1cdbf
                                        • Instruction Fuzzy Hash: 2611CD3AD41B266BCB32AB5C9C447593B549F52F70F140160ED15E72C1D760ED0466D2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 25%
                                        			E00F46668(void* __ecx, intOrPtr _a4) {
                                        				signed int _v8;
                                        				_Unknown_base(*)()* _t8;
                                        				_Unknown_base(*)()* _t14;
                                        
                                        				_v8 = _v8 & 0x00000000;
                                        				_t8 =  &_v8;
                                        				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
                                        				if(_t8 != 0) {
                                        					_t8 = GetProcAddress(_v8, "CorExitProcess");
                                        					_t14 = _t8;
                                        					if(_t14 != 0) {
                                        						 *0xf4f140(_a4);
                                        						_t8 =  *_t14();
                                        					}
                                        				}
                                        				if(_v8 != 0) {
                                        					return FreeLibrary(_v8);
                                        				}
                                        				return _t8;
                                        			}

                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00F4665D,00F47695,?,00F46625,?,?,00F47695), ref: 00F4667D
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F46690
                                        • FreeLibrary.KERNEL32(00000000,?,?,00F4665D,00F47695,?,00F46625,?,?,00F47695), ref: 00F466B3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: e335d99b6f0a7dc199a2e5f9a2a74ac826cd533b7c1e83519f7f4dff995eac97
                                        • Instruction ID: 8f0374eb9cfb00e1a7c1200c47a787d4a8f31c630e9145c32e1038f0554d98a5
                                        • Opcode Fuzzy Hash: e335d99b6f0a7dc199a2e5f9a2a74ac826cd533b7c1e83519f7f4dff995eac97
                                        • Instruction Fuzzy Hash: 01F08C35D00218FFDB119B94DC09B9EBEB8EF92766F110074EC09E61A1CB708E08FA91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F49406(intOrPtr* _a4) {
                                        				intOrPtr _t6;
                                        				intOrPtr* _t21;
                                        				void* _t23;
                                        				void* _t24;
                                        				void* _t25;
                                        				void* _t26;
                                        				void* _t27;
                                        
                                        				_t21 = _a4;
                                        				if(_t21 != 0) {
                                        					_t23 =  *_t21 -  *0xf5c648; // 0xf5c698
                                        					if(_t23 != 0) {
                                        						E00F479D0(_t7);
                                        					}
                                        					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xf5c64c; // 0xf5d330
                                        					if(_t24 != 0) {
                                        						E00F479D0(_t8);
                                        					}
                                        					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xf5c650; // 0xf5d330
                                        					if(_t25 != 0) {
                                        						E00F479D0(_t9);
                                        					}
                                        					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xf5c678; // 0xf5c69c
                                        					if(_t26 != 0) {
                                        						E00F479D0(_t10);
                                        					}
                                        					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                        					_t27 = _t6 -  *0xf5c67c; // 0xf5d334
                                        					if(_t27 != 0) {
                                        						return E00F479D0(_t6);
                                        					}
                                        				}
                                        				return _t6;
                                        			}











                                        APIs
                                        • _free.LIBCMT ref: 00F4941E
                                          • Part of subcall function 00F479D0: HeapFree.KERNEL32(00000000,00000000,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?), ref: 00F479E6
                                          • Part of subcall function 00F479D0: GetLastError.KERNEL32(?,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?,?), ref: 00F479F8
                                        • _free.LIBCMT ref: 00F49430
                                        • _free.LIBCMT ref: 00F49442
                                        • _free.LIBCMT ref: 00F49454
                                        • _free.LIBCMT ref: 00F49466
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 238dad3d6e918f71b630d2e6a10087cba1e164369e7a6ad83e9225f3aae8e686
                                        • Instruction ID: bab54a3342034d220d6ece6780903df3c1b9c0808f8e00a3a10e68d3a799ab68
                                        • Opcode Fuzzy Hash: 238dad3d6e918f71b630d2e6a10087cba1e164369e7a6ad83e9225f3aae8e686
                                        • Instruction Fuzzy Hash: E6F06272A0C3047B8620FB6CF8C2C177BD9AA14721B648C06F909D7A11C778FC80B6E4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E00F47BC0(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
                                        				intOrPtr _v0;
                                        				signed int _v6;
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				signed int _v40;
                                        				intOrPtr* _v72;
                                        				intOrPtr* _v104;
                                        				intOrPtr* _v108;
                                        				intOrPtr _v112;
                                        				signed int _v124;
                                        				struct _WIN32_FIND_DATAW _v608;
                                        				char _v609;
                                        				intOrPtr* _v616;
                                        				union _FINDEX_INFO_LEVELS _v620;
                                        				union _FINDEX_INFO_LEVELS _v624;
                                        				union _FINDEX_INFO_LEVELS _v628;
                                        				signed int _v632;
                                        				union _FINDEX_INFO_LEVELS _v636;
                                        				union _FINDEX_INFO_LEVELS _v640;
                                        				signed int _v644;
                                        				signed int _v648;
                                        				union _FINDEX_INFO_LEVELS _v652;
                                        				union _FINDEX_INFO_LEVELS _v656;
                                        				union _FINDEX_INFO_LEVELS _v660;
                                        				union _FINDEX_INFO_LEVELS _v664;
                                        				signed int _v668;
                                        				union _FINDEX_INFO_LEVELS _v672;
                                        				union _FINDEX_INFO_LEVELS _v676;
                                        				intOrPtr _v724;
                                        				void* __ebx;
                                        				void* __edi;
                                        				intOrPtr* _t131;
                                        				signed int _t132;
                                        				signed int _t134;
                                        				signed int _t139;
                                        				signed int _t140;
                                        				intOrPtr* _t150;
                                        				signed int _t152;
                                        				intOrPtr _t153;
                                        				signed int _t157;
                                        				signed int _t159;
                                        				signed int _t164;
                                        				signed int _t166;
                                        				char _t168;
                                        				signed char _t169;
                                        				signed int _t175;
                                        				union _FINDEX_INFO_LEVELS _t179;
                                        				signed int _t185;
                                        				union _FINDEX_INFO_LEVELS _t188;
                                        				intOrPtr* _t196;
                                        				signed int _t199;
                                        				intOrPtr _t204;
                                        				signed int _t206;
                                        				signed int _t209;
                                        				signed int _t211;
                                        				signed int _t212;
                                        				signed int _t213;
                                        				signed int _t215;
                                        				signed int _t217;
                                        				signed int _t218;
                                        				signed int* _t219;
                                        				signed int _t222;
                                        				void* _t225;
                                        				union _FINDEX_INFO_LEVELS _t226;
                                        				void* _t227;
                                        				intOrPtr _t229;
                                        				signed int _t232;
                                        				signed int _t233;
                                        				signed int _t234;
                                        				signed int _t236;
                                        				intOrPtr* _t239;
                                        				signed int _t241;
                                        				intOrPtr* _t244;
                                        				signed int _t249;
                                        				signed int _t255;
                                        				signed int _t257;
                                        				signed int _t263;
                                        				intOrPtr* _t264;
                                        				signed int _t272;
                                        				signed int _t274;
                                        				intOrPtr* _t275;
                                        				void* _t277;
                                        				signed int _t280;
                                        				signed int _t283;
                                        				signed int _t285;
                                        				intOrPtr _t287;
                                        				void* _t288;
                                        				signed int* _t292;
                                        				signed int _t293;
                                        				signed int _t295;
                                        				signed int _t296;
                                        				signed int _t297;
                                        				signed int _t299;
                                        				void* _t300;
                                        				void* _t301;
                                        				signed int _t302;
                                        				void* _t306;
                                        				signed int _t307;
                                        				void* _t308;
                                        				void* _t309;
                                        				void* _t310;
                                        				signed int _t311;
                                        				void* _t312;
                                        				void* _t313;
                                        
                                        				_t131 = _a8;
                                        				_t309 = _t308 - 0x28;
                                        				_push(__esi);
                                        				_t317 = _t131;
                                        				if(_t131 != 0) {
                                        					_t292 = _a4;
                                        					_t222 = 0;
                                        					 *_t131 = 0;
                                        					_t283 = 0;
                                        					_t132 =  *_t292;
                                        					_t232 = 0;
                                        					_v608.cAlternateFileName = 0;
                                        					_v40 = 0;
                                        					_v36 = 0;
                                        					__eflags = _t132;
                                        					if(_t132 == 0) {
                                        						L9:
                                        						_v8 = _t222;
                                        						_t134 = _t232 - _t283;
                                        						_t293 = _t283;
                                        						_v12 = _t293;
                                        						_t271 = (_t134 >> 2) + 1;
                                        						_t136 = _t134 + 3 >> 2;
                                        						__eflags = _t232 - _t293;
                                        						_v16 = (_t134 >> 2) + 1;
                                        						asm("sbb esi, esi");
                                        						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
                                        						__eflags = _t295;
                                        						if(_t295 != 0) {
                                        							_t213 = _t283;
                                        							_t280 = _t222;
                                        							do {
                                        								_t264 =  *_t213;
                                        								_t20 = _t264 + 1; // 0x1
                                        								_v20 = _t20;
                                        								do {
                                        									_t215 =  *_t264;
                                        									_t264 = _t264 + 1;
                                        									__eflags = _t215;
                                        								} while (_t215 != 0);
                                        								_t222 = _t222 + 1 + _t264 - _v20;
                                        								_t213 = _v12 + 4;
                                        								_t280 = _t280 + 1;
                                        								_v12 = _t213;
                                        								__eflags = _t280 - _t295;
                                        							} while (_t280 != _t295);
                                        							_t271 = _v16;
                                        							_v8 = _t222;
                                        							_t222 = 0;
                                        							__eflags = 0;
                                        						}
                                        						_t296 = E00F4617B(_t136, _t271, _v8, 1);
                                        						_t310 = _t309 + 0xc;
                                        						__eflags = _t296;
                                        						if(_t296 != 0) {
                                        							_v12 = _t283;
                                        							_t139 = _t296 + _v16 * 4;
                                        							_t233 = _t139;
                                        							_v28 = _t139;
                                        							_t140 = _t283;
                                        							_v16 = _t233;
                                        							__eflags = _t140 - _v40;
                                        							if(_t140 == _v40) {
                                        								L24:
                                        								_v12 = _t222;
                                        								 *_a8 = _t296;
                                        								_t297 = _t222;
                                        								goto L25;
                                        							} else {
                                        								_t274 = _t296 - _t283;
                                        								__eflags = _t274;
                                        								_v32 = _t274;
                                        								do {
                                        									_t150 =  *_t140;
                                        									_t275 = _t150;
                                        									_v24 = _t150;
                                        									_v20 = _t275 + 1;
                                        									do {
                                        										_t152 =  *_t275;
                                        										_t275 = _t275 + 1;
                                        										__eflags = _t152;
                                        									} while (_t152 != 0);
                                        									_t153 = _t275 - _v20 + 1;
                                        									_push(_t153);
                                        									_v20 = _t153;
                                        									_t157 = E00F4B201(_t233, _v28 - _t233 + _v8, _v24);
                                        									_t310 = _t310 + 0x10;
                                        									__eflags = _t157;
                                        									if(_t157 != 0) {
                                        										_push(_t222);
                                        										_push(_t222);
                                        										_push(_t222);
                                        										_push(_t222);
                                        										_push(_t222);
                                        										E00F45C00();
                                        										asm("int3");
                                        										_t306 = _t310;
                                        										_push(_t233);
                                        										_t239 = _v72;
                                        										_t65 = _t239 + 1; // 0x1
                                        										_t277 = _t65;
                                        										do {
                                        											_t159 =  *_t239;
                                        											_t239 = _t239 + 1;
                                        											__eflags = _t159;
                                        										} while (_t159 != 0);
                                        										_push(_t283);
                                        										_t285 = _a8;
                                        										_t241 = _t239 - _t277 + 1;
                                        										_v12 = _t241;
                                        										__eflags = _t241 -  !_t285;
                                        										if(_t241 <=  !_t285) {
                                        											_push(_t222);
                                        											_push(_t296);
                                        											_t68 = _t285 + 1; // 0x1
                                        											_t225 = _t68 + _t241;
                                        											_t300 = E00F47973(_t225, 1);
                                        											__eflags = _t285;
                                        											if(_t285 == 0) {
                                        												L40:
                                        												_push(_v12);
                                        												_t225 = _t225 - _t285;
                                        												_t164 = E00F4B201(_t300 + _t285, _t225, _v0);
                                        												_t311 = _t310 + 0x10;
                                        												__eflags = _t164;
                                        												if(_t164 != 0) {
                                        													goto L45;
                                        												} else {
                                        													_t229 = _a12;
                                        													_t206 = E00F481AA(_t229);
                                        													_v12 = _t206;
                                        													__eflags = _t206;
                                        													if(_t206 == 0) {
                                        														 *( *(_t229 + 4)) = _t300;
                                        														_t302 = 0;
                                        														_t77 = _t229 + 4;
                                        														 *_t77 =  *(_t229 + 4) + 4;
                                        														__eflags =  *_t77;
                                        													} else {
                                        														E00F479D0(_t300);
                                        														_t302 = _v12;
                                        													}
                                        													E00F479D0(0);
                                        													_t209 = _t302;
                                        													goto L37;
                                        												}
                                        											} else {
                                        												_push(_t285);
                                        												_t211 = E00F4B201(_t300, _t225, _a4);
                                        												_t311 = _t310 + 0x10;
                                        												__eflags = _t211;
                                        												if(_t211 != 0) {
                                        													L45:
                                        													_push(0);
                                        													_push(0);
                                        													_push(0);
                                        													_push(0);
                                        													_push(0);
                                        													E00F45C00();
                                        													asm("int3");
                                        													_push(_t306);
                                        													_t307 = _t311;
                                        													_t312 = _t311 - 0x298;
                                        													_t166 =  *0xf5c004; // 0x6a58fef8
                                        													_v124 = _t166 ^ _t307;
                                        													_t244 = _v108;
                                        													_t278 = _v104;
                                        													_push(_t225);
                                        													_push(0);
                                        													_t287 = _v112;
                                        													_v724 = _t278;
                                        													__eflags = _t244 - _t287;
                                        													if(_t244 != _t287) {
                                        														while(1) {
                                        															_t204 =  *_t244;
                                        															__eflags = _t204 - 0x2f;
                                        															if(_t204 == 0x2f) {
                                        																break;
                                        															}
                                        															__eflags = _t204 - 0x5c;
                                        															if(_t204 != 0x5c) {
                                        																__eflags = _t204 - 0x3a;
                                        																if(_t204 != 0x3a) {
                                        																	_t244 = E00F4B250(_t287, _t244);
                                        																	__eflags = _t244 - _t287;
                                        																	if(_t244 != _t287) {
                                        																		continue;
                                        																	}
                                        																}
                                        															}
                                        															break;
                                        														}
                                        														_t278 = _v616;
                                        													}
                                        													_t168 =  *_t244;
                                        													_v609 = _t168;
                                        													__eflags = _t168 - 0x3a;
                                        													if(_t168 != 0x3a) {
                                        														L56:
                                        														_t226 = 0;
                                        														__eflags = _t168 - 0x2f;
                                        														if(__eflags == 0) {
                                        															L59:
                                        															_t169 = 1;
                                        														} else {
                                        															__eflags = _t168 - 0x5c;
                                        															if(__eflags == 0) {
                                        																goto L59;
                                        															} else {
                                        																__eflags = _t168 - 0x3a;
                                        																_t169 = 0;
                                        																if(__eflags == 0) {
                                        																	goto L59;
                                        																}
                                        															}
                                        														}
                                        														_v676 = _t226;
                                        														_v672 = _t226;
                                        														_push(_t300);
                                        														asm("sbb eax, eax");
                                        														_v668 = _t226;
                                        														_v664 = _t226;
                                        														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
                                        														_v660 = _t226;
                                        														_v656 = _t226;
                                        														_t175 = E00F47BA3(_t244 - _t287 + 1, _t287,  &_v676, E00F480B7(_t278, __eflags));
                                        														_t313 = _t312 + 0xc;
                                        														asm("sbb eax, eax");
                                        														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
                                        														_t301 = _t179;
                                        														__eflags = _t301 - 0xffffffff;
                                        														if(_t301 != 0xffffffff) {
                                        															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
                                        															__eflags = _t249;
                                        															_v648 = _t249 >> 2;
                                        															do {
                                        																_v640 = _t226;
                                        																_v636 = _t226;
                                        																_v632 = _t226;
                                        																_v628 = _t226;
                                        																_v624 = _t226;
                                        																_v620 = _t226;
                                        																_t185 = E00F47AD4( &(_v608.cFileName),  &_v640,  &_v609, E00F480B7(_t278, __eflags));
                                        																_t313 = _t313 + 0x10;
                                        																asm("sbb eax, eax");
                                        																_t188 =  !( ~_t185) & _v632;
                                        																__eflags =  *_t188 - 0x2e;
                                        																if( *_t188 != 0x2e) {
                                        																	L67:
                                        																	_push(_v616);
                                        																	_push(_v644);
                                        																	_push(_t287);
                                        																	_push(_t188);
                                        																	L33();
                                        																	_t313 = _t313 + 0x10;
                                        																	_v652 = _t188;
                                        																	__eflags = _t188;
                                        																	if(_t188 != 0) {
                                        																		__eflags = _v620 - _t226;
                                        																		if(_v620 != _t226) {
                                        																			E00F479D0(_v632);
                                        																			_t188 = _v652;
                                        																		}
                                        																		_t226 = _t188;
                                        																	} else {
                                        																		goto L68;
                                        																	}
                                        																} else {
                                        																	_t255 =  *((intOrPtr*)(_t188 + 1));
                                        																	__eflags = _t255;
                                        																	if(_t255 == 0) {
                                        																		goto L68;
                                        																	} else {
                                        																		__eflags = _t255 - 0x2e;
                                        																		if(_t255 != 0x2e) {
                                        																			goto L67;
                                        																		} else {
                                        																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
                                        																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
                                        																				goto L68;
                                        																			} else {
                                        																				goto L67;
                                        																			}
                                        																		}
                                        																	}
                                        																}
                                        																L76:
                                        																FindClose(_t301);
                                        																goto L77;
                                        																L68:
                                        																__eflags = _v620 - _t226;
                                        																if(_v620 != _t226) {
                                        																	E00F479D0(_v632);
                                        																}
                                        																__eflags = FindNextFileW(_t301,  &_v608);
                                        															} while (__eflags != 0);
                                        															_t196 = _v616;
                                        															_t257 = _v648;
                                        															_t278 =  *_t196;
                                        															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
                                        															__eflags = _t257 - _t199;
                                        															if(_t257 != _t199) {
                                        																E00F4AC60(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E00F47A0A);
                                        															}
                                        															goto L76;
                                        														} else {
                                        															_push(_v616);
                                        															_push(_t226);
                                        															_push(_t226);
                                        															_push(_t287);
                                        															L33();
                                        															_t226 = _t179;
                                        														}
                                        														L77:
                                        														__eflags = _v656;
                                        														_pop(_t300);
                                        														if(_v656 != 0) {
                                        															E00F479D0(_v668);
                                        														}
                                        														_t190 = _t226;
                                        													} else {
                                        														_t190 = _t287 + 1;
                                        														__eflags = _t244 - _t287 + 1;
                                        														if(_t244 == _t287 + 1) {
                                        															_t168 = _v609;
                                        															goto L56;
                                        														} else {
                                        															_push(_t278);
                                        															_push(0);
                                        															_push(0);
                                        															_push(_t287);
                                        															L33();
                                        														}
                                        													}
                                        													_pop(_t288);
                                        													__eflags = _v16 ^ _t307;
                                        													_pop(_t227);
                                        													return E00F429FA(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
                                        												} else {
                                        													goto L40;
                                        												}
                                        											}
                                        										} else {
                                        											_t209 = 0xc;
                                        											L37:
                                        											return _t209;
                                        										}
                                        									} else {
                                        										goto L23;
                                        									}
                                        									goto L81;
                                        									L23:
                                        									_t212 = _v12;
                                        									_t263 = _v16;
                                        									 *((intOrPtr*)(_v32 + _t212)) = _t263;
                                        									_t140 = _t212 + 4;
                                        									_t233 = _t263 + _v20;
                                        									_v16 = _t233;
                                        									_v12 = _t140;
                                        									__eflags = _t140 - _v40;
                                        								} while (_t140 != _v40);
                                        								goto L24;
                                        							}
                                        						} else {
                                        							_t297 = _t296 | 0xffffffff;
                                        							_v12 = _t297;
                                        							L25:
                                        							E00F479D0(_t222);
                                        							_pop(_t234);
                                        							goto L26;
                                        						}
                                        					} else {
                                        						while(1) {
                                        							_v8 = 0x3f2a;
                                        							_v6 = _t222;
                                        							_t217 = E00F4B210(_t132,  &_v8);
                                        							_t234 =  *_t292;
                                        							__eflags = _t217;
                                        							if(_t217 != 0) {
                                        								_push( &(_v608.cAlternateFileName));
                                        								_push(_t217);
                                        								_push(_t234);
                                        								L46();
                                        								_t309 = _t309 + 0xc;
                                        								_v12 = _t217;
                                        								_t297 = _t217;
                                        							} else {
                                        								_t218 =  &(_v608.cAlternateFileName);
                                        								_push(_t218);
                                        								_push(_t222);
                                        								_push(_t222);
                                        								_push(_t234);
                                        								L33();
                                        								_t297 = _t218;
                                        								_t309 = _t309 + 0x10;
                                        								_v12 = _t297;
                                        							}
                                        							__eflags = _t297;
                                        							if(_t297 != 0) {
                                        								break;
                                        							}
                                        							_t292 =  &(_a4[1]);
                                        							_a4 = _t292;
                                        							_t132 =  *_t292;
                                        							__eflags = _t132;
                                        							if(_t132 != 0) {
                                        								continue;
                                        							} else {
                                        								_t283 = _v608.cAlternateFileName;
                                        								_t232 = _v40;
                                        								goto L9;
                                        							}
                                        							goto L81;
                                        						}
                                        						_t283 = _v608.cAlternateFileName;
                                        						L26:
                                        						_t272 = _t283;
                                        						_v32 = _t272;
                                        						__eflags = _v40 - _t272;
                                        						asm("sbb ecx, ecx");
                                        						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
                                        						__eflags = _t236;
                                        						_v28 = _t236;
                                        						if(_t236 != 0) {
                                        							_t299 = _t236;
                                        							do {
                                        								E00F479D0( *_t283);
                                        								_t222 = _t222 + 1;
                                        								_t283 = _t283 + 4;
                                        								__eflags = _t222 - _t299;
                                        							} while (_t222 != _t299);
                                        							_t283 = _v608.cAlternateFileName;
                                        							_t297 = _v12;
                                        						}
                                        						E00F479D0(_t283);
                                        						goto L31;
                                        					}
                                        				} else {
                                        					_t219 = E00F47035(_t317);
                                        					_t297 = 0x16;
                                        					 *_t219 = _t297;
                                        					E00F45BD3();
                                        					L31:
                                        					return _t297;
                                        				}
                                        				L81:
                                        			}

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID: *?
                                        • API String ID: 269201875-2564092906
                                        • Opcode ID: 8e6dde6846f08074af74a5003a0db7bd5cda2ca9cfa2a059068b8bbb279e2c73
                                        • Instruction ID: c2a0b6423e05f705cfba4a477bf5509ca7adfe5bbb66774e69362abfae6085d6
                                        • Opcode Fuzzy Hash: 8e6dde6846f08074af74a5003a0db7bd5cda2ca9cfa2a059068b8bbb279e2c73
                                        • Instruction Fuzzy Hash: 06614DB5D042199FCB14DFA8C8815EEFBF5EF48320B24816AEC05E7300D735AE419B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E00F440B4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int* _t52;
                                        				signed int _t53;
                                        				intOrPtr _t54;
                                        				signed int _t58;
                                        				signed int _t61;
                                        				intOrPtr _t71;
                                        				signed int _t75;
                                        				signed int _t79;
                                        				signed int _t81;
                                        				signed int _t84;
                                        				signed int _t85;
                                        				signed int _t97;
                                        				signed int* _t98;
                                        				signed char* _t101;
                                        				signed int _t107;
                                        				void* _t111;
                                        
                                        				_push(0x10);
                                        				_push(0xf5b090);
                                        				E00F433C0(__ebx, __edi, __esi);
                                        				_t75 = 0;
                                        				_t52 =  *(_t111 + 0x10);
                                        				_t81 = _t52[1];
                                        				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
                                        					L30:
                                        					_t53 = 0;
                                        					__eflags = 0;
                                        					goto L31;
                                        				} else {
                                        					_t97 = _t52[2];
                                        					if(_t97 != 0 ||  *_t52 < 0) {
                                        						_t84 =  *_t52;
                                        						_t107 =  *(_t111 + 0xc);
                                        						if(_t84 >= 0) {
                                        							_t107 = _t107 + 0xc + _t97;
                                        						}
                                        						 *(_t111 - 4) = _t75;
                                        						_t101 =  *(_t111 + 0x14);
                                        						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
                                        							L10:
                                        							_t54 =  *((intOrPtr*)(_t111 + 8));
                                        							__eflags = _t84 & 0x00000008;
                                        							if((_t84 & 0x00000008) == 0) {
                                        								__eflags =  *_t101 & 0x00000001;
                                        								if(( *_t101 & 0x00000001) == 0) {
                                        									_t84 =  *(_t54 + 0x18);
                                        									__eflags = _t101[0x18] - _t75;
                                        									if(_t101[0x18] != _t75) {
                                        										__eflags = _t84;
                                        										if(_t84 == 0) {
                                        											goto L32;
                                        										} else {
                                        											__eflags = _t107;
                                        											if(_t107 == 0) {
                                        												goto L32;
                                        											} else {
                                        												__eflags =  *_t101 & 0x00000004;
                                        												_t79 = 0;
                                        												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
                                        												__eflags = _t75;
                                        												 *(_t111 - 0x20) = _t75;
                                        												goto L29;
                                        											}
                                        										}
                                        									} else {
                                        										__eflags = _t84;
                                        										if(_t84 == 0) {
                                        											goto L32;
                                        										} else {
                                        											__eflags = _t107;
                                        											if(_t107 == 0) {
                                        												goto L32;
                                        											} else {
                                        												E00F452B0(_t107, E00F43B46(_t84,  &(_t101[8])), _t101[0x14]);
                                        												goto L29;
                                        											}
                                        										}
                                        									}
                                        								} else {
                                        									__eflags =  *(_t54 + 0x18);
                                        									if( *(_t54 + 0x18) == 0) {
                                        										goto L32;
                                        									} else {
                                        										__eflags = _t107;
                                        										if(_t107 == 0) {
                                        											goto L32;
                                        										} else {
                                        											E00F452B0(_t107,  *(_t54 + 0x18), _t101[0x14]);
                                        											__eflags = _t101[0x14] - 4;
                                        											if(_t101[0x14] == 4) {
                                        												__eflags =  *_t107;
                                        												if( *_t107 != 0) {
                                        													_push( &(_t101[8]));
                                        													_push( *_t107);
                                        													goto L21;
                                        												}
                                        											}
                                        											goto L29;
                                        										}
                                        									}
                                        								}
                                        							} else {
                                        								_t84 =  *(_t54 + 0x18);
                                        								goto L12;
                                        							}
                                        						} else {
                                        							_t71 =  *0xf5ccc0; // 0x0
                                        							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
                                        							if(_t71 == 0) {
                                        								goto L10;
                                        							} else {
                                        								 *0xf4f140();
                                        								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
                                        								L12:
                                        								if(_t84 == 0 || _t107 == 0) {
                                        									L32:
                                        									E00F46E22(_t75, _t84, _t97, _t101, _t107);
                                        									asm("int3");
                                        									_push(8);
                                        									_push(0xf5b0b0);
                                        									E00F433C0(_t75, _t101, _t107);
                                        									_t98 =  *(_t111 + 0x10);
                                        									_t85 =  *(_t111 + 0xc);
                                        									__eflags =  *_t98;
                                        									if(__eflags >= 0) {
                                        										_t103 = _t85 + 0xc + _t98[2];
                                        										__eflags = _t85 + 0xc + _t98[2];
                                        									} else {
                                        										_t103 = _t85;
                                        									}
                                        									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
                                        									_t108 =  *(_t111 + 0x14);
                                        									_push( *(_t111 + 0x14));
                                        									_push(_t98);
                                        									_push(_t85);
                                        									_t77 =  *((intOrPtr*)(_t111 + 8));
                                        									_push( *((intOrPtr*)(_t111 + 8)));
                                        									_t58 = E00F440B4(_t77, _t103, _t108, __eflags) - 1;
                                        									__eflags = _t58;
                                        									if(_t58 == 0) {
                                        										_t61 = E00F44DB4(_t103, _t108[0x18], E00F43B46( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
                                        									} else {
                                        										_t61 = _t58 - 1;
                                        										__eflags = _t61;
                                        										if(_t61 == 0) {
                                        											_t61 = E00F44DC4(_t103, _t108[0x18], E00F43B46( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
                                        										}
                                        									}
                                        									 *(_t111 - 4) = 0xfffffffe;
                                        									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
                                        									return _t61;
                                        								} else {
                                        									 *_t107 = _t84;
                                        									_push( &(_t101[8]));
                                        									_push(_t84);
                                        									L21:
                                        									 *_t107 = E00F43B46();
                                        									L29:
                                        									 *(_t111 - 4) = 0xfffffffe;
                                        									_t53 = _t75;
                                        									L31:
                                        									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
                                        									return _t53;
                                        								}
                                        							}
                                        						}
                                        					} else {
                                        						goto L30;
                                        					}
                                        				}
                                        			}

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        • Opcode ID: 3bc56b2f551a858f154d670b11e4a163694f0a3bae86188ed24ce679f6f5ca84
                                        • Instruction ID: 7f172acee01b7d7034686b2e9822628a25121d5e5ffc9180ae53d37e87f37e1f
                                        • Opcode Fuzzy Hash: 3bc56b2f551a858f154d670b11e4a163694f0a3bae86188ed24ce679f6f5ca84
                                        • Instruction Fuzzy Hash: 5251B376A002069FDB2ACF50DC41B6A7FA4FFA0711F244529ED0167291E735F990EB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F47AD4(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
                                        				intOrPtr _t16;
                                        				intOrPtr _t17;
                                        				intOrPtr _t19;
                                        				intOrPtr _t29;
                                        				char _t31;
                                        				intOrPtr _t38;
                                        				intOrPtr* _t40;
                                        				intOrPtr _t41;
                                        
                                        				_t40 = _a4;
                                        				if(_t40 != 0) {
                                        					_t31 = 0;
                                        					__eflags =  *_t40;
                                        					if( *_t40 != 0) {
                                        						_t16 = E00F48CCA(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
                                        						__eflags = _t16;
                                        						if(__eflags != 0) {
                                        							_t38 = _a8;
                                        							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
                                        							if(__eflags <= 0) {
                                        								L11:
                                        								_t17 = E00F48CCA(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
                                        								__eflags = _t17;
                                        								if(__eflags != 0) {
                                        									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
                                        									_t19 = 0;
                                        									__eflags = 0;
                                        								} else {
                                        									E00F46FFF(GetLastError());
                                        									_t19 =  *((intOrPtr*)(E00F47035(__eflags)));
                                        								}
                                        								L14:
                                        								return _t19;
                                        							}
                                        							_t19 = E00F48110(_t38, __eflags, _t16);
                                        							__eflags = _t19;
                                        							if(_t19 != 0) {
                                        								goto L14;
                                        							}
                                        							goto L11;
                                        						}
                                        						E00F46FFF(GetLastError());
                                        						return  *((intOrPtr*)(E00F47035(__eflags)));
                                        					}
                                        					_t41 = _a8;
                                        					__eflags =  *((intOrPtr*)(_t41 + 0xc));
                                        					if(__eflags != 0) {
                                        						L6:
                                        						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
                                        						L2:
                                        						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
                                        						return 0;
                                        					}
                                        					_t29 = E00F48110(_t41, __eflags, 1);
                                        					__eflags = _t29;
                                        					if(_t29 != 0) {
                                        						return _t29;
                                        					}
                                        					goto L6;
                                        				}
                                        				_t41 = _a8;
                                        				E00F480F6(_t41);
                                        				_t31 = 0;
                                        				 *((intOrPtr*)(_t41 + 8)) = 0;
                                        				 *((intOrPtr*)(_t41 + 0xc)) = 0;
                                        				goto L2;
                                        			}

                                        APIs
                                          • Part of subcall function 00F480F6: _free.LIBCMT ref: 00F48104
                                          • Part of subcall function 00F48CCA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000000,00F4BF11,0000FDE9,00000000,?,?,?,00F4BC8A,0000FDE9,00000000,?), ref: 00F48D76
                                        • GetLastError.KERNEL32 ref: 00F47B3C
                                        • __dosmaperr.LIBCMT ref: 00F47B43
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00F47B82
                                        • __dosmaperr.LIBCMT ref: 00F47B89
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                        • String ID:
                                        • API String ID: 167067550-0
                                        • Opcode ID: d3bd35fdf23f6bb6487444653d4fbab6fd2bb20066f387a83bede5982776f46a
                                        • Instruction ID: efa5e3d47fa71d61655c8922c5efdbae0f314f4b0765aa5f6b0115e2d24adeea
                                        • Opcode Fuzzy Hash: d3bd35fdf23f6bb6487444653d4fbab6fd2bb20066f387a83bede5982776f46a
                                        • Instruction Fuzzy Hash: 5321C4B1A08309AF9B20BF799C8192B7FADEF843B47104525FD2993250EB35DC01A7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E00F475D9(void* __ecx, void* __edx) {
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr _t2;
                                        				long _t3;
                                        				intOrPtr _t5;
                                        				long _t6;
                                        				intOrPtr _t9;
                                        				long _t10;
                                        				signed int _t39;
                                        				signed int _t40;
                                        				void* _t43;
                                        				void* _t49;
                                        				signed int _t51;
                                        				signed int _t53;
                                        				signed int _t54;
                                        				long _t56;
                                        				long _t60;
                                        				long _t61;
                                        				void* _t65;
                                        
                                        				_t49 = __edx;
                                        				_t43 = __ecx;
                                        				_t60 = GetLastError();
                                        				_t2 =  *0xf5c058; // 0x6
                                        				_t67 = _t2 - 0xffffffff;
                                        				if(_t2 == 0xffffffff) {
                                        					L6:
                                        					_t3 = E00F49D00(__eflags, _t2, 0xffffffff);
                                        					__eflags = _t3;
                                        					if(_t3 == 0) {
                                        						goto L3;
                                        					} else {
                                        						_t51 = E00F47973(1, 0x364);
                                        						_pop(_t43);
                                        						__eflags = _t51;
                                        						if(__eflags != 0) {
                                        							__eflags = E00F49D00(__eflags,  *0xf5c058, _t51);
                                        							if(__eflags != 0) {
                                        								E00F47407(_t51, 0xf5cec4);
                                        								E00F479D0(0);
                                        								_t65 = _t65 + 0xc;
                                        								goto L13;
                                        							} else {
                                        								_t39 = 0;
                                        								E00F49D00(__eflags,  *0xf5c058, 0);
                                        								_push(_t51);
                                        								goto L9;
                                        							}
                                        						} else {
                                        							_t39 = 0;
                                        							__eflags = 0;
                                        							E00F49D00(0,  *0xf5c058, 0);
                                        							_push(0);
                                        							L9:
                                        							E00F479D0();
                                        							_pop(_t43);
                                        							goto L4;
                                        						}
                                        					}
                                        				} else {
                                        					_t51 = E00F49CC1(_t67, _t2);
                                        					if(_t51 == 0) {
                                        						_t2 =  *0xf5c058; // 0x6
                                        						goto L6;
                                        					} else {
                                        						if(_t51 != 0xffffffff) {
                                        							L13:
                                        							_t39 = _t51;
                                        						} else {
                                        							L3:
                                        							_t39 = 0;
                                        							L4:
                                        							_t51 = _t39;
                                        						}
                                        					}
                                        				}
                                        				SetLastError(_t60);
                                        				asm("sbb edi, edi");
                                        				_t53 =  ~_t51 & _t39;
                                        				if(_t53 == 0) {
                                        					E00F46E22(_t39, _t43, _t49, _t53, _t60);
                                        					asm("int3");
                                        					_t5 =  *0xf5c058; // 0x6
                                        					_push(_t60);
                                        					__eflags = _t5 - 0xffffffff;
                                        					if(__eflags == 0) {
                                        						L22:
                                        						_t6 = E00F49D00(__eflags, _t5, 0xffffffff);
                                        						__eflags = _t6;
                                        						if(_t6 == 0) {
                                        							goto L31;
                                        						} else {
                                        							_t60 = E00F47973(1, 0x364);
                                        							_pop(_t43);
                                        							__eflags = _t60;
                                        							if(__eflags != 0) {
                                        								__eflags = E00F49D00(__eflags,  *0xf5c058, _t60);
                                        								if(__eflags != 0) {
                                        									E00F47407(_t60, 0xf5cec4);
                                        									E00F479D0(0);
                                        									_t65 = _t65 + 0xc;
                                        									goto L29;
                                        								} else {
                                        									E00F49D00(__eflags,  *0xf5c058, _t21);
                                        									_push(_t60);
                                        									goto L25;
                                        								}
                                        							} else {
                                        								E00F49D00(__eflags,  *0xf5c058, _t20);
                                        								_push(_t60);
                                        								L25:
                                        								E00F479D0();
                                        								_pop(_t43);
                                        								goto L31;
                                        							}
                                        						}
                                        					} else {
                                        						_t60 = E00F49CC1(__eflags, _t5);
                                        						__eflags = _t60;
                                        						if(__eflags == 0) {
                                        							_t5 =  *0xf5c058; // 0x6
                                        							goto L22;
                                        						} else {
                                        							__eflags = _t60 - 0xffffffff;
                                        							if(_t60 == 0xffffffff) {
                                        								L31:
                                        								E00F46E22(_t39, _t43, _t49, _t53, _t60);
                                        								asm("int3");
                                        								_push(_t39);
                                        								_push(_t60);
                                        								_push(_t53);
                                        								_t61 = GetLastError();
                                        								_t9 =  *0xf5c058; // 0x6
                                        								__eflags = _t9 - 0xffffffff;
                                        								if(__eflags == 0) {
                                        									L38:
                                        									_t10 = E00F49D00(__eflags, _t9, 0xffffffff);
                                        									__eflags = _t10;
                                        									if(_t10 == 0) {
                                        										goto L35;
                                        									} else {
                                        										_t54 = E00F47973(1, 0x364);
                                        										__eflags = _t54;
                                        										if(__eflags != 0) {
                                        											__eflags = E00F49D00(__eflags,  *0xf5c058, _t54);
                                        											if(__eflags != 0) {
                                        												E00F47407(_t54, 0xf5cec4);
                                        												E00F479D0(0);
                                        												goto L45;
                                        											} else {
                                        												_t40 = 0;
                                        												E00F49D00(__eflags,  *0xf5c058, 0);
                                        												_push(_t54);
                                        												goto L41;
                                        											}
                                        										} else {
                                        											_t40 = 0;
                                        											__eflags = 0;
                                        											E00F49D00(0,  *0xf5c058, 0);
                                        											_push(0);
                                        											L41:
                                        											E00F479D0();
                                        											goto L36;
                                        										}
                                        									}
                                        								} else {
                                        									_t54 = E00F49CC1(__eflags, _t9);
                                        									__eflags = _t54;
                                        									if(__eflags == 0) {
                                        										_t9 =  *0xf5c058; // 0x6
                                        										goto L38;
                                        									} else {
                                        										__eflags = _t54 - 0xffffffff;
                                        										if(_t54 != 0xffffffff) {
                                        											L45:
                                        											_t40 = _t54;
                                        										} else {
                                        											L35:
                                        											_t40 = 0;
                                        											__eflags = 0;
                                        											L36:
                                        											_t54 = _t40;
                                        										}
                                        									}
                                        								}
                                        								SetLastError(_t61);
                                        								asm("sbb edi, edi");
                                        								_t56 =  ~_t54 & _t40;
                                        								__eflags = _t56;
                                        								return _t56;
                                        							} else {
                                        								L29:
                                        								__eflags = _t60;
                                        								if(_t60 == 0) {
                                        									goto L31;
                                        								} else {
                                        									return _t60;
                                        								}
                                        							}
                                        						}
                                        					}
                                        				} else {
                                        					return _t53;
                                        				}
                                        			}
























                                        APIs
                                        • GetLastError.KERNEL32(?,00000000,?,00F458B0,00000000,?,00F42029,?,00F45916,?,?,?,?,00F45A0F,00F42029,00000000), ref: 00F475DE
                                        • _free.LIBCMT ref: 00F4763B
                                        • _free.LIBCMT ref: 00F47671
                                        • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00F45916,?,?,?,?,00F45A0F,00F42029,00000000,?,00F42029,00000000), ref: 00F4767C
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ErrorLast_free
                                        • String ID:
                                        • API String ID: 2283115069-0
                                        • Opcode ID: a18e88a2858849d9e830d487e5994f0adf999d01dc6267c1b8f2c8f5bcc94988
                                        • Instruction ID: 956421aebe283d07506c2f7a54d1636d4d321319d6c3a7f875fe8a59a5bbcda8
                                        • Opcode Fuzzy Hash: a18e88a2858849d9e830d487e5994f0adf999d01dc6267c1b8f2c8f5bcc94988
                                        • Instruction Fuzzy Hash: 1611C632A0CB457FD611767DAC81E2B3F5B8BC13B9B260624FE19C21E2DB658C05B1A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 85%
                                        			E00F47730(void* __ecx) {
                                        				intOrPtr _t2;
                                        				signed int _t3;
                                        				signed int _t13;
                                        				signed int _t18;
                                        				long _t21;
                                        
                                        				_t21 = GetLastError();
                                        				_t2 =  *0xf5c058; // 0x6
                                        				_t24 = _t2 - 0xffffffff;
                                        				if(_t2 == 0xffffffff) {
                                        					L6:
                                        					_t3 = E00F49D00(__eflags, _t2, 0xffffffff);
                                        					__eflags = _t3;
                                        					if(_t3 == 0) {
                                        						goto L3;
                                        					} else {
                                        						_t18 = E00F47973(1, 0x364);
                                        						__eflags = _t18;
                                        						if(__eflags != 0) {
                                        							__eflags = E00F49D00(__eflags,  *0xf5c058, _t18);
                                        							if(__eflags != 0) {
                                        								E00F47407(_t18, 0xf5cec4);
                                        								E00F479D0(0);
                                        								goto L13;
                                        							} else {
                                        								_t13 = 0;
                                        								E00F49D00(__eflags,  *0xf5c058, 0);
                                        								_push(_t18);
                                        								goto L9;
                                        							}
                                        						} else {
                                        							_t13 = 0;
                                        							__eflags = 0;
                                        							E00F49D00(0,  *0xf5c058, 0);
                                        							_push(0);
                                        							L9:
                                        							E00F479D0();
                                        							goto L4;
                                        						}
                                        					}
                                        				} else {
                                        					_t18 = E00F49CC1(_t24, _t2);
                                        					if(_t18 == 0) {
                                        						_t2 =  *0xf5c058; // 0x6
                                        						goto L6;
                                        					} else {
                                        						if(_t18 != 0xffffffff) {
                                        							L13:
                                        							_t13 = _t18;
                                        						} else {
                                        							L3:
                                        							_t13 = 0;
                                        							L4:
                                        							_t18 = _t13;
                                        						}
                                        					}
                                        				}
                                        				SetLastError(_t21);
                                        				asm("sbb edi, edi");
                                        				return  ~_t18 & _t13;
                                        			}









                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,00F4703A,00F47968,?,?,00F439C2,?,?,?,?,?,00F41023,?,?), ref: 00F47735
                                        • _free.LIBCMT ref: 00F47792
                                        • _free.LIBCMT ref: 00F477C8
                                        • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F439C2,?,?,?,?,?,00F41023,?,?), ref: 00F477D3
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ErrorLast_free
                                        • String ID:
                                        • API String ID: 2283115069-0
                                        • Opcode ID: 16a7339aea55972fbc5213ed2fbe902860db0743430f83ef22cc2a544a69b798
                                        • Instruction ID: e79d99070266f07a34462e105ee23e5c0611c868e1b1b6c5535d37706758c2e8
                                        • Opcode Fuzzy Hash: 16a7339aea55972fbc5213ed2fbe902860db0743430f83ef22cc2a544a69b798
                                        • Instruction Fuzzy Hash: 6A11C232A0C3047FE6113778AC85E2B3E599BC137AB600224FF19C21E1DB658C09F2A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F4CA16(void* _a4, long _a8, DWORD* _a12) {
                                        				void* _t13;
                                        
                                        				_t13 = WriteConsoleW( *0xf5c860, _a4, _a8, _a12, 0);
                                        				if(_t13 == 0 && GetLastError() == 6) {
                                        					E00F4C9FF();
                                        					E00F4C9C1();
                                        					_t13 = WriteConsoleW( *0xf5c860, _a4, _a8, _a12, _t13);
                                        				}
                                        				return _t13;
                                        			}




                                        APIs
                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00F4C470,?,00000001,?,?,?,00F4B960,?,?,?), ref: 00F4CA2D
                                        • GetLastError.KERNEL32(?,00F4C470,?,00000001,?,?,?,00F4B960,?,?,?,?,?,?,00F4BEAC,00000000), ref: 00F4CA39
                                          • Part of subcall function 00F4C9FF: CloseHandle.KERNEL32(FFFFFFFE,00F4CA49,?,00F4C470,?,00000001,?,?,?,00F4B960,?,?,?,?,?), ref: 00F4CA0F
                                        • ___initconout.LIBCMT ref: 00F4CA49
                                          • Part of subcall function 00F4C9C1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F4C9F0,00F4C45D,?,?,00F4B960,?,?,?,?), ref: 00F4C9D4
                                        • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00F4C470,?,00000001,?,?,?,00F4B960,?,?,?,?), ref: 00F4CA5E
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                        • String ID:
                                        • API String ID: 2744216297-0
                                        • Opcode ID: 58acd7ff4a6b862f47a27d531cc396aec9b6d35ca86fbc110f3c114c81f9dcb5
                                        • Instruction ID: acc90508a3a6d8b170ca33c34798aaf236869d4b1999e4de5abe855409f42ddd
                                        • Opcode Fuzzy Hash: 58acd7ff4a6b862f47a27d531cc396aec9b6d35ca86fbc110f3c114c81f9dcb5
                                        • Instruction Fuzzy Hash: 93F01C3A90121CBBCF622F95EC0498A3FA6EB59BB2B054020FF5995131C6368960FBD4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00F46CC7() {
                                        
                                        				E00F479D0( *0xf5d354);
                                        				 *0xf5d354 = 0;
                                        				E00F479D0( *0xf5d358);
                                        				 *0xf5d358 = 0;
                                        				E00F479D0( *0xf5d038);
                                        				 *0xf5d038 = 0;
                                        				E00F479D0( *0xf5d03c);
                                        				 *0xf5d03c = 0;
                                        				return 1;
                                        			}



                                        APIs
                                        • _free.LIBCMT ref: 00F46CD0
                                          • Part of subcall function 00F479D0: HeapFree.KERNEL32(00000000,00000000,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?), ref: 00F479E6
                                          • Part of subcall function 00F479D0: GetLastError.KERNEL32(?,?,00F49499,?,00000000,?,?,?,00F494C0,?,00000007,?,?,00F498C6,?,?), ref: 00F479F8
                                        • _free.LIBCMT ref: 00F46CE3
                                        • _free.LIBCMT ref: 00F46CF4
                                        • _free.LIBCMT ref: 00F46D05
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 540858d5c34990e60788c84e81cc1e9b166471dc742e4d168e527480a382aac9
                                        • Instruction ID: c5bea3a7b32d1b8d89c153068bb63b7cc793314eef759a11001e2835125d70c9
                                        • Opcode Fuzzy Hash: 540858d5c34990e60788c84e81cc1e9b166471dc742e4d168e527480a382aac9
                                        • Instruction Fuzzy Hash: 29E0EC7580B36CAA86327F18BC414593F31E744B62B15044BFA0452276C7391557FFDB
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 90%
                                        			E00F45ED1(void* __edx, intOrPtr _a4) {
                                        				signed int _v8;
                                        				void* _v12;
                                        				char _v16;
                                        				char* _v20;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				char* _t26;
                                        				intOrPtr* _t36;
                                        				signed int _t37;
                                        				signed int _t40;
                                        				char _t42;
                                        				signed int _t43;
                                        				intOrPtr* _t44;
                                        				intOrPtr* _t45;
                                        				intOrPtr _t48;
                                        				signed int _t49;
                                        				signed int _t54;
                                        				void* _t57;
                                        				intOrPtr* _t58;
                                        				void* _t59;
                                        				signed int _t64;
                                        				signed int _t66;
                                        
                                        				_t57 = __edx;
                                        				_t48 = _a4;
                                        				if(_t48 != 0) {
                                        					__eflags = _t48 - 2;
                                        					if(_t48 == 2) {
                                        						L5:
                                        						_push(_t59);
                                        						E00F488F7(_t48, _t59);
                                        						E00F4833E(_t48, _t57, 0, 0xf5cd78, 0, 0xf5cd78, 0x104);
                                        						_t26 =  *0xf5d040; // 0xc03518
                                        						 *0xf5d030 = 0xf5cd78;
                                        						_v20 = _t26;
                                        						__eflags = _t26;
                                        						if(_t26 == 0) {
                                        							L7:
                                        							_t26 = 0xf5cd78;
                                        							_v20 = 0xf5cd78;
                                        							L8:
                                        							_v8 = 0;
                                        							_v16 = 0;
                                        							_t64 = E00F4617B(E00F46007( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
                                        							__eflags = _t64;
                                        							if(__eflags != 0) {
                                        								E00F46007( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                                        								__eflags = _t48 - 1;
                                        								if(_t48 != 1) {
                                        									_v12 = 0;
                                        									_push( &_v12);
                                        									_t49 = E00F48231(_t64, _t64);
                                        									__eflags = _t49;
                                        									if(_t49 == 0) {
                                        										_t58 = _v12;
                                        										_t54 = 0;
                                        										_t36 = _t58;
                                        										__eflags =  *_t58;
                                        										if( *_t58 == 0) {
                                        											L17:
                                        											_t37 = 0;
                                        											 *0xf5d034 = _t54;
                                        											_v12 = 0;
                                        											_t49 = 0;
                                        											 *0xf5d038 = _t58;
                                        											L18:
                                        											E00F479D0(_t37);
                                        											_v12 = 0;
                                        											L19:
                                        											E00F479D0(_t64);
                                        											_t40 = _t49;
                                        											L20:
                                        											return _t40;
                                        										} else {
                                        											goto L16;
                                        										}
                                        										do {
                                        											L16:
                                        											_t36 = _t36 + 4;
                                        											_t54 = _t54 + 1;
                                        											__eflags =  *_t36;
                                        										} while ( *_t36 != 0);
                                        										goto L17;
                                        									}
                                        									_t37 = _v12;
                                        									goto L18;
                                        								}
                                        								_t42 = _v8 - 1;
                                        								__eflags = _t42;
                                        								 *0xf5d034 = _t42;
                                        								_t43 = _t64;
                                        								_t64 = 0;
                                        								 *0xf5d038 = _t43;
                                        								L12:
                                        								_t49 = 0;
                                        								goto L19;
                                        							}
                                        							_t44 = E00F47035(__eflags);
                                        							_push(0xc);
                                        							_pop(0);
                                        							 *_t44 = 0;
                                        							goto L12;
                                        						}
                                        						__eflags =  *_t26;
                                        						if( *_t26 != 0) {
                                        							goto L8;
                                        						}
                                        						goto L7;
                                        					}
                                        					__eflags = _t48 - 1;
                                        					if(__eflags == 0) {
                                        						goto L5;
                                        					}
                                        					_t45 = E00F47035(__eflags);
                                        					_t66 = 0x16;
                                        					 *_t45 = _t66;
                                        					E00F45BD3();
                                        					_t40 = _t66;
                                        					goto L20;
                                        				}
                                        				return 0;
                                        			}



























                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\StartupInstaller.exe
                                        • API String ID: 0-123155926
                                        • Opcode ID: 1035de47d9b3e52dfa58028960e48861c27ceab60d1683237e4f98582806a6cf
                                        • Instruction ID: ffdc1ee1e1fae2a129a42d0ea1a75ccf656b7763c9c5d9a93342d895df98e5a0
                                        • Opcode Fuzzy Hash: 1035de47d9b3e52dfa58028960e48861c27ceab60d1683237e4f98582806a6cf
                                        • Instruction Fuzzy Hash: 0441A371E00718ABCB21EF99DC819AEBFB8EF85760F100066FD05E7252E7748A45E791
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 58%
                                        			E00F446B5(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				intOrPtr* _v16;
                                        				signed int _v20;
                                        				char _v24;
                                        				intOrPtr _v28;
                                        				signed int _v36;
                                        				void* _v40;
                                        				intOrPtr _v44;
                                        				signed int _v48;
                                        				intOrPtr _v56;
                                        				void _v60;
                                        				signed char* _v68;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				void* _t74;
                                        				void* _t75;
                                        				char _t76;
                                        				signed char _t78;
                                        				signed int _t80;
                                        				signed char* _t81;
                                        				signed int _t82;
                                        				signed int _t83;
                                        				intOrPtr* _t87;
                                        				void* _t90;
                                        				signed char* _t93;
                                        				intOrPtr* _t96;
                                        				signed char _t97;
                                        				intOrPtr _t98;
                                        				intOrPtr _t99;
                                        				intOrPtr* _t101;
                                        				signed int _t102;
                                        				signed int _t103;
                                        				signed char _t108;
                                        				signed char* _t111;
                                        				signed int _t112;
                                        				void* _t113;
                                        				signed char* _t116;
                                        				void* _t121;
                                        				signed int _t123;
                                        				void* _t130;
                                        				void* _t131;
                                        
                                        				_t110 = __edx;
                                        				_t100 = __ecx;
                                        				_t96 = _a4;
                                        				if( *_t96 == 0x80000003) {
                                        					return _t74;
                                        				} else {
                                        					_push(_t121);
                                        					_push(_t113);
                                        					_t75 = E00F43FC6(_t96, __ecx, __edx, _t113, _t121);
                                        					if( *((intOrPtr*)(_t75 + 8)) != 0) {
                                        						__imp__EncodePointer(0);
                                        						_t121 = _t75;
                                        						if( *((intOrPtr*)(E00F43FC6(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
                                        							_t87 = E00F436AF(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
                                        							_t130 = _t130 + 0x1c;
                                        							if(_t87 != 0) {
                                        								L16:
                                        								return _t87;
                                        							}
                                        						}
                                        					}
                                        					_t76 = _a20;
                                        					_v24 = _t76;
                                        					_v20 = 0;
                                        					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
                                        						_push(_a28);
                                        						E00F435E2(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
                                        						_t112 = _v36;
                                        						_t131 = _t130 + 0x18;
                                        						_t87 = _v40;
                                        						_v16 = _t87;
                                        						_v8 = _t112;
                                        						if(_t112 < _v28) {
                                        							_t102 = _t112 * 0x14;
                                        							_v12 = _t102;
                                        							do {
                                        								_t103 = 5;
                                        								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
                                        								_t131 = _t131 + 0xc;
                                        								if(_v60 <= _t90 && _t90 <= _v56) {
                                        									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
                                        									_t108 = _t93[4];
                                        									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
                                        										if(( *_t93 & 0x00000040) == 0) {
                                        											_push(0);
                                        											_push(1);
                                        											E00F4428B(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
                                        											_t112 = _v8;
                                        											_t131 = _t131 + 0x30;
                                        										}
                                        									}
                                        								}
                                        								_t112 = _t112 + 1;
                                        								_t87 = _v16;
                                        								_t102 = _v12 + 0x14;
                                        								_v8 = _t112;
                                        								_v12 = _t102;
                                        							} while (_t112 < _v28);
                                        						}
                                        						goto L16;
                                        					}
                                        					E00F46E22(_t96, _t100, _t110, 0, _t121);
                                        					asm("int3");
                                        					_t111 = _v68;
                                        					_push(_t96);
                                        					_push(_t121);
                                        					_push(0);
                                        					_t78 = _t111[4];
                                        					if(_t78 == 0) {
                                        						L41:
                                        						_t80 = 1;
                                        					} else {
                                        						_t101 = _t78 + 8;
                                        						if( *_t101 == 0) {
                                        							goto L41;
                                        						} else {
                                        							_t116 = _a4;
                                        							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
                                        								_t97 = _t116[4];
                                        								_t123 = 0;
                                        								if(_t78 == _t97) {
                                        									L33:
                                        									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
                                        										_t81 = _a8;
                                        										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
                                        											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
                                        												_t123 = 1;
                                        											}
                                        										}
                                        									}
                                        									_t80 = _t123;
                                        								} else {
                                        									_t59 = _t97 + 8; // 0x6e
                                        									_t82 = _t59;
                                        									while(1) {
                                        										_t98 =  *_t101;
                                        										if(_t98 !=  *_t82) {
                                        											break;
                                        										}
                                        										if(_t98 == 0) {
                                        											L29:
                                        											_t83 = _t123;
                                        										} else {
                                        											_t99 =  *((intOrPtr*)(_t101 + 1));
                                        											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
                                        												break;
                                        											} else {
                                        												_t101 = _t101 + 2;
                                        												_t82 = _t82 + 2;
                                        												if(_t99 != 0) {
                                        													continue;
                                        												} else {
                                        													goto L29;
                                        												}
                                        											}
                                        										}
                                        										L31:
                                        										if(_t83 == 0) {
                                        											goto L33;
                                        										} else {
                                        											_t80 = 0;
                                        										}
                                        										goto L42;
                                        									}
                                        									asm("sbb eax, eax");
                                        									_t83 = _t82 | 0x00000001;
                                        									goto L31;
                                        								}
                                        							} else {
                                        								goto L41;
                                        							}
                                        						}
                                        					}
                                        					L42:
                                        					return _t80;
                                        				}
                                        			}

                                        APIs
                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00F446DA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.827539752.0000000000F41000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F40000, based on PE: true
                                        • Associated: 00000001.00000002.827528753.0000000000F40000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827566651.0000000000F4F000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827592711.0000000000F5C000.00000004.00000001.01000000.00000004.sdmp
                                        • Associated: 00000001.00000002.827606974.0000000000F5E000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_f40000_StartupInstaller.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID: MOC$RCC
                                        • API String ID: 2118026453-2084237596
                                        • Opcode ID: 32fda48a944a9303af90cef289c34578493e67da548876797946229fc87c9d3d
                                        • Instruction ID: f4b934fff80268fcf4cb0e22fa9262e34349505ebeaf04e6e572fbede9e61c58
                                        • Opcode Fuzzy Hash: 32fda48a944a9303af90cef289c34578493e67da548876797946229fc87c9d3d
                                        • Instruction Fuzzy Hash: A6415531D00209AFDF15DF98DD81AAEBFB5BF49310F188159FE04B6251D339AA51EB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Execution Graph

                                        Execution Coverage:0.7%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0%
                                        Total number of Nodes:506
                                        Total number of Limit Nodes:7

                                        Control-flow Graph

                                        APIs
                                        • RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice,00000000,00020219,?,6BD59058,00000000,6BD58DCC,00000002,338DA2DF), ref: 6BD31F16
                                        • RegQueryValueExW.KERNEL32(00000000,Progid,00000000,00000001,?,?), ref: 6BD31F5A
                                        • AssocQueryStringW.SHLWAPI(00000001,00000002,.html,00000001,?,00000104), ref: 6BD325C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: Query$AssocOpenStringValue
                                        • String ID: .html$ChromeHTML$FirefoxURL$FriendlyTypeName$IE.HTTP$MSEdgeHTM$MicrosoftEdge$Progid$SafariURL$Software\Classes\$Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice$chrome$firefox$iexplore$msedge$safari
                                        • API String ID: 1082267866-1774982471
                                        • Opcode ID: 0aaff38eb7b9529b6ff7560c5285925ff5227d323d952bb749ac6022084046df
                                        • Instruction ID: e8dc7e5710ffebbfd8080905f549e51082736fa61ce80d7dd7588c23370dbcf2
                                        • Opcode Fuzzy Hash: 0aaff38eb7b9529b6ff7560c5285925ff5227d323d952bb749ac6022084046df
                                        • Instruction Fuzzy Hash: 1252C4B1E001289BDF24CB24CC95BDDB775AF45328F1041D9E509AB282D739AF89CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(6BD5DC7C,00000FA0,?,?,6BD40A6B), ref: 6BD40A99
                                        • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,6BD40A6B), ref: 6BD40AA4
                                        • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6BD40A6B), ref: 6BD40AB5
                                        • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 6BD40AC7
                                        • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 6BD40AD5
                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,6BD40A6B), ref: 6BD40AF8
                                        • ___scrt_fastfail.LIBCMT ref: 6BD40B09
                                        • DeleteCriticalSection.KERNEL32(6BD5DC7C,00000007,?,?,6BD40A6B), ref: 6BD40B14
                                        • CloseHandle.KERNEL32(00000000,?,?,6BD40A6B), ref: 6BD40B24
                                        Strings
                                        • WakeAllConditionVariable, xrefs: 6BD40ACD
                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 6BD40A9F
                                        • SleepConditionVariableCS, xrefs: 6BD40AC1
                                        • kernel32.dll, xrefs: 6BD40AB0
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                                        • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                        • API String ID: 3578986977-3242537097
                                        • Opcode ID: fe83f62a68466619fe45350dd88dcf7b4d016a485a05307895185ae217ea83ea
                                        • Instruction ID: 16706d2d1d5a9c267b7dfc799a323533e8bf3c2e4be6037f7fe5e6d4abca80df
                                        • Opcode Fuzzy Hash: fe83f62a68466619fe45350dd88dcf7b4d016a485a05307895185ae217ea83ea
                                        • Instruction Fuzzy Hash: B6015E77981711BBFF215F78980DE6ABB68AB4A7B17000065B906DE100DEB8C4148671
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • __RTC_Initialize.LIBCMT ref: 6BD4123E
                                        • ___scrt_uninitialize_crt.LIBCMT ref: 6BD41258
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: Initialize___scrt_uninitialize_crt
                                        • String ID:
                                        • API String ID: 2442719207-0
                                        • Opcode ID: 33c64a1c2f674781ddefa58c4e71926a41e6f4c69b907a62e8377f16ca1bacf3
                                        • Instruction ID: 00f506f62a067e543877627f4d5ec5284c57b843986083cb11e6362e7072e7cd
                                        • Opcode Fuzzy Hash: 33c64a1c2f674781ddefa58c4e71926a41e6f4c69b907a62e8377f16ca1bacf3
                                        • Instruction Fuzzy Hash: 0941C472D00634EBDB108F65C846BAE7FB8EB45BB4F014159E824AF240D7389E219BB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: dllmain_raw$dllmain_crt_dispatch
                                        • String ID:
                                        • API String ID: 3136044242-0
                                        • Opcode ID: c979603357c2aa691d9dd455d4fac4f8183a1b89e5ea6d3267567d8c232e947d
                                        • Instruction ID: ccdb99fb34d706dc146a2421d2b10989c23b7c194c0940ae1bc026e5133d5461
                                        • Opcode Fuzzy Hash: c979603357c2aa691d9dd455d4fac4f8183a1b89e5ea6d3267567d8c232e947d
                                        • Instruction Fuzzy Hash: 5A218372D01A35EFDB218F65C845A6F3F79EB81AB4F014159F824AF610D7388E619BE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 6BD31E80: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice,00000000,00020219,?,6BD59058,00000000,6BD58DCC,00000002,338DA2DF), ref: 6BD31F16
                                          • Part of subcall function 6BD31E80: RegQueryValueExW.KERNEL32(00000000,Progid,00000000,00000001,?,?), ref: 6BD31F5A
                                        • AssocQueryStringW.SHLWAPI(00000001,00000002,.html,00000001,?,00000104), ref: 6BD325C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: Query$AssocOpenStringValue
                                        • String ID: .html$iexplore
                                        • API String ID: 1082267866-828241661
                                        • Opcode ID: d1bf8265b1b0ab5abff1ab52d45415c4627b2e0780e0929affddb10fe5ef3608
                                        • Instruction ID: ab9362dfb2d8ef2d89d6c88f3a528f68f4dec70144dc083ace08c507e3963bfa
                                        • Opcode Fuzzy Hash: d1bf8265b1b0ab5abff1ab52d45415c4627b2e0780e0929affddb10fe5ef3608
                                        • Instruction Fuzzy Hash: C7716C76E01229DBCB20CB28CC99BD9B7B5FB45328F1041D6D909AB251D7396F85CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • __RTC_Initialize.LIBCMT ref: 6BD4113D
                                          • Part of subcall function 6BD41945: InitializeSListHead.KERNEL32(6BD5DFF8,6BD41147,6BD5B688,00000010,6BD410D8,?,?,?,6BD41300,?,00000001,?,?,00000001,?,6BD5B6D0), ref: 6BD4194A
                                        • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6BD411A7
                                        • ___scrt_fastfail.LIBCMT ref: 6BD411F1
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
                                        • String ID:
                                        • API String ID: 2097537958-0
                                        • Opcode ID: 8ec37872412ef6e45544c3fa2fd9f2b86e196c4ad76c22dae5f5c0b7e7d30a4e
                                        • Instruction ID: 2c7717c634b571c0fea1c6d1f96b52d15f16bcf62ce4c1c5cf6f7630d828bbde
                                        • Opcode Fuzzy Hash: 8ec37872412ef6e45544c3fa2fd9f2b86e196c4ad76c22dae5f5c0b7e7d30a4e
                                        • Instruction Fuzzy Hash: D9210232648261EEEF006FB49402B9C7BA1AF1337DF00405AD8956F1C1DB6D5224DB75
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Control-flow Graph

                                        APIs
                                        • CoInitializeEx.OLE32(00000000,00000000), ref: 6BD33D8F
                                        • CoCreateInstance.OLE32(6BD53210,00000000,00000003,6BD59048,00000000), ref: 6BD33DA6
                                        • CoUninitialize.OLE32 ref: 6BD33E53
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize
                                        • String ID: .htm$.html$.pdf$MSEdgeHTM$http$https
                                        • API String ID: 948891078-1444453974
                                        • Opcode ID: 417f26a51cbcce939102d5bc10aa2d3e071436ef9d9a50171d7a5f3964055ef0
                                        • Instruction ID: c00cb971fdd545503845eb10f4042c74f0b97946e84d6be4e8d7ba4a839156b8
                                        • Opcode Fuzzy Hash: 417f26a51cbcce939102d5bc10aa2d3e071436ef9d9a50171d7a5f3964055ef0
                                        • Instruction Fuzzy Hash: 3C316172A00218BFDF20DFA4C848F9E77B9AF59735F1004A9B905EF241C7799945CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadResource.KERNEL32(00000000,00000000,00000002,00000000,6BD5E810,?,6BD32DAD,6BD318C0,?,6BD318C0,office.com,?,?,00000000), ref: 6BD332AC
                                        • LockResource.KERNEL32(00000000,?,6BD32DAD,6BD318C0,?,6BD318C0,office.com,?,?,00000000), ref: 6BD332B7
                                        • SizeofResource.KERNEL32(00000000,00000000,?,6BD32DAD,6BD318C0,?,6BD318C0,office.com,?,?,00000000), ref: 6BD332C5
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: Resource$LoadLockSizeof
                                        • String ID:
                                        • API String ID: 2853612939-0
                                        • Opcode ID: c45a8f653161f334ec997b9c49b4d7ecb6ba2542c82e103f0264cfbb08a5bef9
                                        • Instruction ID: 93e7ab50cf653c503ad0e5225f7a3aec28f58d684c5811a941a418d9a291021d
                                        • Opcode Fuzzy Hash: c45a8f653161f334ec997b9c49b4d7ecb6ba2542c82e103f0264cfbb08a5bef9
                                        • Instruction Fuzzy Hash: 91F0FC37A00235D79B311B6B9D85C67F7ACDA83735301092BFD5ADB102E965D84092D0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetVersionExW.KERNEL32(?,338DA2DF), ref: 6BD31060
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: Version
                                        • String ID: Thv
                                        • API String ID: 1889659487-4269917160
                                        • Opcode ID: d7f55c3305616616aad12e27d237e0dd499b2d65fd9bfa9fc2aa6981a294bb00
                                        • Instruction ID: b364009d538bd2f8a742abc4d95ed188a7b8a00a3ecaf3b8f972c9b4429bc6d8
                                        • Opcode Fuzzy Hash: d7f55c3305616616aad12e27d237e0dd499b2d65fd9bfa9fc2aa6981a294bb00
                                        • Instruction Fuzzy Hash: 7D513AB0904B65CED760CF78C44579ABBF0EF0A328F104A5EC4AEDB681D778A548CB55
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 6BD4C88B
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CB9D
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CBAF
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CBC1
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CBD3
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CBE5
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CBF7
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CC09
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CC1B
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CC2D
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CC3F
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CC51
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CC63
                                          • Part of subcall function 6BD4CB80: _free.LIBCMT ref: 6BD4CC75
                                        • _free.LIBCMT ref: 6BD4C880
                                          • Part of subcall function 6BD4A195: HeapFree.KERNEL32(00000000,00000000,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?), ref: 6BD4A1AB
                                          • Part of subcall function 6BD4A195: GetLastError.KERNEL32(?,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?,?), ref: 6BD4A1BD
                                        • _free.LIBCMT ref: 6BD4C8A2
                                        • _free.LIBCMT ref: 6BD4C8B7
                                        • _free.LIBCMT ref: 6BD4C8C2
                                        • _free.LIBCMT ref: 6BD4C8E4
                                        • _free.LIBCMT ref: 6BD4C8F7
                                        • _free.LIBCMT ref: 6BD4C905
                                        • _free.LIBCMT ref: 6BD4C910
                                        • _free.LIBCMT ref: 6BD4C948
                                        • _free.LIBCMT ref: 6BD4C94F
                                        • _free.LIBCMT ref: 6BD4C96C
                                        • _free.LIBCMT ref: 6BD4C984
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: 06410838b585f65449cefeef9ff0552923dc52e1409d5b28689601f099302699
                                        • Instruction ID: 82b7690678e2d3cad89919d90db3895c2d6dca8024e460c86734243c9848b66b
                                        • Opcode Fuzzy Hash: 06410838b585f65449cefeef9ff0552923dc52e1409d5b28689601f099302699
                                        • Instruction Fuzzy Hash: B3318132A04705EFEB114F75D805B5677E9AF05374F1844AAE059EF150DF38E948DB20
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 6BD42E1F
                                        • type_info::operator==.LIBVCRUNTIME ref: 6BD42E46
                                        • ___TypeMatch.LIBVCRUNTIME ref: 6BD42F52
                                        • IsInExceptionSpec.LIBVCRUNTIME ref: 6BD4302D
                                        • _UnwindNestedFrames.LIBCMT ref: 6BD430B4
                                        • CallUnexpected.LIBVCRUNTIME ref: 6BD430CF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                        • String ID: csm$csm$csm
                                        • API String ID: 2123188842-393685449
                                        • Opcode ID: c0d3fdeee5393f2e1b06964c79305615321a86ff610384f04f5c579e3a18a3fe
                                        • Instruction ID: d99c2c184f941d19ac08eba48d84567ecdcec4a39095b2bb909fc434933c79d3
                                        • Opcode Fuzzy Hash: c0d3fdeee5393f2e1b06964c79305615321a86ff610384f04f5c579e3a18a3fe
                                        • Instruction Fuzzy Hash: B1C17D71C14209DFCF15CFA8C881A9EBBB5BF04338F0441AAE854AF215D779DA91DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _free.LIBCMT ref: 6BD49A8E
                                          • Part of subcall function 6BD4A195: HeapFree.KERNEL32(00000000,00000000,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?), ref: 6BD4A1AB
                                          • Part of subcall function 6BD4A195: GetLastError.KERNEL32(?,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?,?), ref: 6BD4A1BD
                                        • _free.LIBCMT ref: 6BD49A9A
                                        • _free.LIBCMT ref: 6BD49AA5
                                        • _free.LIBCMT ref: 6BD49AB0
                                        • _free.LIBCMT ref: 6BD49ABB
                                        • _free.LIBCMT ref: 6BD49AC6
                                        • _free.LIBCMT ref: 6BD49AD1
                                        • _free.LIBCMT ref: 6BD49ADC
                                        • _free.LIBCMT ref: 6BD49AE7
                                        • _free.LIBCMT ref: 6BD49AF5
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 0b6ee778d64557b9952889436673955ffd09a641c68dd366a83a29024d6aeb71
                                        • Instruction ID: f7c165ea0bd802f0394d307e0a915cbf177e816e40123ad23fb294d47a0de250
                                        • Opcode Fuzzy Hash: 0b6ee778d64557b9952889436673955ffd09a641c68dd366a83a29024d6aeb71
                                        • Instruction Fuzzy Hash: 3821857690010CAFCB42DFA5C881DDE7FB9BF09364F0145A6A516AF121EB35EB58CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 6BD42807
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 6BD4280F
                                        • _ValidateLocalCookies.LIBCMT ref: 6BD42898
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6BD428C3
                                        • _ValidateLocalCookies.LIBCMT ref: 6BD42918
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 54a32116499972b2a61cfd759a6a72917df92fc16dcad3d34f6a4a083e5f579d
                                        • Instruction ID: 7dfc2b7786e9304d07709e0a221a4e64051bb8f2927c91ee015528783bf3d108
                                        • Opcode Fuzzy Hash: 54a32116499972b2a61cfd759a6a72917df92fc16dcad3d34f6a4a083e5f579d
                                        • Instruction Fuzzy Hash: 57415B35A10208EBDF14DF68C881A9EBBB5AF45338F1481A5E814DF251DB39DA15CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 0-537541572
                                        • Opcode ID: 526e0a93307aa7424e7abcf886f9674917792961e7b6e2d2d7a61a72c7b0123c
                                        • Instruction ID: 114de8748b38db20082c28bc4b49bb87344a6e925f3525fb579fa243884c8bfd
                                        • Opcode Fuzzy Hash: 526e0a93307aa7424e7abcf886f9674917792961e7b6e2d2d7a61a72c7b0123c
                                        • Instruction Fuzzy Hash: B621A536E45224EBEB254F288C85B5E77689F267B0F110560ED96AF2C1D738ED10D6F0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6BD4CCE7: _free.LIBCMT ref: 6BD4CD0C
                                        • _free.LIBCMT ref: 6BD4CD6D
                                          • Part of subcall function 6BD4A195: HeapFree.KERNEL32(00000000,00000000,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?), ref: 6BD4A1AB
                                          • Part of subcall function 6BD4A195: GetLastError.KERNEL32(?,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?,?), ref: 6BD4A1BD
                                        • _free.LIBCMT ref: 6BD4CD78
                                        • _free.LIBCMT ref: 6BD4CD83
                                        • _free.LIBCMT ref: 6BD4CDD7
                                        • _free.LIBCMT ref: 6BD4CDE2
                                        • _free.LIBCMT ref: 6BD4CDED
                                        • _free.LIBCMT ref: 6BD4CDF8
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: f684ee3bd14a070dd3464a80d5e2c39723c3433437510566982be1aab423c66b
                                        • Instruction ID: 65c21c6dbed274e9977e72ab4250642f076c6ac3290e597c2b32b4c1baf9a82a
                                        • Opcode Fuzzy Hash: f684ee3bd14a070dd3464a80d5e2c39723c3433437510566982be1aab423c66b
                                        • Instruction Fuzzy Hash: 0A112171580B08AAD531ABB0CC07FCB7B9C6F16724F484829E29EAE050DB7DF648C760
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6BD4DBF5
                                        • __fassign.LIBCMT ref: 6BD4DDD4
                                        • __fassign.LIBCMT ref: 6BD4DDF1
                                        • WriteFile.KERNEL32(?,6BD4C37E,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BD4DE39
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BD4DE79
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BD4DF25
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ConsoleErrorLast
                                        • String ID:
                                        • API String ID: 4031098158-0
                                        • Opcode ID: 78fbbfd4ef4d9355a9ee8a7699f6c5ad15b55ed039e490c7b7e2f63b9384b1e6
                                        • Instruction ID: 2c5e311de2ab434cfa5e39265cb5f3566fca8d64559018e1300e9bfff309e4c2
                                        • Opcode Fuzzy Hash: 78fbbfd4ef4d9355a9ee8a7699f6c5ad15b55ed039e490c7b7e2f63b9384b1e6
                                        • Instruction Fuzzy Hash: FED1BB75D012989FDF11CFA8C8809EDBBB5FF49324F2401AAE855BB241D735AE02CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateFileW.KERNEL32(?,?,00000001,00000000,00000003,00000080,00000000,338DA2DF,?,?,?), ref: 6BD3CBBF
                                        • GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6BD3CBD5
                                        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 6BD3CC12
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 6BD3CC43
                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 6BD3CC71
                                        • CloseHandle.KERNEL32(00000000), ref: 6BD3CD84
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: File$ByteCharHandleMultiWide$CloseCreateInformationRead
                                        • String ID:
                                        • API String ID: 390388180-0
                                        • Opcode ID: 16f0d851d62af21a612d1d2c1a4ae1d517180628d53f505cd4ba594946e05e9e
                                        • Instruction ID: f22732c6386f9e1949ca93edf79700260bdec2a08b09367ab9a9d4e1a424ab94
                                        • Opcode Fuzzy Hash: 16f0d851d62af21a612d1d2c1a4ae1d517180628d53f505cd4ba594946e05e9e
                                        • Instruction Fuzzy Hash: 3771E671A002589BDF14CF74CC45FAEBBB5EB46764F144229F41AEF281DB39AA44CB60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(00000001,?,6BD4275E,6BD40CFF,6BD410C8,?,6BD41300,?,00000001,?,?,00000001,?,6BD5B6D0,0000000C,6BD413F9), ref: 6BD429FB
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6BD42A09
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6BD42A22
                                        • SetLastError.KERNEL32(00000000,6BD41300,?,00000001,?,?,00000001,?,6BD5B6D0,0000000C,6BD413F9,?,00000001,?), ref: 6BD42A74
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe, xrefs: 6BD4ACB8
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe
                                        • API String ID: 0-2525331770
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • FreeLibrary.KERNEL32(00000000,?,?,6BD43B54,00000000,?,00000001,00000000,?,6BD43BCB,00000001,FlsFree,6BD53E3C,FlsFree,00000000), ref: 6BD43B23
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID: api-ms-
                                        • API String ID: 3664257935-2084034818
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6BD48B9F,6BD49C78,?,6BD48B67,?,00000000,6BD49C78), ref: 6BD48C02
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6BD48C15
                                        • FreeLibrary.KERNEL32(00000000,?,?,6BD48B9F,6BD49C78,?,6BD48B67,?,00000000,6BD49C78), ref: 6BD48C38
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _free.LIBCMT ref: 6BD4CC96
                                          • Part of subcall function 6BD4A195: HeapFree.KERNEL32(00000000,00000000,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?), ref: 6BD4A1AB
                                          • Part of subcall function 6BD4A195: GetLastError.KERNEL32(?,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?,?), ref: 6BD4A1BD
                                        • _free.LIBCMT ref: 6BD4CCA8
                                        • _free.LIBCMT ref: 6BD4CCBA
                                        • _free.LIBCMT ref: 6BD4CCCC
                                        • _free.LIBCMT ref: 6BD4CCDE
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID: *?
                                        • API String ID: 269201875-2564092906
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: FolderPath
                                        • String ID: Default$\Preferences$\User Data
                                        • API String ID: 1514166925-221605969
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000003C), ref: 6BD31C6E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: CrackInternet
                                        • String ID: <$bing.$bing:baseURL
                                        • API String ID: 1381609488-1358390346
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: AdjustPointer
                                        • String ID:
                                        • API String ID: 1740715915-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6BD4AB6D: _free.LIBCMT ref: 6BD4AB7B
                                          • Part of subcall function 6BD4B6C6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,6BD49FF4,?,00000000,00000000), ref: 6BD4B768
                                        • GetLastError.KERNEL32 ref: 6BD4A5B3
                                        • __dosmaperr.LIBCMT ref: 6BD4A5BA
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6BD4A5F9
                                        • __dosmaperr.LIBCMT ref: 6BD4A600
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                        • String ID:
                                        • API String ID: 167067550-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,6BD44601,?,?,?,?,6BD44667,00000000,?,?,?,?,6BD44865,?), ref: 6BD49BC1
                                        • _free.LIBCMT ref: 6BD49C1E
                                        • _free.LIBCMT ref: 6BD49C54
                                        • SetLastError.KERNEL32(00000000,0000000D,000000FF,?,6BD44667,00000000,?,?,?,?,6BD44865,?,00000000,?,6BD32669,?), ref: 6BD49C5F
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: ErrorLast_free
                                        • String ID:
                                        • API String ID: 2283115069-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,6BD4492B,6BD4A3E8,?,?,6BD40A42,?,?,6BD33CA7,00000008), ref: 6BD49D18
                                        • _free.LIBCMT ref: 6BD49D75
                                        • _free.LIBCMT ref: 6BD49DAB
                                        • SetLastError.KERNEL32(00000000,0000000D,000000FF,?,?,?,6BD4492B,6BD4A3E8,?,?,6BD40A42,?,?,6BD33CA7,00000008), ref: 6BD49DB6
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: ErrorLast_free
                                        • String ID:
                                        • API String ID: 2283115069-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteConsoleW.KERNEL32(?,?,6BD4C3EF,00000000,?,?,6BD4E9CB,?,00000001,?,00000001,?,6BD4DF82,00000000,00000000,00000001), ref: 6BD4EF8D
                                        • GetLastError.KERNEL32(?,6BD4E9CB,?,00000001,?,00000001,?,6BD4DF82,00000000,00000000,00000001,00000000,00000001,?,6BD4E4D6,6BD4C37E), ref: 6BD4EF99
                                          • Part of subcall function 6BD4EF5F: CloseHandle.KERNEL32(FFFFFFFE,6BD4EFA9,?,6BD4E9CB,?,00000001,?,00000001,?,6BD4DF82,00000000,00000000,00000001,00000000,00000001), ref: 6BD4EF6F
                                        • ___initconout.LIBCMT ref: 6BD4EFA9
                                          • Part of subcall function 6BD4EF21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6BD4EF50,6BD4E9B8,00000001,?,6BD4DF82,00000000,00000000,00000001,00000000), ref: 6BD4EF34
                                        • WriteConsoleW.KERNEL32(?,?,6BD4C3EF,00000000,?,6BD4E9CB,?,00000001,?,00000001,?,6BD4DF82,00000000,00000000,00000001,00000000), ref: 6BD4EFBE
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                        • String ID:
                                        • API String ID: 2744216297-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SleepConditionVariableCS.KERNELBASE(?,6BD40B9A,00000064), ref: 6BD40C20
                                        • LeaveCriticalSection.KERNEL32(6BD5DC7C,00000000,?,6BD40B9A,00000064,?,6BD338B3,6BD5E778,6BD31AE4,?,00000000,?,338DA2DF,?,00000000), ref: 6BD40C2A
                                        • WaitForSingleObjectEx.KERNEL32(00000000,00000000,?,6BD40B9A,00000064,?,6BD338B3,6BD5E778,6BD31AE4,?,00000000,?,338DA2DF,?,00000000), ref: 6BD40C3B
                                        • EnterCriticalSection.KERNEL32(6BD5DC7C,?,6BD40B9A,00000064,?,6BD338B3,6BD5E778,6BD31AE4,?,00000000,?,338DA2DF,?,00000000), ref: 6BD40C42
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                        • String ID:
                                        • API String ID: 3269011525-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • _free.LIBCMT ref: 6BD4956C
                                          • Part of subcall function 6BD4A195: HeapFree.KERNEL32(00000000,00000000,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?), ref: 6BD4A1AB
                                          • Part of subcall function 6BD4A195: GetLastError.KERNEL32(?,?,6BD4CD11,?,00000000,?,?,?,6BD4CD38,?,00000007,?,?,6BD4C9DE,?,?), ref: 6BD4A1BD
                                        • _free.LIBCMT ref: 6BD4957F
                                        • _free.LIBCMT ref: 6BD49590
                                        • _free.LIBCMT ref: 6BD495A1
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 5b3318375ba08a27904bc4a7e308cc28794f53beb92be46b986ce14b1198fa71
                                        • Instruction ID: fade94e58c857c4f323526a23ad99fd41e5f740ff85330b7866d95a9b38600e7
                                        • Opcode Fuzzy Hash: 5b3318375ba08a27904bc4a7e308cc28794f53beb92be46b986ce14b1198fa71
                                        • Instruction Fuzzy Hash: 6DE0B6B3834A349FBE027F34D905449BEA9B75B7653060A5AF4052E210DB398716EB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe, xrefs: 6BD48CBE, 6BD48CFB
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\MEInstaller.exe
                                        • API String ID: 0-2525331770
                                        • Opcode ID: 5c9314080fad8aa34872dfd4dff8306c349ad3aa5df013f3ad9e5e066b9023b4
                                        • Instruction ID: 0703daf85a48122db6eeca858684a7dcbb1304aa46b10a66b0615c8ca815df14
                                        • Opcode Fuzzy Hash: 5c9314080fad8aa34872dfd4dff8306c349ad3aa5df013f3ad9e5e066b9023b4
                                        • Instruction Fuzzy Hash: 6C419571E01614EFEB11DFADD88199EBBF8EB99770F1000A6E414AF250D7758A41DBB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6BD430FF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: EncodePointer
                                        • String ID: MOC$RCC
                                        • API String ID: 2118026453-2084237596
                                        • Opcode ID: 5c83501ce2761ecefe1fb680c310d7d4dc71b6d537d12db3bbf0d9ea8322480e
                                        • Instruction ID: 6b292a27e3465691220d015e280d9d64bcefa44b24005b1cdf7d93db67a100cc
                                        • Opcode Fuzzy Hash: 5c83501ce2761ecefe1fb680c310d7d4dc71b6d537d12db3bbf0d9ea8322480e
                                        • Instruction Fuzzy Hash: E1418E71900209EFCF15CFA8CC81ADEBBB5FF49324F1440A9FA14AB214D7399A51EB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                          • Part of subcall function 6BD33EB0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,6BD4092E,?,?,6BD5B5E8,?,?,?,?), ref: 6BD33EB5
                                          • Part of subcall function 6BD33EB0: GetLastError.KERNEL32(?,?,6BD5B5E8,?,?,?,?), ref: 6BD33EBF
                                        • IsDebuggerPresent.KERNEL32(?,?,6BD5B5E8,?,?,?,?), ref: 6BD40932
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,6BD5B5E8,?,?,?,?), ref: 6BD40941
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6BD4093C
                                        Memory Dump Source
                                        • Source File: 00000002.00000002.833909137.000000006BD31000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6BD30000, based on PE: true
                                        • Associated: 00000002.00000002.833891383.000000006BD30000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.833973560.000000006BD53000.00000002.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834001056.000000006BD5D000.00000004.00000001.01000000.0000000B.sdmp
                                        • Associated: 00000002.00000002.834017889.000000006BD5F000.00000002.00000001.01000000.0000000B.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_2_2_6bd30000_MEInstaller.jbxd
                                        Similarity
                                        • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 3511171328-631824599
                                        • Opcode ID: 22ff57bd817945ebbfbd286ea72d0e7c1ab352b4862d2163b864019c4bffed43
                                        • Instruction ID: e01cbdcd3ac0fa2c859ff480260defdcd0586e7d05ca857991f1e497dc1ff4d4
                                        • Opcode Fuzzy Hash: 22ff57bd817945ebbfbd286ea72d0e7c1ab352b4862d2163b864019c4bffed43
                                        • Instruction Fuzzy Hash: 45E06D716047118BF7719F39D504702BBE4AF063B5F00886DE49ADE200EBBCD448CB61
                                        Uniqueness

                                        Uniqueness Score: -1.00%