Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Cotizaci#U00f3n#12643283.exe

Overview

General Information

Sample name:Cotizaci#U00f3n#12643283.exe
renamed because original name is a hash value
Original sample name:Cotizacin#12643283.exe
Analysis ID:1501088
MD5:23788e22bc2ee1417a5c7fdf0f58715f
SHA1:f47805df01143591bc654056b9fda905850e9539
SHA256:d613473068f000318d1015b85a0f49f9191263041ae8debcc7250876ae146304
Tags:exeFormbook
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Cotizaci#U00f3n#12643283.exe (PID: 2968 cmdline: "C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe" MD5: 23788E22BC2EE1417A5C7FDF0F58715F)
    • powershell.exe (PID: 4160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6772 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7164 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 4144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • SoEOsZIV.exe (PID: 4788 cmdline: C:\Users\user\AppData\Roaming\SoEOsZIV.exe MD5: 23788E22BC2EE1417A5C7FDF0F58715F)
    • schtasks.exe (PID: 5664 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpBE22.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 3428 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 3604 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 1016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 5156 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 3236 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2f913:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17a42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2bc50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      Process Memory Space: Cotizaci#U00f3n#12643283.exe PID: 2968JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        Click to see the 1 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        7.2.vbc.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          7.2.vbc.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2f913:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17a42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          7.2.vbc.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            7.2.vbc.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2ed13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x16e42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe, ParentProcessId: 2968, ParentProcessName: Cotizaci#U00f3n#12643283.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", ProcessId: 4160, ProcessName: powershell.exe
            Sigma detected: Powershell Defender Exclusion
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe, ParentProcessId: 2968, ParentProcessName: Cotizaci#U00f3n#12643283.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", ProcessId: 4160, ProcessName: powershell.exe
            Sigma detected: Suspicious Add Scheduled Task Parent
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpBE22.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpBE22.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\SoEOsZIV.exe, ParentImage: C:\Users\user\AppData\Roaming\SoEOsZIV.exe, ParentProcessId: 4788, ParentProcessName: SoEOsZIV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpBE22.tmp", ProcessId: 5664, ProcessName: schtasks.exe
            Sigma detected: Suspicious Schtasks From Env Var Folder
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe, ParentProcessId: 2968, ParentProcessName: Cotizaci#U00f3n#12643283.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp", ProcessId: 7164, ProcessName: schtasks.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe, ParentProcessId: 2968, ParentProcessName: Cotizaci#U00f3n#12643283.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe", ProcessId: 4160, ProcessName: powershell.exe

            Persistence and Installation Behavior

            barindex
            Sigma detected: Scheduled temp file as task from temp location
            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe, ParentProcessId: 2968, ParentProcessName: Cotizaci#U00f3n#12643283.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp", ProcessId: 7164, ProcessName: schtasks.exe

            Suricata Signatures

            No Suricata rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeReversingLabs: Detection: 78%
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeVirustotal: Detection: 68%Perma Link
            Multi AV Scanner detection for submitted file
            Source: Cotizaci#U00f3n#12643283.exeReversingLabs: Detection: 78%
            Source: Cotizaci#U00f3n#12643283.exeVirustotal: Detection: 68%Perma Link
            Yara detected FormBook
            Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeJoe Sandbox ML: detected
            Machine Learning detection for sample
            Source: Cotizaci#U00f3n#12643283.exeJoe Sandbox ML: detected
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: ziKI.pdbSHA256OWjP source: Cotizaci#U00f3n#12643283.exe, SoEOsZIV.exe.0.dr
            Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: ziKI.pdb source: Cotizaci#U00f3n#12643283.exe, SoEOsZIV.exe.0.dr
            Source: Cotizaci#U00f3n#12643283.exe, 00000000.00000002.2200126332.0000000002797000.00000004.00000800.00020000.00000000.sdmp, SoEOsZIV.exe, 00000008.00000002.2254774684.00000000031A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess Stats: CPU usage > 49%
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0042CC13 NtClose,7_2_0042CC13
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_06FA2C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_06FA2DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2B60 NtClose,LdrInitializeThunk,7_2_06FA2B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA35C0 NtCreateMutant,LdrInitializeThunk,7_2_06FA35C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA4650 NtSuspendThread,7_2_06FA4650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA4340 NtSetContextThread,7_2_06FA4340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2EE0 NtQueueApcThread,7_2_06FA2EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2EA0 NtAdjustPrivilegesToken,7_2_06FA2EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2E80 NtReadVirtualMemory,7_2_06FA2E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2E30 NtWriteVirtualMemory,7_2_06FA2E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2FE0 NtCreateFile,7_2_06FA2FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2FB0 NtResumeThread,7_2_06FA2FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2FA0 NtQuerySection,7_2_06FA2FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2F90 NtProtectVirtualMemory,7_2_06FA2F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2F60 NtCreateProcessEx,7_2_06FA2F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2F30 NtCreateSection,7_2_06FA2F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2CF0 NtOpenProcess,7_2_06FA2CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2CC0 NtQueryVirtualMemory,7_2_06FA2CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2CA0 NtQueryInformationToken,7_2_06FA2CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2C60 NtCreateKey,7_2_06FA2C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2C00 NtQueryInformationProcess,7_2_06FA2C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2DD0 NtDelayExecution,7_2_06FA2DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2DB0 NtEnumerateKey,7_2_06FA2DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2D30 NtUnmapViewOfSection,7_2_06FA2D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2D10 NtMapViewOfSection,7_2_06FA2D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2D00 NtSetInformationFile,7_2_06FA2D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2AF0 NtWriteFile,7_2_06FA2AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2AD0 NtReadFile,7_2_06FA2AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2AB0 NtWaitForSingleObject,7_2_06FA2AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2BF0 NtAllocateVirtualMemory,7_2_06FA2BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2BE0 NtQueryValueKey,7_2_06FA2BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2BA0 NtEnumerateValueKey,7_2_06FA2BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2B80 NtQueryInformationFile,7_2_06FA2B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA3090 NtSetValueKey,7_2_06FA3090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA3010 NtOpenDirectoryObject,7_2_06FA3010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA3D70 NtOpenThread,7_2_06FA3D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA3D10 NtOpenProcessToken,7_2_06FA3D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA39B0 NtGetContextThread,7_2_06FA39B0
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeCode function: 0_2_00CDE0740_2_00CDE074
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004018EC7_2_004018EC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004018F07_2_004018F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00403A407_2_00403A40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0042F2037_2_0042F203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00401AD07_2_00401AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004014407_2_00401440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004034C07_2_004034C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00402CD07_2_00402CD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004034B87_2_004034B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004105137_2_00410513
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00416DAF7_2_00416DAF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00416DB37_2_00416DB3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004107337_2_00410733
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004017B07_2_004017B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0040E7B37_2_0040E7B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8C6E07_2_06F8C6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6C7C07_2_06F6C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F707707_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F947507_2_06F94750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070305917_2_07030591
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070144207_2_07014420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070224467_2_07022446
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F705357_2_06F70535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701E4F67_2_0701E4F6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF02C07_2_06FF02C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702A3527_2_0702A352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070303E67_2_070303E6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E3F07_2_06F7E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070102747_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700A1187_2_0700A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070241A27_2_070241A2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070301AA7_2_070301AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070281CC7_2_070281CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070020007_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF81587_2_06FF8158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F601007_2_06F60100
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07012F307_2_07012F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F82E907_2_06F82E90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70E597_2_06F70E59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7CFE07_2_06F7CFE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702EE267_2_0702EE26
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62FC87_2_06F62FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FEEFA07_2_06FEEFA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702CE937_2_0702CE93
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4F407_2_06FE4F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F90F307_2_06F90F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FB2F287_2_06FB2F28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702EEDB7_2_0702EEDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F60CF27_2_06F60CF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700CD1F7_2_0700CD1F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70C007_2_06F70C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6ADE07_2_06F6ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F88DBF7_2_06F88DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010CB57_2_07010CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7AD007_2_06F7AD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702AB407_2_0702AB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6EA807_2_06F6EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07026BD77_2_07026BD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E8F07_2_06F9E8F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F568B87_2_06F568B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0703A9A67_2_0703A9A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F728407_2_06F72840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7A8407_2_06F7A840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F729A07_2_06F729A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F869627_2_06F86962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702F7B07_2_0702F7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FB56307_2_06FB5630
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070216CC7_2_070216CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070275717_2_07027571
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F614607_2_06F61460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700D5B07_2_0700D5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070395C37_2_070395C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702F43F7_2_0702F43F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702132D7_2_0702132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8B2C07_2_06F8B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F752A07_2_06F752A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FB739A7_2_06FB739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5D34C7_2_06F5D34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070112ED7_2_070112ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F770C07_2_06F770C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0703B16B7_2_0703B16B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7B1B07_2_06F7B1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5F1727_2_06F5F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA516C7_2_06FA516C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701F0CC7_2_0701F0CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702F0E07_2_0702F0E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070270E97_2_070270E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702FF097_2_0702FF09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F79EB07_2_06F79EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702FFB17_2_0702FFB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F71F927_2_06F71F92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07021D5A7_2_07021D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07027D737_2_07027D73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE9C327_2_06FE9C32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8FDC07_2_06F8FDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F73D407_2_06F73D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702FCF27_2_0702FCF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FB5AA07_2_06FB5AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702FB767_2_0702FB76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE3A6C7_2_06FE3A6C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FADBF97_2_06FADBF9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE5BF07_2_06FE5BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07027A467_2_07027A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702FA497_2_0702FA49
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8FB807_2_06F8FB80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07011AA37_2_07011AA3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700DAAC7_2_0700DAAC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701DAC67_2_0701DAC6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070059107_2_07005910
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F738E07_2_06F738E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDD8007_2_06FDD800
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F799507_2_06F79950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8B9507_2_06F8B950
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeCode function: 8_2_0190E0748_2_0190E074
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 06FDEA12 appears 86 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 06F5B970 appears 280 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 06FA5130 appears 58 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 06FEF290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 06FB7E54 appears 111 times
            Source: Cotizaci#U00f3n#12643283.exe, 00000000.00000002.2200126332.0000000002751000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCasio.dllD vs Cotizaci#U00f3n#12643283.exe
            Source: Cotizaci#U00f3n#12643283.exe, 00000000.00000000.2182180428.0000000000408000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamezi vs Cotizaci#U00f3n#12643283.exe
            Source: Cotizaci#U00f3n#12643283.exe, 00000000.00000002.2199273038.0000000000A2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Cotizaci#U00f3n#12643283.exe
            Source: Cotizaci#U00f3n#12643283.exe, 00000000.00000002.2202816597.000000000392E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Cotizaci#U00f3n#12643283.exe
            Source: Cotizaci#U00f3n#12643283.exe, 00000000.00000002.2210589976.00000000051B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCasio.dllD vs Cotizaci#U00f3n#12643283.exe
            Source: Cotizaci#U00f3n#12643283.exe, 00000000.00000002.2210800655.00000000051C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSalmun.dll. vs Cotizaci#U00f3n#12643283.exe
            Source: Cotizaci#U00f3n#12643283.exe, 00000000.00000002.2211398389.0000000006A90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Cotizaci#U00f3n#12643283.exe
            Source: Cotizaci#U00f3n#12643283.exeBinary or memory string: OriginalFilenameziKI.exe4 vs Cotizaci#U00f3n#12643283.exe
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SoEOsZIV.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, X64Lfi1jtVl3jyEt1i.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, X64Lfi1jtVl3jyEt1i.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, X64Lfi1jtVl3jyEt1i.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, O6gQHwN7UIkW5MiRmW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, O6gQHwN7UIkW5MiRmW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, X64Lfi1jtVl3jyEt1i.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, X64Lfi1jtVl3jyEt1i.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, X64Lfi1jtVl3jyEt1i.csSecurity API names: _0020.AddAccessRule
            Source: classification engineClassification label: mal100.troj.evad.winEXE@24/11@0/0
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeFile created: C:\Users\user\AppData\Roaming\SoEOsZIV.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3080:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeFile created: C:\Users\user\AppData\Local\Temp\tmpAC01.tmpJump to behavior
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Cotizaci#U00f3n#12643283.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: Cotizaci#U00f3n#12643283.exeReversingLabs: Detection: 78%
            Source: Cotizaci#U00f3n#12643283.exeVirustotal: Detection: 68%
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeFile read: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe "C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe"
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\SoEOsZIV.exe C:\Users\user\AppData\Roaming\SoEOsZIV.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpBE22.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpBE22.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: ziKI.pdbSHA256OWjP source: Cotizaci#U00f3n#12643283.exe, SoEOsZIV.exe.0.dr
            Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: ziKI.pdb source: Cotizaci#U00f3n#12643283.exe, SoEOsZIV.exe.0.dr

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.2787c50.0.raw.unpack, hrlPDhZiofKOntEGsn.cs.Net Code: DguLQ26lK
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.2787c50.0.raw.unpack, hrlPDhZiofKOntEGsn.cs.Net Code: zF7AknH7e System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, X64Lfi1jtVl3jyEt1i.cs.Net Code: klJtkkAvFm System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.51b0000.4.raw.unpack, hrlPDhZiofKOntEGsn.cs.Net Code: DguLQ26lK
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.51b0000.4.raw.unpack, hrlPDhZiofKOntEGsn.cs.Net Code: zF7AknH7e System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, X64Lfi1jtVl3jyEt1i.cs.Net Code: klJtkkAvFm System.Reflection.Assembly.Load(byte[])
            Source: 8.2.SoEOsZIV.exe.3167c08.0.raw.unpack, hrlPDhZiofKOntEGsn.cs.Net Code: DguLQ26lK
            Source: 8.2.SoEOsZIV.exe.3167c08.0.raw.unpack, hrlPDhZiofKOntEGsn.cs.Net Code: zF7AknH7e System.Reflection.Assembly.Load(byte[])
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004489BB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,7_2_004489BB
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeCode function: 0_2_00CDD958 push esp; iretd 0_2_00CDD959
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00412876 push A7A06875h; ret 7_2_0041287B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0040D8FE push esp; retf 7_2_0040D8FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00424A62 push D336233Ah; ret 7_2_00424A67
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0041FACF push edx; iretd 7_2_0041FAD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0042446A push ebp; ret 7_2_00424470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00403CC0 push eax; ret 7_2_00403CC2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004164D3 pushad ; retn 81BAh7_2_004164A5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00422CF2 push es; retn 0000h7_2_00422CFA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00423D08 push edx; retf 7_2_00423D26
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00447DF5 push ecx; ret 7_2_00447E08
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0040D699 push es; ret 7_2_0040D6A2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00411F68 pushfd ; iretd 7_2_00411F69
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F327FA pushad ; ret 7_2_06F327F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F3225F pushad ; ret 7_2_06F327F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F3283D push eax; iretd 7_2_06F32858
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F609AD push ecx; mov dword ptr [esp], ecx7_2_06F609B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F3135D push eax; iretd 7_2_06F31369
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeCode function: 8_2_0190D958 push esp; iretd 8_2_0190D959
            Source: Cotizaci#U00f3n#12643283.exeStatic PE information: section name: .text entropy: 7.890900297629251
            Source: SoEOsZIV.exe.0.drStatic PE information: section name: .text entropy: 7.890900297629251
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.2787c50.0.raw.unpack, hrlPDhZiofKOntEGsn.csHigh entropy of concatenated method names: 'HW1ErlPDh', 'sofPKOntE', 'SsnflUJon', 'aMB144uHG', 'b2TDraJQL', 'DooTW4SZv', 'e6wSRoREk', 'eiIOxF2Ts', 'n4FpBtydB', 'kDGIyt7hv'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, KmMxWwdtUcVDYnuVm6.csHigh entropy of concatenated method names: 'Va5POCurro', 'qXcPGTlL6R', 'AKVPdZs0YC', 'krCPpR15EF', 'h7ZPc3JhCZ', 'SSqPu6uBnA', 'G9qP0uU0Nk', 'LRUPm9VNFY', 'fmEP6yjMOP', 'pFLPwEb3h6'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, vHJJC5K2tkViAevmvn.csHigh entropy of concatenated method names: 'vF7kUDD5S', 'uPBTWIxTy', 'pVGZuCfFJ', 'raCo1Q9Wj', 'wyGbdq4oq', 'Y7O84LPik', 'lK6JgIpMboRXfCqDvw', 'IsY6KeOSoxKPUdqrk4', 'zqpRlWC3C', 'UxOsSXNdj'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, QbHdNKqxbkGkrecOev.csHigh entropy of concatenated method names: 'tPURY8AlVg', 'Q04RXhxLsb', 'T92RnkNuRA', 'ynnRx1R7nk', 'Hi7R2QoFwI', 'YGwRa0FL7l', 'yRhR1cNBXI', 'RrtRVq1nxm', 'RJwRSEgp7E', 'FSoRgynnLL'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, uAN4lGHduACvYLIf1A.csHigh entropy of concatenated method names: 'BIUjq2HKfW', 'TGUjMcKjTQ', 'VacRWW1K5o', 'Xb2R4XdqoP', 'soSjD0QldI', 'QxBjGxftVT', 'VdJj9CA0Nq', 'gtsjdqWfBG', 'jUAjpeT0iB', 'hguj5DC3pA'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, R8VZhIzTf41kQxEkhy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AMuvrQRqqt', 'uWOvPJftXW', 'nVNvLbmsTA', 'uluvjtnkct', 'xwNvR7gt1l', 'ysOvvEPG7R', 'PJwvsf43Z6'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, udjcIv0ZJTDs7tAotk.csHigh entropy of concatenated method names: 'AlR2QBFtnA', 'jTa2iv6MoE', 'QXy2k71nNK', 'hc72Tw3L5C', 'AHl2Z9sGRX', 'r5T2ogH7aq', 'U0s2bQdGyy', 'FaE28HaG2V', 'pkK8Qpx3JRJY4dPtHBV', 'V110otxcbsu73kW0lIN'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, CQlmh8tyhe0P1mxveN.csHigh entropy of concatenated method names: 'leD4a6gQHw', 'tUI41kW5Mi', 'UZo4SGdc3O', 'MGW4gJyZtH', 'IXR4POP3sV', 'O7p4LGcJlb', 'VaxxroHD6Mfk3HdKFa', 'GWxdQVow58qY81kZB1', 'RGu449Gtap', 'k0u4ecE4QN'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, FiU0TP4eTmYM2TDeF7T.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tcnsdZCPm6', 'ko7spSSK4N', 'Vq0s5WgaFV', 'sdUsyOsZtD', 'hBAs3Rlr8B', 'RtqsHNnpmU', 'edPsE3QaYe'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, UsVD7pFGcJlbMYMWlC.csHigh entropy of concatenated method names: 'FdS2l25BU4', 'JRw2XlFnV0', 'ERt2xeFZHv', 'nX22amB96b', 'tWa21FmSpi', 'Ridx3u3b8c', 's8QxHC91Mh', 'IbXxEU13nP', 'cpQxqYKPIa', 'OcHxJuJIyb'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, yFYUTH9dQCSihIrfN8.csHigh entropy of concatenated method names: 'YwSrNVtAdC', 'BGxrbdZu93', 'qdgrF8tAjb', 'mJIrcPp3aa', 'sKTr0MDwym', 'QMNrmDEICw', 'wWqrw3QVJ6', 'pcdrfOecUT', 'btNrOd5e0j', 'KxFrDkmbrY'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, I2ndhq4W97PQL4Zt1A3.csHigh entropy of concatenated method names: 'FYwviwHB8i', 'Mh8vA8aIZU', 'LHvvkUuerj', 'pf6vTmeTka', 'rXOvCGhtyu', 'hOjvZpO7KE', 'CJJvoWSwtS', 'oGSvN3yQiW', 'OjOvbPJYmJ', 'Yn6v8kmGNs'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, TNwhmrJA7QUJEq8IpZ.csHigh entropy of concatenated method names: 'uDGRFMWkjP', 'Rd2RcLcfdX', 'QXlRuNkdAl', 'QYJR0RH88G', 'pOXRdQVa25', 'BctRmR8X7O', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, fen0wCMSaQ3bSmWfmi.csHigh entropy of concatenated method names: 'oQLv4YAehA', 'LUVveqfn38', 'joyvtDYoXP', 'j6KvYOhL3R', 'gX6vXtJUH6', 'F1SvxtQHIe', 'ATDv2IWj92', 'o6RREiLioC', 'hLpRqX5Ode', 'XqcRJddLU7'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, TZtHoF8fslOLl0XROP.csHigh entropy of concatenated method names: 'yblxC9POl0', 'PKXxooB5L9', 'cJ2nuyAGrI', 'X52n0wFwJC', 'PIynmBwXvt', 'krwn6MAdRs', 'rh8nw2xd9b', 'DVenf7Z6oW', 'Ts7nBtHHNE', 'bJEnOrGGbw'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, O6gQHwN7UIkW5MiRmW.csHigh entropy of concatenated method names: 'gOFXd3lGW0', 'aYNXptvlMo', 'npYX5tJ0eY', 'VneXy32l5T', 'mlQX3LQDak', 'M8yXHOd8BB', 's6hXEGyOpG', 'XbRXqsyK95', 'LeGXJgdeaa', 'AdJXM0GQdw'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, X64Lfi1jtVl3jyEt1i.csHigh entropy of concatenated method names: 'gtJelSBVwC', 'iUOeYbaPPm', 'Vd8eX83icW', 'xe0enfv5Tg', 'iwhexnxAUo', 'aFWe2twW6h', 'mXEearZTiv', 'yW0e1q5q0o', 'VkTeVO6ije', 'te4eS2pBrB'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, Pk5KK3bZoGdc3OfGWJ.csHigh entropy of concatenated method names: 'E1CnT4R3Lb', 'ds8nZcJyLU', 'iaCnNuHfW8', 'JcHnbyrf1r', 'gDenPj2DwS', 'iE9nLmC8id', 'ioXnjJZ9to', 'jwunRltyMT', 'nsgnvE8W2G', 'CLdnsIUVVr'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, rkjV03XSm4YnJI5K1S.csHigh entropy of concatenated method names: 'Dispose', 'bGY4JmC5rt', 'WFoKcZQ5oM', 'UPcVVpljWh', 'G9b4MHdNKx', 'EkG4zkrecO', 'ProcessDialogKey', 'cvyKWNwhmr', 'y7QK4UJEq8', 'upZKKXen0w'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, bNq9YewEONQ0p6tZpQ.csHigh entropy of concatenated method names: 'bsiaYUnFLJ', 'Fn1anqe7O5', 'NSKa2tvdgn', 'VhQ2MZ1OMS', 'zVC2z8UFKY', 'xmDaWfXjXs', 'M4na4yafAM', 'fPjaKXXS6r', 'pZ4aeMW6O7', 'eMIatxG3v7'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.3b26650.2.raw.unpack, XK7PdiBrxU3m1lOQsS.csHigh entropy of concatenated method names: 'NVBaiF2lyn', 'qJRaAxtiI4', 'Ry3akcScvE', 'dcUaTqgDBb', 'd74aCMNJkM', 'w3caZb4AHa', 'kEmaoDOCFw', 'uqBaNf5o0w', 'sXWabd7ssS', 'w7Ra8OqrUR'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.51b0000.4.raw.unpack, hrlPDhZiofKOntEGsn.csHigh entropy of concatenated method names: 'HW1ErlPDh', 'sofPKOntE', 'SsnflUJon', 'aMB144uHG', 'b2TDraJQL', 'DooTW4SZv', 'e6wSRoREk', 'eiIOxF2Ts', 'n4FpBtydB', 'kDGIyt7hv'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, KmMxWwdtUcVDYnuVm6.csHigh entropy of concatenated method names: 'Va5POCurro', 'qXcPGTlL6R', 'AKVPdZs0YC', 'krCPpR15EF', 'h7ZPc3JhCZ', 'SSqPu6uBnA', 'G9qP0uU0Nk', 'LRUPm9VNFY', 'fmEP6yjMOP', 'pFLPwEb3h6'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, vHJJC5K2tkViAevmvn.csHigh entropy of concatenated method names: 'vF7kUDD5S', 'uPBTWIxTy', 'pVGZuCfFJ', 'raCo1Q9Wj', 'wyGbdq4oq', 'Y7O84LPik', 'lK6JgIpMboRXfCqDvw', 'IsY6KeOSoxKPUdqrk4', 'zqpRlWC3C', 'UxOsSXNdj'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, QbHdNKqxbkGkrecOev.csHigh entropy of concatenated method names: 'tPURY8AlVg', 'Q04RXhxLsb', 'T92RnkNuRA', 'ynnRx1R7nk', 'Hi7R2QoFwI', 'YGwRa0FL7l', 'yRhR1cNBXI', 'RrtRVq1nxm', 'RJwRSEgp7E', 'FSoRgynnLL'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, uAN4lGHduACvYLIf1A.csHigh entropy of concatenated method names: 'BIUjq2HKfW', 'TGUjMcKjTQ', 'VacRWW1K5o', 'Xb2R4XdqoP', 'soSjD0QldI', 'QxBjGxftVT', 'VdJj9CA0Nq', 'gtsjdqWfBG', 'jUAjpeT0iB', 'hguj5DC3pA'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, R8VZhIzTf41kQxEkhy.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'AMuvrQRqqt', 'uWOvPJftXW', 'nVNvLbmsTA', 'uluvjtnkct', 'xwNvR7gt1l', 'ysOvvEPG7R', 'PJwvsf43Z6'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, udjcIv0ZJTDs7tAotk.csHigh entropy of concatenated method names: 'AlR2QBFtnA', 'jTa2iv6MoE', 'QXy2k71nNK', 'hc72Tw3L5C', 'AHl2Z9sGRX', 'r5T2ogH7aq', 'U0s2bQdGyy', 'FaE28HaG2V', 'pkK8Qpx3JRJY4dPtHBV', 'V110otxcbsu73kW0lIN'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, CQlmh8tyhe0P1mxveN.csHigh entropy of concatenated method names: 'leD4a6gQHw', 'tUI41kW5Mi', 'UZo4SGdc3O', 'MGW4gJyZtH', 'IXR4POP3sV', 'O7p4LGcJlb', 'VaxxroHD6Mfk3HdKFa', 'GWxdQVow58qY81kZB1', 'RGu449Gtap', 'k0u4ecE4QN'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, FiU0TP4eTmYM2TDeF7T.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tcnsdZCPm6', 'ko7spSSK4N', 'Vq0s5WgaFV', 'sdUsyOsZtD', 'hBAs3Rlr8B', 'RtqsHNnpmU', 'edPsE3QaYe'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, UsVD7pFGcJlbMYMWlC.csHigh entropy of concatenated method names: 'FdS2l25BU4', 'JRw2XlFnV0', 'ERt2xeFZHv', 'nX22amB96b', 'tWa21FmSpi', 'Ridx3u3b8c', 's8QxHC91Mh', 'IbXxEU13nP', 'cpQxqYKPIa', 'OcHxJuJIyb'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, yFYUTH9dQCSihIrfN8.csHigh entropy of concatenated method names: 'YwSrNVtAdC', 'BGxrbdZu93', 'qdgrF8tAjb', 'mJIrcPp3aa', 'sKTr0MDwym', 'QMNrmDEICw', 'wWqrw3QVJ6', 'pcdrfOecUT', 'btNrOd5e0j', 'KxFrDkmbrY'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, I2ndhq4W97PQL4Zt1A3.csHigh entropy of concatenated method names: 'FYwviwHB8i', 'Mh8vA8aIZU', 'LHvvkUuerj', 'pf6vTmeTka', 'rXOvCGhtyu', 'hOjvZpO7KE', 'CJJvoWSwtS', 'oGSvN3yQiW', 'OjOvbPJYmJ', 'Yn6v8kmGNs'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, TNwhmrJA7QUJEq8IpZ.csHigh entropy of concatenated method names: 'uDGRFMWkjP', 'Rd2RcLcfdX', 'QXlRuNkdAl', 'QYJR0RH88G', 'pOXRdQVa25', 'BctRmR8X7O', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, fen0wCMSaQ3bSmWfmi.csHigh entropy of concatenated method names: 'oQLv4YAehA', 'LUVveqfn38', 'joyvtDYoXP', 'j6KvYOhL3R', 'gX6vXtJUH6', 'F1SvxtQHIe', 'ATDv2IWj92', 'o6RREiLioC', 'hLpRqX5Ode', 'XqcRJddLU7'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, TZtHoF8fslOLl0XROP.csHigh entropy of concatenated method names: 'yblxC9POl0', 'PKXxooB5L9', 'cJ2nuyAGrI', 'X52n0wFwJC', 'PIynmBwXvt', 'krwn6MAdRs', 'rh8nw2xd9b', 'DVenf7Z6oW', 'Ts7nBtHHNE', 'bJEnOrGGbw'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, O6gQHwN7UIkW5MiRmW.csHigh entropy of concatenated method names: 'gOFXd3lGW0', 'aYNXptvlMo', 'npYX5tJ0eY', 'VneXy32l5T', 'mlQX3LQDak', 'M8yXHOd8BB', 's6hXEGyOpG', 'XbRXqsyK95', 'LeGXJgdeaa', 'AdJXM0GQdw'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, X64Lfi1jtVl3jyEt1i.csHigh entropy of concatenated method names: 'gtJelSBVwC', 'iUOeYbaPPm', 'Vd8eX83icW', 'xe0enfv5Tg', 'iwhexnxAUo', 'aFWe2twW6h', 'mXEearZTiv', 'yW0e1q5q0o', 'VkTeVO6ije', 'te4eS2pBrB'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, Pk5KK3bZoGdc3OfGWJ.csHigh entropy of concatenated method names: 'E1CnT4R3Lb', 'ds8nZcJyLU', 'iaCnNuHfW8', 'JcHnbyrf1r', 'gDenPj2DwS', 'iE9nLmC8id', 'ioXnjJZ9to', 'jwunRltyMT', 'nsgnvE8W2G', 'CLdnsIUVVr'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, rkjV03XSm4YnJI5K1S.csHigh entropy of concatenated method names: 'Dispose', 'bGY4JmC5rt', 'WFoKcZQ5oM', 'UPcVVpljWh', 'G9b4MHdNKx', 'EkG4zkrecO', 'ProcessDialogKey', 'cvyKWNwhmr', 'y7QK4UJEq8', 'upZKKXen0w'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, bNq9YewEONQ0p6tZpQ.csHigh entropy of concatenated method names: 'bsiaYUnFLJ', 'Fn1anqe7O5', 'NSKa2tvdgn', 'VhQ2MZ1OMS', 'zVC2z8UFKY', 'xmDaWfXjXs', 'M4na4yafAM', 'fPjaKXXS6r', 'pZ4aeMW6O7', 'eMIatxG3v7'
            Source: 0.2.Cotizaci#U00f3n#12643283.exe.6a90000.6.raw.unpack, XK7PdiBrxU3m1lOQsS.csHigh entropy of concatenated method names: 'NVBaiF2lyn', 'qJRaAxtiI4', 'Ry3akcScvE', 'dcUaTqgDBb', 'd74aCMNJkM', 'w3caZb4AHa', 'kEmaoDOCFw', 'uqBaNf5o0w', 'sXWabd7ssS', 'w7Ra8OqrUR'
            Source: 8.2.SoEOsZIV.exe.3167c08.0.raw.unpack, hrlPDhZiofKOntEGsn.csHigh entropy of concatenated method names: 'HW1ErlPDh', 'sofPKOntE', 'SsnflUJon', 'aMB144uHG', 'b2TDraJQL', 'DooTW4SZv', 'e6wSRoREk', 'eiIOxF2Ts', 'n4FpBtydB', 'kDGIyt7hv'
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeFile created: C:\Users\user\AppData\Roaming\SoEOsZIV.exeJump to dropped file

            Boot Survival

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp"

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: Process Memory Space: Cotizaci#U00f3n#12643283.exe PID: 2968, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SoEOsZIV.exe PID: 4788, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeMemory allocated: C20000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeMemory allocated: 2750000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeMemory allocated: 4750000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeMemory allocated: 7270000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeMemory allocated: 8270000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeMemory allocated: 8410000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeMemory allocated: 9410000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeMemory allocated: 1900000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeMemory allocated: 3130000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeMemory allocated: 5230000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeMemory allocated: 79B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeMemory allocated: 89B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeMemory allocated: 8B40000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeMemory allocated: 9B40000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA096E rdtsc 7_2_06FA096E
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6126Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1716Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeAPI coverage: 0.6 %
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe TID: 4996Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1032Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5764Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 2736Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exe TID: 6992Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA096E rdtsc 7_2_06FA096E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00417D63 LdrLoadDll,7_2_00417D63
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004469B8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_004469B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004489BB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,7_2_004489BB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE6F2 mov eax, dword ptr fs:[00000030h]7_2_06FDE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE6F2 mov eax, dword ptr fs:[00000030h]7_2_06FDE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE6F2 mov eax, dword ptr fs:[00000030h]7_2_06FDE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE6F2 mov eax, dword ptr fs:[00000030h]7_2_06FDE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE06F1 mov eax, dword ptr fs:[00000030h]7_2_06FE06F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE06F1 mov eax, dword ptr fs:[00000030h]7_2_06FE06F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A6C7 mov ebx, dword ptr fs:[00000030h]7_2_06F9A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A6C7 mov eax, dword ptr fs:[00000030h]7_2_06F9A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F966B0 mov eax, dword ptr fs:[00000030h]7_2_06F966B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9C6A6 mov eax, dword ptr fs:[00000030h]7_2_06F9C6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F64690 mov eax, dword ptr fs:[00000030h]7_2_06F64690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F64690 mov eax, dword ptr fs:[00000030h]7_2_06F64690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92674 mov eax, dword ptr fs:[00000030h]7_2_06F92674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700678E mov eax, dword ptr fs:[00000030h]7_2_0700678E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A660 mov eax, dword ptr fs:[00000030h]7_2_06F9A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A660 mov eax, dword ptr fs:[00000030h]7_2_06F9A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070147A0 mov eax, dword ptr fs:[00000030h]7_2_070147A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7C640 mov eax, dword ptr fs:[00000030h]7_2_06F7C640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E627 mov eax, dword ptr fs:[00000030h]7_2_06F7E627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F96620 mov eax, dword ptr fs:[00000030h]7_2_06F96620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F98620 mov eax, dword ptr fs:[00000030h]7_2_06F98620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6262C mov eax, dword ptr fs:[00000030h]7_2_06F6262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2619 mov eax, dword ptr fs:[00000030h]7_2_06FA2619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE609 mov eax, dword ptr fs:[00000030h]7_2_06FDE609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7260B mov eax, dword ptr fs:[00000030h]7_2_06F7260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7260B mov eax, dword ptr fs:[00000030h]7_2_06F7260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7260B mov eax, dword ptr fs:[00000030h]7_2_06F7260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7260B mov eax, dword ptr fs:[00000030h]7_2_06F7260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7260B mov eax, dword ptr fs:[00000030h]7_2_06F7260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7260B mov eax, dword ptr fs:[00000030h]7_2_06F7260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7260B mov eax, dword ptr fs:[00000030h]7_2_06F7260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F647FB mov eax, dword ptr fs:[00000030h]7_2_06F647FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F647FB mov eax, dword ptr fs:[00000030h]7_2_06F647FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F827ED mov eax, dword ptr fs:[00000030h]7_2_06F827ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F827ED mov eax, dword ptr fs:[00000030h]7_2_06F827ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F827ED mov eax, dword ptr fs:[00000030h]7_2_06F827ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FEE7E1 mov eax, dword ptr fs:[00000030h]7_2_06FEE7E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6C7C0 mov eax, dword ptr fs:[00000030h]7_2_06F6C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE07C3 mov eax, dword ptr fs:[00000030h]7_2_06FE07C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F607AF mov eax, dword ptr fs:[00000030h]7_2_06F607AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702866E mov eax, dword ptr fs:[00000030h]7_2_0702866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702866E mov eax, dword ptr fs:[00000030h]7_2_0702866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F68770 mov eax, dword ptr fs:[00000030h]7_2_06F68770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70770 mov eax, dword ptr fs:[00000030h]7_2_06F70770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FEE75D mov eax, dword ptr fs:[00000030h]7_2_06FEE75D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F60750 mov eax, dword ptr fs:[00000030h]7_2_06F60750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2750 mov eax, dword ptr fs:[00000030h]7_2_06FA2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA2750 mov eax, dword ptr fs:[00000030h]7_2_06FA2750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4755 mov eax, dword ptr fs:[00000030h]7_2_06FE4755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9674D mov esi, dword ptr fs:[00000030h]7_2_06F9674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9674D mov eax, dword ptr fs:[00000030h]7_2_06F9674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9674D mov eax, dword ptr fs:[00000030h]7_2_06F9674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9273C mov eax, dword ptr fs:[00000030h]7_2_06F9273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9273C mov ecx, dword ptr fs:[00000030h]7_2_06F9273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9273C mov eax, dword ptr fs:[00000030h]7_2_06F9273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDC730 mov eax, dword ptr fs:[00000030h]7_2_06FDC730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9C720 mov eax, dword ptr fs:[00000030h]7_2_06F9C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9C720 mov eax, dword ptr fs:[00000030h]7_2_06F9C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F60710 mov eax, dword ptr fs:[00000030h]7_2_06F60710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F90710 mov eax, dword ptr fs:[00000030h]7_2_06F90710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9C700 mov eax, dword ptr fs:[00000030h]7_2_06F9C700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034500 mov eax, dword ptr fs:[00000030h]7_2_07034500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034500 mov eax, dword ptr fs:[00000030h]7_2_07034500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034500 mov eax, dword ptr fs:[00000030h]7_2_07034500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034500 mov eax, dword ptr fs:[00000030h]7_2_07034500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034500 mov eax, dword ptr fs:[00000030h]7_2_07034500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034500 mov eax, dword ptr fs:[00000030h]7_2_07034500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034500 mov eax, dword ptr fs:[00000030h]7_2_07034500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F604E5 mov ecx, dword ptr fs:[00000030h]7_2_06F604E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F944B0 mov ecx, dword ptr fs:[00000030h]7_2_06F944B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FEA4B0 mov eax, dword ptr fs:[00000030h]7_2_06FEA4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F664AB mov eax, dword ptr fs:[00000030h]7_2_06F664AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8A470 mov eax, dword ptr fs:[00000030h]7_2_06F8A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8A470 mov eax, dword ptr fs:[00000030h]7_2_06F8A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8A470 mov eax, dword ptr fs:[00000030h]7_2_06F8A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FEC460 mov ecx, dword ptr fs:[00000030h]7_2_06FEC460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8245A mov eax, dword ptr fs:[00000030h]7_2_06F8245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5645D mov eax, dword ptr fs:[00000030h]7_2_06F5645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E443 mov eax, dword ptr fs:[00000030h]7_2_06F9E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E443 mov eax, dword ptr fs:[00000030h]7_2_06F9E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E443 mov eax, dword ptr fs:[00000030h]7_2_06F9E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E443 mov eax, dword ptr fs:[00000030h]7_2_06F9E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E443 mov eax, dword ptr fs:[00000030h]7_2_06F9E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E443 mov eax, dword ptr fs:[00000030h]7_2_06F9E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E443 mov eax, dword ptr fs:[00000030h]7_2_06F9E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E443 mov eax, dword ptr fs:[00000030h]7_2_06F9E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A430 mov eax, dword ptr fs:[00000030h]7_2_06F9A430
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5C427 mov eax, dword ptr fs:[00000030h]7_2_06F5C427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5E420 mov eax, dword ptr fs:[00000030h]7_2_06F5E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5E420 mov eax, dword ptr fs:[00000030h]7_2_06F5E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5E420 mov eax, dword ptr fs:[00000030h]7_2_06F5E420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE6420 mov eax, dword ptr fs:[00000030h]7_2_06FE6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE6420 mov eax, dword ptr fs:[00000030h]7_2_06FE6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE6420 mov eax, dword ptr fs:[00000030h]7_2_06FE6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE6420 mov eax, dword ptr fs:[00000030h]7_2_06FE6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE6420 mov eax, dword ptr fs:[00000030h]7_2_06FE6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE6420 mov eax, dword ptr fs:[00000030h]7_2_06FE6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE6420 mov eax, dword ptr fs:[00000030h]7_2_06FE6420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F98402 mov eax, dword ptr fs:[00000030h]7_2_06F98402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F98402 mov eax, dword ptr fs:[00000030h]7_2_06F98402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F98402 mov eax, dword ptr fs:[00000030h]7_2_06F98402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9C5ED mov eax, dword ptr fs:[00000030h]7_2_06F9C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9C5ED mov eax, dword ptr fs:[00000030h]7_2_06F9C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F625E0 mov eax, dword ptr fs:[00000030h]7_2_06F625E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E5E7 mov eax, dword ptr fs:[00000030h]7_2_06F8E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E5E7 mov eax, dword ptr fs:[00000030h]7_2_06F8E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E5E7 mov eax, dword ptr fs:[00000030h]7_2_06F8E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E5E7 mov eax, dword ptr fs:[00000030h]7_2_06F8E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E5E7 mov eax, dword ptr fs:[00000030h]7_2_06F8E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E5E7 mov eax, dword ptr fs:[00000030h]7_2_06F8E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E5E7 mov eax, dword ptr fs:[00000030h]7_2_06F8E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E5E7 mov eax, dword ptr fs:[00000030h]7_2_06F8E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F665D0 mov eax, dword ptr fs:[00000030h]7_2_06F665D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A5D0 mov eax, dword ptr fs:[00000030h]7_2_06F9A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A5D0 mov eax, dword ptr fs:[00000030h]7_2_06F9A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E5CF mov eax, dword ptr fs:[00000030h]7_2_06F9E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E5CF mov eax, dword ptr fs:[00000030h]7_2_06F9E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F845B1 mov eax, dword ptr fs:[00000030h]7_2_06F845B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F845B1 mov eax, dword ptr fs:[00000030h]7_2_06F845B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701A456 mov eax, dword ptr fs:[00000030h]7_2_0701A456
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE05A7 mov eax, dword ptr fs:[00000030h]7_2_06FE05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE05A7 mov eax, dword ptr fs:[00000030h]7_2_06FE05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE05A7 mov eax, dword ptr fs:[00000030h]7_2_06FE05A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E59C mov eax, dword ptr fs:[00000030h]7_2_06F9E59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F94588 mov eax, dword ptr fs:[00000030h]7_2_06F94588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62582 mov eax, dword ptr fs:[00000030h]7_2_06F62582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62582 mov ecx, dword ptr fs:[00000030h]7_2_06F62582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9656A mov eax, dword ptr fs:[00000030h]7_2_06F9656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9656A mov eax, dword ptr fs:[00000030h]7_2_06F9656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9656A mov eax, dword ptr fs:[00000030h]7_2_06F9656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701A49A mov eax, dword ptr fs:[00000030h]7_2_0701A49A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F68550 mov eax, dword ptr fs:[00000030h]7_2_06F68550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F68550 mov eax, dword ptr fs:[00000030h]7_2_06F68550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70535 mov eax, dword ptr fs:[00000030h]7_2_06F70535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70535 mov eax, dword ptr fs:[00000030h]7_2_06F70535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70535 mov eax, dword ptr fs:[00000030h]7_2_06F70535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70535 mov eax, dword ptr fs:[00000030h]7_2_06F70535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70535 mov eax, dword ptr fs:[00000030h]7_2_06F70535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70535 mov eax, dword ptr fs:[00000030h]7_2_06F70535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E53E mov eax, dword ptr fs:[00000030h]7_2_06F8E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E53E mov eax, dword ptr fs:[00000030h]7_2_06F8E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E53E mov eax, dword ptr fs:[00000030h]7_2_06F8E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E53E mov eax, dword ptr fs:[00000030h]7_2_06F8E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8E53E mov eax, dword ptr fs:[00000030h]7_2_06F8E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF6500 mov eax, dword ptr fs:[00000030h]7_2_06FF6500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F702E1 mov eax, dword ptr fs:[00000030h]7_2_06F702E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F702E1 mov eax, dword ptr fs:[00000030h]7_2_06F702E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F702E1 mov eax, dword ptr fs:[00000030h]7_2_06F702E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07038324 mov eax, dword ptr fs:[00000030h]7_2_07038324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07038324 mov ecx, dword ptr fs:[00000030h]7_2_07038324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07038324 mov eax, dword ptr fs:[00000030h]7_2_07038324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07038324 mov eax, dword ptr fs:[00000030h]7_2_07038324
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A2C3 mov eax, dword ptr fs:[00000030h]7_2_06F6A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A2C3 mov eax, dword ptr fs:[00000030h]7_2_06F6A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A2C3 mov eax, dword ptr fs:[00000030h]7_2_06F6A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A2C3 mov eax, dword ptr fs:[00000030h]7_2_06F6A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A2C3 mov eax, dword ptr fs:[00000030h]7_2_06F6A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0703634F mov eax, dword ptr fs:[00000030h]7_2_0703634F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0702A352 mov eax, dword ptr fs:[00000030h]7_2_0702A352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07008350 mov ecx, dword ptr fs:[00000030h]7_2_07008350
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF62A0 mov eax, dword ptr fs:[00000030h]7_2_06FF62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF62A0 mov ecx, dword ptr fs:[00000030h]7_2_06FF62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF62A0 mov eax, dword ptr fs:[00000030h]7_2_06FF62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF62A0 mov eax, dword ptr fs:[00000030h]7_2_06FF62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF62A0 mov eax, dword ptr fs:[00000030h]7_2_06FF62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF62A0 mov eax, dword ptr fs:[00000030h]7_2_06FF62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700437C mov eax, dword ptr fs:[00000030h]7_2_0700437C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE0283 mov eax, dword ptr fs:[00000030h]7_2_06FE0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE0283 mov eax, dword ptr fs:[00000030h]7_2_06FE0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE0283 mov eax, dword ptr fs:[00000030h]7_2_06FE0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E284 mov eax, dword ptr fs:[00000030h]7_2_06F9E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9E284 mov eax, dword ptr fs:[00000030h]7_2_06F9E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F64260 mov eax, dword ptr fs:[00000030h]7_2_06F64260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F64260 mov eax, dword ptr fs:[00000030h]7_2_06F64260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F64260 mov eax, dword ptr fs:[00000030h]7_2_06F64260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5826B mov eax, dword ptr fs:[00000030h]7_2_06F5826B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5A250 mov eax, dword ptr fs:[00000030h]7_2_06F5A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66259 mov eax, dword ptr fs:[00000030h]7_2_06F66259
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE8243 mov eax, dword ptr fs:[00000030h]7_2_06FE8243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE8243 mov ecx, dword ptr fs:[00000030h]7_2_06FE8243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701C3CD mov eax, dword ptr fs:[00000030h]7_2_0701C3CD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5823B mov eax, dword ptr fs:[00000030h]7_2_06F5823B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070043D4 mov eax, dword ptr fs:[00000030h]7_2_070043D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070043D4 mov eax, dword ptr fs:[00000030h]7_2_070043D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E3DB mov eax, dword ptr fs:[00000030h]7_2_0700E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E3DB mov eax, dword ptr fs:[00000030h]7_2_0700E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E3DB mov ecx, dword ptr fs:[00000030h]7_2_0700E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E3DB mov eax, dword ptr fs:[00000030h]7_2_0700E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F963FF mov eax, dword ptr fs:[00000030h]7_2_06F963FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E3F0 mov eax, dword ptr fs:[00000030h]7_2_06F7E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E3F0 mov eax, dword ptr fs:[00000030h]7_2_06F7E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E3F0 mov eax, dword ptr fs:[00000030h]7_2_06F7E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F703E9 mov eax, dword ptr fs:[00000030h]7_2_06F703E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F703E9 mov eax, dword ptr fs:[00000030h]7_2_06F703E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F703E9 mov eax, dword ptr fs:[00000030h]7_2_06F703E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F703E9 mov eax, dword ptr fs:[00000030h]7_2_06F703E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F703E9 mov eax, dword ptr fs:[00000030h]7_2_06F703E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F703E9 mov eax, dword ptr fs:[00000030h]7_2_06F703E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F703E9 mov eax, dword ptr fs:[00000030h]7_2_06F703E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F703E9 mov eax, dword ptr fs:[00000030h]7_2_06F703E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F683C0 mov eax, dword ptr fs:[00000030h]7_2_06F683C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F683C0 mov eax, dword ptr fs:[00000030h]7_2_06F683C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F683C0 mov eax, dword ptr fs:[00000030h]7_2_06F683C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F683C0 mov eax, dword ptr fs:[00000030h]7_2_06F683C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A3C0 mov eax, dword ptr fs:[00000030h]7_2_06F6A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A3C0 mov eax, dword ptr fs:[00000030h]7_2_06F6A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A3C0 mov eax, dword ptr fs:[00000030h]7_2_06F6A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A3C0 mov eax, dword ptr fs:[00000030h]7_2_06F6A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A3C0 mov eax, dword ptr fs:[00000030h]7_2_06F6A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6A3C0 mov eax, dword ptr fs:[00000030h]7_2_06F6A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE63C0 mov eax, dword ptr fs:[00000030h]7_2_06FE63C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701A250 mov eax, dword ptr fs:[00000030h]7_2_0701A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701A250 mov eax, dword ptr fs:[00000030h]7_2_0701A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0703625D mov eax, dword ptr fs:[00000030h]7_2_0703625D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F58397 mov eax, dword ptr fs:[00000030h]7_2_06F58397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F58397 mov eax, dword ptr fs:[00000030h]7_2_06F58397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F58397 mov eax, dword ptr fs:[00000030h]7_2_06F58397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07010274 mov eax, dword ptr fs:[00000030h]7_2_07010274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8438F mov eax, dword ptr fs:[00000030h]7_2_06F8438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8438F mov eax, dword ptr fs:[00000030h]7_2_06F8438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5E388 mov eax, dword ptr fs:[00000030h]7_2_06F5E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5E388 mov eax, dword ptr fs:[00000030h]7_2_06F5E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5E388 mov eax, dword ptr fs:[00000030h]7_2_06F5E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE035C mov eax, dword ptr fs:[00000030h]7_2_06FE035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE035C mov eax, dword ptr fs:[00000030h]7_2_06FE035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE035C mov eax, dword ptr fs:[00000030h]7_2_06FE035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE035C mov ecx, dword ptr fs:[00000030h]7_2_06FE035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE035C mov eax, dword ptr fs:[00000030h]7_2_06FE035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE035C mov eax, dword ptr fs:[00000030h]7_2_06FE035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE2349 mov eax, dword ptr fs:[00000030h]7_2_06FE2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070362D6 mov eax, dword ptr fs:[00000030h]7_2_070362D6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5C310 mov ecx, dword ptr fs:[00000030h]7_2_06F5C310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F80310 mov ecx, dword ptr fs:[00000030h]7_2_06F80310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A30B mov eax, dword ptr fs:[00000030h]7_2_06F9A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A30B mov eax, dword ptr fs:[00000030h]7_2_06F9A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9A30B mov eax, dword ptr fs:[00000030h]7_2_06F9A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5C0F0 mov eax, dword ptr fs:[00000030h]7_2_06F5C0F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA20F0 mov ecx, dword ptr fs:[00000030h]7_2_06FA20F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov eax, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov ecx, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov eax, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov eax, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov ecx, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov eax, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov eax, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov ecx, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov eax, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700E10E mov ecx, dword ptr fs:[00000030h]7_2_0700E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5A0E3 mov ecx, dword ptr fs:[00000030h]7_2_06F5A0E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07020115 mov eax, dword ptr fs:[00000030h]7_2_07020115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700A118 mov ecx, dword ptr fs:[00000030h]7_2_0700A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700A118 mov eax, dword ptr fs:[00000030h]7_2_0700A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700A118 mov eax, dword ptr fs:[00000030h]7_2_0700A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0700A118 mov eax, dword ptr fs:[00000030h]7_2_0700A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE60E0 mov eax, dword ptr fs:[00000030h]7_2_06FE60E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F680E9 mov eax, dword ptr fs:[00000030h]7_2_06F680E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE20DE mov eax, dword ptr fs:[00000030h]7_2_06FE20DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F580A0 mov eax, dword ptr fs:[00000030h]7_2_06F580A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF80A8 mov eax, dword ptr fs:[00000030h]7_2_06FF80A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034164 mov eax, dword ptr fs:[00000030h]7_2_07034164
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034164 mov eax, dword ptr fs:[00000030h]7_2_07034164
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6208A mov eax, dword ptr fs:[00000030h]7_2_06F6208A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004180 mov eax, dword ptr fs:[00000030h]7_2_07004180
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004180 mov eax, dword ptr fs:[00000030h]7_2_07004180
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701C188 mov eax, dword ptr fs:[00000030h]7_2_0701C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0701C188 mov eax, dword ptr fs:[00000030h]7_2_0701C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8C073 mov eax, dword ptr fs:[00000030h]7_2_06F8C073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62050 mov eax, dword ptr fs:[00000030h]7_2_06F62050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE6050 mov eax, dword ptr fs:[00000030h]7_2_06FE6050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070261C3 mov eax, dword ptr fs:[00000030h]7_2_070261C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070261C3 mov eax, dword ptr fs:[00000030h]7_2_070261C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF6030 mov eax, dword ptr fs:[00000030h]7_2_06FF6030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5A020 mov eax, dword ptr fs:[00000030h]7_2_06F5A020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5C020 mov eax, dword ptr fs:[00000030h]7_2_06F5C020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E016 mov eax, dword ptr fs:[00000030h]7_2_06F7E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E016 mov eax, dword ptr fs:[00000030h]7_2_06F7E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E016 mov eax, dword ptr fs:[00000030h]7_2_06F7E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7E016 mov eax, dword ptr fs:[00000030h]7_2_06F7E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070361E5 mov eax, dword ptr fs:[00000030h]7_2_070361E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4000 mov ecx, dword ptr fs:[00000030h]7_2_06FE4000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002000 mov eax, dword ptr fs:[00000030h]7_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002000 mov eax, dword ptr fs:[00000030h]7_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002000 mov eax, dword ptr fs:[00000030h]7_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002000 mov eax, dword ptr fs:[00000030h]7_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002000 mov eax, dword ptr fs:[00000030h]7_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002000 mov eax, dword ptr fs:[00000030h]7_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002000 mov eax, dword ptr fs:[00000030h]7_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002000 mov eax, dword ptr fs:[00000030h]7_2_07002000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F901F8 mov eax, dword ptr fs:[00000030h]7_2_06F901F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE1D0 mov eax, dword ptr fs:[00000030h]7_2_06FDE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE1D0 mov eax, dword ptr fs:[00000030h]7_2_06FDE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE1D0 mov ecx, dword ptr fs:[00000030h]7_2_06FDE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE1D0 mov eax, dword ptr fs:[00000030h]7_2_06FDE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDE1D0 mov eax, dword ptr fs:[00000030h]7_2_06FDE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE019F mov eax, dword ptr fs:[00000030h]7_2_06FE019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE019F mov eax, dword ptr fs:[00000030h]7_2_06FE019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE019F mov eax, dword ptr fs:[00000030h]7_2_06FE019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE019F mov eax, dword ptr fs:[00000030h]7_2_06FE019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5A197 mov eax, dword ptr fs:[00000030h]7_2_06F5A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5A197 mov eax, dword ptr fs:[00000030h]7_2_06F5A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5A197 mov eax, dword ptr fs:[00000030h]7_2_06F5A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA0185 mov eax, dword ptr fs:[00000030h]7_2_06FA0185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66154 mov eax, dword ptr fs:[00000030h]7_2_06F66154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66154 mov eax, dword ptr fs:[00000030h]7_2_06F66154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5C156 mov eax, dword ptr fs:[00000030h]7_2_06F5C156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF8158 mov eax, dword ptr fs:[00000030h]7_2_06FF8158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070260B8 mov eax, dword ptr fs:[00000030h]7_2_070260B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_070260B8 mov ecx, dword ptr fs:[00000030h]7_2_070260B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF4144 mov eax, dword ptr fs:[00000030h]7_2_06FF4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF4144 mov eax, dword ptr fs:[00000030h]7_2_06FF4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF4144 mov ecx, dword ptr fs:[00000030h]7_2_06FF4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF4144 mov eax, dword ptr fs:[00000030h]7_2_06FF4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF4144 mov eax, dword ptr fs:[00000030h]7_2_06FF4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F90124 mov eax, dword ptr fs:[00000030h]7_2_06F90124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07016F00 mov eax, dword ptr fs:[00000030h]7_2_07016F00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F98EF5 mov eax, dword ptr fs:[00000030h]7_2_06F98EF5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66EE0 mov eax, dword ptr fs:[00000030h]7_2_06F66EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66EE0 mov eax, dword ptr fs:[00000030h]7_2_06F66EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66EE0 mov eax, dword ptr fs:[00000030h]7_2_06F66EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66EE0 mov eax, dword ptr fs:[00000030h]7_2_06F66EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004F42 mov eax, dword ptr fs:[00000030h]7_2_07004F42
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FFAEB0 mov eax, dword ptr fs:[00000030h]7_2_06FFAEB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FFAEB0 mov eax, dword ptr fs:[00000030h]7_2_06FFAEB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07000F50 mov eax, dword ptr fs:[00000030h]7_2_07000F50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FECEA0 mov eax, dword ptr fs:[00000030h]7_2_06FECEA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FECEA0 mov eax, dword ptr fs:[00000030h]7_2_06FECEA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FECEA0 mov eax, dword ptr fs:[00000030h]7_2_06FECEA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002F60 mov eax, dword ptr fs:[00000030h]7_2_07002F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07002F60 mov eax, dword ptr fs:[00000030h]7_2_07002F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92E9C mov eax, dword ptr fs:[00000030h]7_2_06F92E9C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92E9C mov ecx, dword ptr fs:[00000030h]7_2_06F92E9C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5AE90 mov eax, dword ptr fs:[00000030h]7_2_06F5AE90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5AE90 mov eax, dword ptr fs:[00000030h]7_2_06F5AE90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5AE90 mov eax, dword ptr fs:[00000030h]7_2_06F5AE90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034F68 mov eax, dword ptr fs:[00000030h]7_2_07034F68
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE0E7F mov eax, dword ptr fs:[00000030h]7_2_06FE0E7F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE0E7F mov eax, dword ptr fs:[00000030h]7_2_06FE0E7F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE0E7F mov eax, dword ptr fs:[00000030h]7_2_06FE0E7F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66E71 mov eax, dword ptr fs:[00000030h]7_2_06F66E71
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5EE5A mov eax, dword ptr fs:[00000030h]7_2_06F5EE5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF6E20 mov eax, dword ptr fs:[00000030h]7_2_06FF6E20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF6E20 mov eax, dword ptr fs:[00000030h]7_2_06FF6E20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF6E20 mov ecx, dword ptr fs:[00000030h]7_2_06FF6E20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034FE7 mov eax, dword ptr fs:[00000030h]7_2_07034FE7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F58E1D mov eax, dword ptr fs:[00000030h]7_2_06F58E1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07016FF7 mov eax, dword ptr fs:[00000030h]7_2_07016FF7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov ecx, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AE00 mov eax, dword ptr fs:[00000030h]7_2_06F8AE00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA0FF6 mov eax, dword ptr fs:[00000030h]7_2_06FA0FF6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA0FF6 mov eax, dword ptr fs:[00000030h]7_2_06FA0FF6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA0FF6 mov eax, dword ptr fs:[00000030h]7_2_06FA0FF6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FA0FF6 mov eax, dword ptr fs:[00000030h]7_2_06FA0FF6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7CFE0 mov eax, dword ptr fs:[00000030h]7_2_06F7CFE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F7CFE0 mov eax, dword ptr fs:[00000030h]7_2_06F7CFE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5EFD8 mov eax, dword ptr fs:[00000030h]7_2_06F5EFD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5EFD8 mov eax, dword ptr fs:[00000030h]7_2_06F5EFD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5EFD8 mov eax, dword ptr fs:[00000030h]7_2_06F5EFD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62FC8 mov eax, dword ptr fs:[00000030h]7_2_06F62FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62FC8 mov eax, dword ptr fs:[00000030h]7_2_06F62FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62FC8 mov eax, dword ptr fs:[00000030h]7_2_06F62FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62FC8 mov eax, dword ptr fs:[00000030h]7_2_06F62FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07032E4F mov eax, dword ptr fs:[00000030h]7_2_07032E4F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07032E4F mov eax, dword ptr fs:[00000030h]7_2_07032E4F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92F98 mov eax, dword ptr fs:[00000030h]7_2_06F92F98
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92F98 mov eax, dword ptr fs:[00000030h]7_2_06F92F98
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9CF80 mov eax, dword ptr fs:[00000030h]7_2_06F9CF80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AF69 mov eax, dword ptr fs:[00000030h]7_2_06F8AF69
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8AF69 mov eax, dword ptr fs:[00000030h]7_2_06F8AF69
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CF50 mov eax, dword ptr fs:[00000030h]7_2_06F5CF50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CF50 mov eax, dword ptr fs:[00000030h]7_2_06F5CF50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CF50 mov eax, dword ptr fs:[00000030h]7_2_06F5CF50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CF50 mov eax, dword ptr fs:[00000030h]7_2_06F5CF50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CF50 mov eax, dword ptr fs:[00000030h]7_2_06F5CF50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CF50 mov eax, dword ptr fs:[00000030h]7_2_06F5CF50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9CF50 mov eax, dword ptr fs:[00000030h]7_2_06F9CF50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4F40 mov eax, dword ptr fs:[00000030h]7_2_06FE4F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4F40 mov eax, dword ptr fs:[00000030h]7_2_06FE4F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4F40 mov eax, dword ptr fs:[00000030h]7_2_06FE4F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4F40 mov eax, dword ptr fs:[00000030h]7_2_06FE4F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8EF28 mov eax, dword ptr fs:[00000030h]7_2_06F8EF28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07016ED0 mov ecx, dword ptr fs:[00000030h]7_2_07016ED0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F62F12 mov eax, dword ptr fs:[00000030h]7_2_06F62F12
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9CF1F mov eax, dword ptr fs:[00000030h]7_2_06F9CF1F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92CF0 mov eax, dword ptr fs:[00000030h]7_2_06F92CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92CF0 mov eax, dword ptr fs:[00000030h]7_2_06F92CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92CF0 mov eax, dword ptr fs:[00000030h]7_2_06F92CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F92CF0 mov eax, dword ptr fs:[00000030h]7_2_06F92CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07018D10 mov eax, dword ptr fs:[00000030h]7_2_07018D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07018D10 mov eax, dword ptr fs:[00000030h]7_2_07018D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F58CD0 mov eax, dword ptr fs:[00000030h]7_2_06F58CD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034D30 mov eax, dword ptr fs:[00000030h]7_2_07034D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CCC8 mov eax, dword ptr fs:[00000030h]7_2_06F5CCC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F88CB1 mov eax, dword ptr fs:[00000030h]7_2_06F88CB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F88CB1 mov eax, dword ptr fs:[00000030h]7_2_06F88CB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDCCA0 mov ecx, dword ptr fs:[00000030h]7_2_06FDCCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDCCA0 mov eax, dword ptr fs:[00000030h]7_2_06FDCCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDCCA0 mov eax, dword ptr fs:[00000030h]7_2_06FDCCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FDCCA0 mov eax, dword ptr fs:[00000030h]7_2_06FDCCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F58C8D mov eax, dword ptr fs:[00000030h]7_2_06F58C8D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F94C59 mov eax, dword ptr fs:[00000030h]7_2_06F94C59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6AC50 mov eax, dword ptr fs:[00000030h]7_2_06F6AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6AC50 mov eax, dword ptr fs:[00000030h]7_2_06F6AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6AC50 mov eax, dword ptr fs:[00000030h]7_2_06F6AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6AC50 mov eax, dword ptr fs:[00000030h]7_2_06F6AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6AC50 mov eax, dword ptr fs:[00000030h]7_2_06F6AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6AC50 mov eax, dword ptr fs:[00000030h]7_2_06F6AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66C50 mov eax, dword ptr fs:[00000030h]7_2_06F66C50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66C50 mov eax, dword ptr fs:[00000030h]7_2_06F66C50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F66C50 mov eax, dword ptr fs:[00000030h]7_2_06F66C50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07028DAE mov eax, dword ptr fs:[00000030h]7_2_07028DAE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07028DAE mov eax, dword ptr fs:[00000030h]7_2_07028DAE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07034DAD mov eax, dword ptr fs:[00000030h]7_2_07034DAD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5EC20 mov eax, dword ptr fs:[00000030h]7_2_06F5EC20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FFCC20 mov eax, dword ptr fs:[00000030h]7_2_06FFCC20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FFCC20 mov eax, dword ptr fs:[00000030h]7_2_06FFCC20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07000DF0 mov eax, dword ptr fs:[00000030h]7_2_07000DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07000DF0 mov eax, dword ptr fs:[00000030h]7_2_07000DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4C0F mov eax, dword ptr fs:[00000030h]7_2_06FE4C0F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70C00 mov eax, dword ptr fs:[00000030h]7_2_06F70C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70C00 mov eax, dword ptr fs:[00000030h]7_2_06F70C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70C00 mov eax, dword ptr fs:[00000030h]7_2_06F70C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F70C00 mov eax, dword ptr fs:[00000030h]7_2_06F70C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9CC00 mov eax, dword ptr fs:[00000030h]7_2_06F9CC00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F56DF6 mov eax, dword ptr fs:[00000030h]7_2_06F56DF6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8CDF0 mov eax, dword ptr fs:[00000030h]7_2_06F8CDF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8CDF0 mov ecx, dword ptr fs:[00000030h]7_2_06F8CDF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6ADE0 mov eax, dword ptr fs:[00000030h]7_2_06F6ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6ADE0 mov eax, dword ptr fs:[00000030h]7_2_06F6ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6ADE0 mov eax, dword ptr fs:[00000030h]7_2_06F6ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6ADE0 mov eax, dword ptr fs:[00000030h]7_2_06F6ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6ADE0 mov eax, dword ptr fs:[00000030h]7_2_06F6ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F6ADE0 mov eax, dword ptr fs:[00000030h]7_2_06F6ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F80DE1 mov eax, dword ptr fs:[00000030h]7_2_06F80DE1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CDEA mov eax, dword ptr fs:[00000030h]7_2_06F5CDEA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F5CDEA mov eax, dword ptr fs:[00000030h]7_2_06F5CDEA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4DD7 mov eax, dword ptr fs:[00000030h]7_2_06FE4DD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FE4DD7 mov eax, dword ptr fs:[00000030h]7_2_06FE4DD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8EDD3 mov eax, dword ptr fs:[00000030h]7_2_06F8EDD3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F8EDD3 mov eax, dword ptr fs:[00000030h]7_2_06F8EDD3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004C34 mov eax, dword ptr fs:[00000030h]7_2_07004C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004C34 mov eax, dword ptr fs:[00000030h]7_2_07004C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004C34 mov eax, dword ptr fs:[00000030h]7_2_07004C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004C34 mov eax, dword ptr fs:[00000030h]7_2_07004C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004C34 mov eax, dword ptr fs:[00000030h]7_2_07004C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004C34 mov eax, dword ptr fs:[00000030h]7_2_07004C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_07004C34 mov ecx, dword ptr fs:[00000030h]7_2_07004C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F88DBF mov eax, dword ptr fs:[00000030h]7_2_06F88DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F88DBF mov eax, dword ptr fs:[00000030h]7_2_06F88DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9CDB1 mov ecx, dword ptr fs:[00000030h]7_2_06F9CDB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9CDB1 mov eax, dword ptr fs:[00000030h]7_2_06F9CDB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F9CDB1 mov eax, dword ptr fs:[00000030h]7_2_06F9CDB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F96DA0 mov eax, dword ptr fs:[00000030h]7_2_06F96DA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06FF8D6B mov eax, dword ptr fs:[00000030h]7_2_06FF8D6B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F60D59 mov eax, dword ptr fs:[00000030h]7_2_06F60D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F60D59 mov eax, dword ptr fs:[00000030h]7_2_06F60D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_06F60D59 mov eax, dword ptr fs:[00000030h]7_2_06F60D59
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_004469B8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_004469B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_0044846B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_0044846B
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe"
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpBE22.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeQueries volume information: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeQueries volume information: C:\Users\user\AppData\Roaming\SoEOsZIV.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\SoEOsZIV.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 7_2_00447F9F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,7_2_00447F9F
            Source: C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Scheduled Task/Job            		1
            Scheduled Task/Job            		11
            Process Injection            		1
            Masquerading            		OS Credential Dumping1
            System Time Discovery            		Remote Services1
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Native API            		1
            DLL Side-Loading            		1
            Scheduled Task/Job            		11
            Disable or Modify Tools            		LSASS Memory13
            Security Software Discovery            		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		41
            Virtualization/Sandbox Evasion            		Security Account Manager1
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Process Injection            		NTDS41
            Virtualization/Sandbox Evasion            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            Application Window Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
            Obfuscated Files or Information            		Cached Domain Credentials1
            File and Directory Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
            Software Packing            		DCSync13
            System Information Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1501088 Sample: Cotizaci#U00f3n#12643283.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 6 other signatures 2->50 7 Cotizaci#U00f3n#12643283.exe 7 2->7         started        11 SoEOsZIV.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\Roaming\SoEOsZIV.exe, PE32 7->36 dropped 38 C:\Users\...\SoEOsZIV.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmpAC01.tmp, XML 7->40 dropped 42 C:\Users\...\Cotizaci#U00f3n#12643283.exe.log, ASCII 7->42 dropped 52 Uses schtasks.exe or at.exe to add and modify task schedules 7->52 54 Adds a directory exclusion to Windows Defender 7->54 13 powershell.exe 23 7->13         started        16 schtasks.exe 1 7->16         started        18 vbc.exe 7->18         started        56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 20 schtasks.exe 1 11->20         started        22 vbc.exe 11->22         started        24 vbc.exe 11->24         started        26 3 other processes 11->26 signatures5 process6 signatures7 60 Loading BitLocker PowerShell Module 13->60 28 WmiPrvSE.exe 13->28         started        30 conhost.exe 13->30         started        32 conhost.exe 16->32         started        34 conhost.exe 20->34         started        process8

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Cotizaci#U00f3n#12643283.exe79%ReversingLabsWin32.Trojan.Leonem
            Cotizaci#U00f3n#12643283.exe68%VirustotalBrowse
            Cotizaci#U00f3n#12643283.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\SoEOsZIV.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\SoEOsZIV.exe79%ReversingLabsWin32.Trojan.Leonem
            C:\Users\user\AppData\Roaming\SoEOsZIV.exe68%VirustotalBrowse

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameCotizaci#U00f3n#12643283.exe, 00000000.00000002.2200126332.0000000002797000.00000004.00000800.00020000.00000000.sdmp, SoEOsZIV.exe, 00000008.00000002.2254774684.00000000031A0000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1501088
            Start date and time:2024-08-29 12:14:42 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 18s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:21
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Cotizaci#U00f3n#12643283.exe
            renamed because original name is a hash value
            Original Sample Name:Cotizacin#12643283.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@24/11@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 99%
            • Number of executed functions: 46
            • Number of non-executed functions: 269
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            06:15:38API Interceptor1x Sleep call for process: Cotizaci#U00f3n#12643283.exe modified
            06:15:39API Interceptor17x Sleep call for process: powershell.exe modified
            06:15:43API Interceptor1x Sleep call for process: SoEOsZIV.exe modified
            06:16:39API Interceptor3x Sleep call for process: vbc.exe modified
            12:15:40Task SchedulerRun new task: SoEOsZIV path: C:\Users\user\AppData\Roaming\SoEOsZIV.exe

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cotizaci#U00f3n#12643283.exe.log

            Download File
            Process:C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:true
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SoEOsZIV.exe.log

            Download File
            Process:C:\Users\user\AppData\Roaming\SoEOsZIV.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1216
            Entropy (8bit):5.34331486778365
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
            MD5:1330C80CAAC9A0FB172F202485E9B1E8
            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):2232
            Entropy (8bit):5.3810236212315665
            Encrypted:false
            SSDEEP:48:lylWSU4xympx4RfoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:lGLHxv/IwLZ2KRH6Oug8s
            MD5:2F4F72178757F51960EC430BB427B04A
            SHA1:920BF6703FE6658EC1422070D6D045667D2D34AD
            SHA-256:398F684D254628BC3030D723A723D8423E0A55FEFE507F7894323B04E86B588B
            SHA-512:666E63AAB96255A8F7F0645262257F65DF0A2E5805D74F7488CC8101368A123A3E52DAB555094C191C2ACC22156E86F4B5C565854371564B988549626F940327
            Malicious:false
            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3krzvh1h.pyy.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5l2phtpf.2em.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_stkvzaoe.fqi.ps1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmmeswp1.5q5.psm1

            Download File
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Preview:# PowerShell test file to determine AppLocker lockdown mode

            C:\Users\user\AppData\Local\Temp\tmpAC01.tmp

            Download File
            Process:C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1595
            Entropy (8bit):5.095145383839613
            Encrypted:false
            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLZoxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTdIv
            MD5:03DE63DA9EE4C228EFC4A33DA5356CF8
            SHA1:716FA0C89F420972F1AEF30032386C755BA7C100
            SHA-256:E526D89E1D4CA0A2C181685ADCE9781F5A3765126E3E575F1F091945141BDE27
            SHA-512:18C4DEBFA09576782C7E25BA082CB241CFB00AE1379422648B23B56F8F4E1E2985ED94E7E3993B110149539060AABC0E61D622A00F837B8D8D7B559AC27A77F4
            Malicious:true
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

            C:\Users\user\AppData\Local\Temp\tmpBE22.tmp

            Download File
            Process:C:\Users\user\AppData\Roaming\SoEOsZIV.exe
            File Type:XML 1.0 document, ASCII text
            Category:dropped
            Size (bytes):1595
            Entropy (8bit):5.095145383839613
            Encrypted:false
            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLZoxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTdIv
            MD5:03DE63DA9EE4C228EFC4A33DA5356CF8
            SHA1:716FA0C89F420972F1AEF30032386C755BA7C100
            SHA-256:E526D89E1D4CA0A2C181685ADCE9781F5A3765126E3E575F1F091945141BDE27
            SHA-512:18C4DEBFA09576782C7E25BA082CB241CFB00AE1379422648B23B56F8F4E1E2985ED94E7E3993B110149539060AABC0E61D622A00F837B8D8D7B559AC27A77F4
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

            C:\Users\user\AppData\Roaming\SoEOsZIV.exe

            Download File
            Process:C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):940032
            Entropy (8bit):7.884846579967524
            Encrypted:false
            SSDEEP:24576:WNxC/qaSuo6UosAvsSrnDtNVWmcBaHEiZK:WTiUunoAvsSrImcz
            MD5:23788E22BC2EE1417A5C7FDF0F58715F
            SHA1:F47805DF01143591BC654056B9FDA905850E9539
            SHA-256:D613473068F000318D1015B85A0F49F9191263041AE8DEBCC7250876AE146304
            SHA-512:941D4B85E50642580C3882706BE0C5985DDA91BEC545F2E78D5CC8A7AE5568EB1E525A3B20B4444FECCAB02A44D471261B1220160B5D5DD0882C7800DBCA067A
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 79%
            • Antivirus: Virustotal, Detection: 68%, Browse
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.f..............0..B..........*a... ........@.. ....................................@..................................`..O.......................................T............................................ ............... ..H............text...0A... ...B.................. ..`.rsrc................D..............@..@.reloc...............V..............@..B.................a......H...........\............"..............................................F(.....(....o....*...0...........(.......R.....,......io....&.*J.(.....o....(....*V...i(.........io....*..o....*..o....*..o....*..o....*"..o....*"..o....*"..o....*"..o....*..o....*..o....*"..o....*"..o....*...0...........(.......d.._s(...*..0..+........ ..../...c.._s(...*.(.....b.`...d.._s(...*..0...........o$....b.o&...`...(....*.0..x........o&.....E....(.........../.../.......+-..j.o....&*..j.o....&*..(

            C:\Users\user\AppData\Roaming\SoEOsZIV.exe:Zone.Identifier

            Download File
            Process:C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.884846579967524
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:Cotizaci#U00f3n#12643283.exe
            File size:940'032 bytes
            MD5:23788e22bc2ee1417a5c7fdf0f58715f
            SHA1:f47805df01143591bc654056b9fda905850e9539
            SHA256:d613473068f000318d1015b85a0f49f9191263041ae8debcc7250876ae146304
            SHA512:941d4b85e50642580c3882706be0c5985dda91bec545f2e78d5cc8a7ae5568eb1e525a3b20b4444feccab02a44d471261b1220160b5d5dd0882c7800dbca067a
            SSDEEP:24576:WNxC/qaSuo6UosAvsSrnDtNVWmcBaHEiZK:WTiUunoAvsSrImcz
            TLSH:E61512282751C916C2AF5AB45950E67883B4DE88D023E70BEFD1FDBF7A5B38391502D2
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.f..............0..B..........*a... ........@.. ....................................@................................

            File Icon

            Icon Hash:4c4d8c98abd6661c

            Static PE Info

            General

            Entrypoint:0x4e612a
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x66C346D8 [Mon Aug 19 13:21:28 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xe60d70x4f.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xe80000x1080.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0xea0000xc.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0xe1efc0x54.text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x20000xe41300xe4200f1a30ee9b9970a9a4e2293c73565170cFalse0.9359728167808219data7.890900297629251IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc0xe80000x10800x120083bd5f441dd034face5f75b3c713dd1eFalse0.7814670138888888data6.685874283660875IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0xea0000xc0x2009768eda1aa9c129987cd60a714a9ae02False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_ICON0xe80c80xd44PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9508244994110718
            RT_GROUP_ICON0xe8e1c0x14data1.05
            RT_VERSION0xe8e400x23cdata0.46853146853146854

            Imports

            DLLImport
            mscoree.dll_CorExeMain

            Network Behavior

            No network behavior found

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:06:15:38
            Start date:29/08/2024
            Path:C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\Cotizaci#U00f3n#12643283.exe"
            Imagebase:0x320000
            File size:940'032 bytes
            MD5 hash:23788E22BC2EE1417A5C7FDF0F58715F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:3
            Start time:06:15:39
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SoEOsZIV.exe"
            Imagebase:0x1b0000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:4
            Start time:06:15:39
            Start date:29/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:5
            Start time:06:15:39
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpAC01.tmp"
            Imagebase:0xdc0000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:6
            Start time:06:15:39
            Start date:29/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:7
            Start time:06:15:39
            Start date:29/08/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Imagebase:0xeb0000
            File size:2'625'616 bytes
            MD5 hash:0A7608DB01CAE07792CEA95E792AA866
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2862655444.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            Reputation:moderate
            Has exited:true

            General

            Target ID:8
            Start time:06:15:40
            Start date:29/08/2024
            Path:C:\Users\user\AppData\Roaming\SoEOsZIV.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Roaming\SoEOsZIV.exe
            Imagebase:0xe90000
            File size:940'032 bytes
            MD5 hash:23788E22BC2EE1417A5C7FDF0F58715F
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 79%, ReversingLabs
            • Detection: 68%, Virustotal, Browse
            Reputation:low
            Has exited:true

            General

            Target ID:9
            Start time:06:15:41
            Start date:29/08/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff717f30000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:10
            Start time:06:15:44
            Start date:29/08/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SoEOsZIV" /XML "C:\Users\user\AppData\Local\Temp\tmpBE22.tmp"
            Imagebase:0xdc0000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:11
            Start time:06:15:44
            Start date:29/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            General

            Target ID:12
            Start time:06:15:44
            Start date:29/08/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Imagebase:0xeb0000
            File size:2'625'616 bytes
            MD5 hash:0A7608DB01CAE07792CEA95E792AA866
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            General

            Target ID:13
            Start time:06:15:44
            Start date:29/08/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Imagebase:0x7ff66e660000
            File size:2'625'616 bytes
            MD5 hash:0A7608DB01CAE07792CEA95E792AA866
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            General

            Target ID:14
            Start time:06:15:44
            Start date:29/08/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Imagebase:0xeb0000
            File size:2'625'616 bytes
            MD5 hash:0A7608DB01CAE07792CEA95E792AA866
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            General

            Target ID:15
            Start time:06:15:44
            Start date:29/08/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Imagebase:0xeb0000
            File size:2'625'616 bytes
            MD5 hash:0A7608DB01CAE07792CEA95E792AA866
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            General

            Target ID:16
            Start time:06:15:44
            Start date:29/08/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Imagebase:0xeb0000
            File size:2'625'616 bytes
            MD5 hash:0A7608DB01CAE07792CEA95E792AA866
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:7.9%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:44
              Total number of Limit Nodes:4
              execution_graph 14201 cdd768 DuplicateHandle 14202 cdd7fe 14201->14202 14203 cd4668 14204 cd4672 14203->14204 14206 cd4758 14203->14206 14207 cd477d 14206->14207 14211 cd4858 14207->14211 14215 cd4868 14207->14215 14212 cd488f 14211->14212 14213 cd496c 14212->14213 14219 cd4514 14212->14219 14216 cd488f 14215->14216 14217 cd4514 CreateActCtxA 14216->14217 14218 cd496c 14216->14218 14217->14218 14220 cd58f8 CreateActCtxA 14219->14220 14222 cd59bb 14220->14222 14222->14222 14233 cdb478 14234 cdb4ba 14233->14234 14235 cdb4c0 GetModuleHandleW 14233->14235 14234->14235 14236 cdb4ed 14235->14236 14223 cdd520 14224 cdd566 GetCurrentProcess 14223->14224 14226 cdd5b8 GetCurrentThread 14224->14226 14228 cdd5b1 14224->14228 14227 cdd5f5 GetCurrentProcess 14226->14227 14229 cdd5ee 14226->14229 14232 cdd62b 14227->14232 14228->14226 14229->14227 14230 cdd653 GetCurrentThreadId 14231 cdd684 14230->14231 14232->14230 14237 cdb190 14238 cdb19f 14237->14238 14240 cdb279 14237->14240 14241 cdb299 14240->14241 14242 cdb2b4 14240->14242 14241->14242 14245 cdb510 14241->14245 14249 cdb520 14241->14249 14242->14238 14246 cdb534 14245->14246 14247 cdb559 14246->14247 14253 cdaf98 14246->14253 14247->14242 14250 cdb534 14249->14250 14251 cdaf98 LoadLibraryExW 14250->14251 14252 cdb559 14250->14252 14251->14252 14252->14242 14254 cdb700 LoadLibraryExW 14253->14254 14256 cdb779 14254->14256 14256->14247

              Executed Functions

              Function 00CDD51F Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 00CDD59E
              • GetCurrentThread.KERNEL32 ref: 00CDD5DB
              • GetCurrentProcess.KERNEL32 ref: 00CDD618
              • GetCurrentThreadId.KERNEL32 ref: 00CDD671
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 65ca83c56a6936e6999b34240a7835e3e9f1086561e1c925b1c717adbd9beb8f
              • Instruction ID: 4a9c3d85e95d4288761093e175aaaf2ed2413c56b3ffb94d8e96c5faf2e32fc1
              • Opcode Fuzzy Hash: 65ca83c56a6936e6999b34240a7835e3e9f1086561e1c925b1c717adbd9beb8f
              • Instruction Fuzzy Hash: FB5185B0900309DFDB44CFA9D548BEEBBF1EF88304F20841AE019A7360DB74A945CB66
              Function 00CDD520 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 00CDD59E
              • GetCurrentThread.KERNEL32 ref: 00CDD5DB
              • GetCurrentProcess.KERNEL32 ref: 00CDD618
              • GetCurrentThreadId.KERNEL32 ref: 00CDD671
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 698d9dfdc93417f06f94480441f7ad00aa04850a8d04327e528e3ca70c7c0963
              • Instruction ID: c52c6060387b8a089a8af48cfb1fe1e7ada5b5734d4f38974b4793431200a24b
              • Opcode Fuzzy Hash: 698d9dfdc93417f06f94480441f7ad00aa04850a8d04327e528e3ca70c7c0963
              • Instruction Fuzzy Hash: 225177B0900709DFDB44DFA9D548BDEBBF1EF88314F20845AE019A7360D774A944CB66
              Function 00CD4514 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 44 cd4514-cd59b9 CreateActCtxA 47 cd59bb-cd59c1 44->47 48 cd59c2-cd5a1c 44->48 47->48 55 cd5a1e-cd5a21 48->55 56 cd5a2b-cd5a2f 48->56 55->56 57 cd5a31-cd5a3d 56->57 58 cd5a40 56->58 57->58 60 cd5a41 58->60 60->60
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00CD59A9
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: a9188aa954a42f395de034f81b948d4ac1026312401d9501cd346dd781899280
              • Instruction ID: d40ddbbbc62e6b60b8a25ce83c76c0c39fcac8be7f62f1365c1b4378eb775883
              • Opcode Fuzzy Hash: a9188aa954a42f395de034f81b948d4ac1026312401d9501cd346dd781899280
              • Instruction Fuzzy Hash: 2341F2B0C00B1DCBDB24DFA9C884B9EBBF5BF49304F20816AD508AB251DB716945CF91
              Function 00CD58ED Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 61 cd58ed-cd59b9 CreateActCtxA 63 cd59bb-cd59c1 61->63 64 cd59c2-cd5a1c 61->64 63->64 71 cd5a1e-cd5a21 64->71 72 cd5a2b-cd5a2f 64->72 71->72 73 cd5a31-cd5a3d 72->73 74 cd5a40 72->74 73->74 76 cd5a41 74->76 76->76
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 00CD59A9
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 400c409e952c669283e6e36b0b2eb53dfeea20faa551a8d831a23fb400eaa139
              • Instruction ID: b53c5e9a00b8ee32930dd069a6f1a76d917c6b166a58ac59c50a3da7cd45e2bd
              • Opcode Fuzzy Hash: 400c409e952c669283e6e36b0b2eb53dfeea20faa551a8d831a23fb400eaa139
              • Instruction Fuzzy Hash: 3A4101B0C00B1DCFDB24CFA9C88479DBBB1BF49304F20816AD558AB291DB725946CF91
              Function 00CDD768 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 82 cdd768-cdd7fc DuplicateHandle 83 cdd7fe-cdd804 82->83 84 cdd805-cdd822 82->84 83->84
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CDD7EF
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: d4c0e25b328a38a3df97b6b71b13fbb294711d4cf80cb35e6def2d14bfecad2d
              • Instruction ID: edd236b6123c1347713d10a9c8ecffefd9fb7f60ee13c7eaa2612cf3dd611d78
              • Opcode Fuzzy Hash: d4c0e25b328a38a3df97b6b71b13fbb294711d4cf80cb35e6def2d14bfecad2d
              • Instruction Fuzzy Hash: 5A21E4B5D00248DFDB10CFAAD884ADEBBF8EB48310F14801AE918A3350D379A944CFA5
              Function 00CDD767 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 77 cdd767-cdd7fc DuplicateHandle 78 cdd7fe-cdd804 77->78 79 cdd805-cdd822 77->79 78->79
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CDD7EF
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 95f808f48458f8363e4426dd01b7cdca91b3d449acb106396b32d8c518ec8e0c
              • Instruction ID: 6a059263187a76b75fb32ea60c4429b23bfe7840b8b1f649d3c893dbb9726eaa
              • Opcode Fuzzy Hash: 95f808f48458f8363e4426dd01b7cdca91b3d449acb106396b32d8c518ec8e0c
              • Instruction Fuzzy Hash: C121E4B5D00248DFDB10CFAAD884ADEBFF4EB48310F14801AE918A7350D379A944CFA5
              Function 00CDAF98 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 87 cdaf98-cdb740 89 cdb748-cdb777 LoadLibraryExW 87->89 90 cdb742-cdb745 87->90 91 cdb779-cdb77f 89->91 92 cdb780-cdb79d 89->92 90->89 91->92
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CDB559,00000800,00000000,00000000), ref: 00CDB76A
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: c683325d1eb0180469fc659dd8ab857276f9dabef2ebcb9411b8c24ae6b57e5f
              • Instruction ID: baf9be5bafc8411bd74af7c32780e3566e83435e02f14f29c189bc484d3d1976
              • Opcode Fuzzy Hash: c683325d1eb0180469fc659dd8ab857276f9dabef2ebcb9411b8c24ae6b57e5f
              • Instruction Fuzzy Hash: B41103B6800349DFDB10DF9AC444A9EFBF8EB88710F11842ED529A7300C375A944CFA5
              Function 00CDB6F9 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 95 cdb6f9-cdb740 96 cdb748-cdb777 LoadLibraryExW 95->96 97 cdb742-cdb745 95->97 98 cdb779-cdb77f 96->98 99 cdb780-cdb79d 96->99 97->96 98->99
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CDB559,00000800,00000000,00000000), ref: 00CDB76A
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 673cc4ba607c69c40b580d75607081b4e9735fb3c4cb6897a57beb7d152a11b3
              • Instruction ID: bcdc3b447544c364a982e3086ef181b39493f3eef8a197a0becb1beebd81fa39
              • Opcode Fuzzy Hash: 673cc4ba607c69c40b580d75607081b4e9735fb3c4cb6897a57beb7d152a11b3
              • Instruction Fuzzy Hash: 6F1103B6C00349DFDB14CFAAC444ADEFBF4AB88310F11842AD569A7210C375A945CFA5
              Function 00CDB478 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 108 cdb478-cdb4b8 109 cdb4ba-cdb4bd 108->109 110 cdb4c0-cdb4eb GetModuleHandleW 108->110 109->110 111 cdb4ed-cdb4f3 110->111 112 cdb4f4-cdb508 110->112 111->112
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00CDB4DE
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 6df9730e12b7fe405f184bfd872985f10c73d62dadc434ae3296d4ad24306470
              • Instruction ID: 74c12f215f99f8e656b977a6f3ce3a21005e90308d4f8031652d7822cd5277c2
              • Opcode Fuzzy Hash: 6df9730e12b7fe405f184bfd872985f10c73d62dadc434ae3296d4ad24306470
              • Instruction Fuzzy Hash: 6A110FB6C00649CFDB10CF9AC444A9EFBF4AB88714F11841AD928A7300C379A945CFA5
              Function 00CDB477 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 102 cdb477-cdb4b8 103 cdb4ba-cdb4bd 102->103 104 cdb4c0-cdb4eb GetModuleHandleW 102->104 103->104 105 cdb4ed-cdb4f3 104->105 106 cdb4f4-cdb508 104->106 105->106
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 00CDB4DE
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: ead92c4e0e316e68b199a9bf953025f92e55057920f9fb7eeb7004aadc4b5858
              • Instruction ID: 5fa89f85288392b93b8aa2091efc89953e17fed1b80bf90a629095d5b0aa2a77
              • Opcode Fuzzy Hash: ead92c4e0e316e68b199a9bf953025f92e55057920f9fb7eeb7004aadc4b5858
              • Instruction Fuzzy Hash: 35110FB6C00649CFDB10CF9AC444ADEFBF4EB88714F11841AD928A7300C379AA45CFA5
              Function 009BD1FC Relevance: .1, Instructions: 76COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199072965.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c2faee4ee92987a9aed726ce5a3d2e498bee65b50a48d2e08608de967b07e62f
              • Instruction ID: 1f4469c785fd73aed5be0de5feff0fc5fe70ddbdd7c6e8e26d48749e0e2c4fb0
              • Opcode Fuzzy Hash: c2faee4ee92987a9aed726ce5a3d2e498bee65b50a48d2e08608de967b07e62f
              • Instruction Fuzzy Hash: A3212572504284EFDF05DF54DAC0B66BF65FB88324F20C569ED190B246D33AD816CBA1
              Function 009BD4C4 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199072965.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7aa7db6a8f3b369f3cdf09fe235b9997158024caa88a50acddd7e4a8039f016
              • Instruction ID: 8ee75e105b5aa7648568d3a1c65018895e66c22e6b8e2ec7ad82cb7acc25ab46
              • Opcode Fuzzy Hash: b7aa7db6a8f3b369f3cdf09fe235b9997158024caa88a50acddd7e4a8039f016
              • Instruction Fuzzy Hash: E3214871500204EFDB10DF14DAC0B66BF65FB84328F20C56DE8090B25AD37AD846CAA1
              Function 009CD01C Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199111214.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9cd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 698bea0bfeed76b4396678fcff14a8d2bf01dbd8e51079f1413a26441b201a6c
              • Instruction ID: f3d486fc350f8613a008d71552eeb4740cad5e411e79d536e2d3a517181e1974
              • Opcode Fuzzy Hash: 698bea0bfeed76b4396678fcff14a8d2bf01dbd8e51079f1413a26441b201a6c
              • Instruction Fuzzy Hash: 1E21F571A04204EFDB14DF28D5C0F26BB65FB84314F20C97DD90A4B286C33AD847CA62
              Function 009CD1D4 Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199111214.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9cd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ded1fac6767e042f6ac4549fb7ccce24bb23b92b596275736403e6b1a31d15e7
              • Instruction ID: 191c1bd83d328a739a2df851c3057a1420f30a7ae2c78d75a25e5640c635529a
              • Opcode Fuzzy Hash: ded1fac6767e042f6ac4549fb7ccce24bb23b92b596275736403e6b1a31d15e7
              • Instruction Fuzzy Hash: AC21D471A05204EFDB05DF24D9C0F26BBA5FB84314F24C97DE9594B292C37AD846CB62
              Function 009CD006 Relevance: .1, Instructions: 62COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199111214.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9cd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 811646b19093924d038218f3fbe58a7b86f06412740a610913323f019ea5e248
              • Instruction ID: 021b86354b0545994f8d7da1ea03dab57d526ae4114286a0ee78fca63efa2061
              • Opcode Fuzzy Hash: 811646b19093924d038218f3fbe58a7b86f06412740a610913323f019ea5e248
              • Instruction Fuzzy Hash: 1A218E755093809FCB02CF24D990B15BF71EB46314F28C5EED8498F6A7C33A980ACB62
              Function 009BD1F7 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199072965.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
              • Instruction ID: 750389299216eb5e9b3fdd251e82daf286460292326496f3d57c4c45a5efef4b
              • Opcode Fuzzy Hash: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
              • Instruction Fuzzy Hash: 3E21AF76504284DFDB06CF50DAC4B56BF72FB84324F24C5A9DC090B656C33AD82ACBA2
              Function 009BD4BF Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199072965.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
              • Instruction ID: ed60578df9b0af23083b3f2d5541d4c62fea53e2d9e3a8ec6c02b2fbc1b821b6
              • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
              • Instruction Fuzzy Hash: 64112672504284DFCB11CF10D6C4B56BF71FB84324F24C6A9E8090B25AC33AD85ACBA2
              Function 009CD1CF Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199111214.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9cd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
              • Instruction ID: 2c12904799427032634a86995b45edfa181ce77b079435a705b5537f82a87a22
              • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
              • Instruction Fuzzy Hash: EE118B76904284DFDB15CF10D9D4B15FBA1FB84314F24C6AED8494B696C33AD84ACB62
              Function 009BD731 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199072965.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 28911312ddc44d7f05db27b79f5295635dd718da8a92751e0a8c3597e68d6138
              • Instruction ID: b7347ec414b604d4fd3f91236df8e2d38b63b4490d905b5e4693c6138e46a2ea
              • Opcode Fuzzy Hash: 28911312ddc44d7f05db27b79f5295635dd718da8a92751e0a8c3597e68d6138
              • Instruction Fuzzy Hash: D201A7B1406344EAE7104A25DEC4BE6FFDCEF51734F148419ED494A282EA799844C6B1
              Function 009BD730 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199072965.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9bd000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52e63f628fc4929b802aed55fd59c27fc08be564b4f27a673a6668fba067a106
              • Instruction ID: 5040acd25d044959cd73c0f591febde5f72bbcdaad2e32fec91a2d35d32398e7
              • Opcode Fuzzy Hash: 52e63f628fc4929b802aed55fd59c27fc08be564b4f27a673a6668fba067a106
              • Instruction Fuzzy Hash: 43F06271406344AAF7108A16D9C4BA6FFDCEB91734F18C55AED484F282D2799844CAB1

              Non-executed Functions

              Function 00CDE074 Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.2199663894.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_cd0000_Cotizaci#U00f3n#12643283.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9d3ad89d62707d2493e95731ca7f27e07f506f1aac16299cb2c4fe000159214
              • Instruction ID: b964ba7d23c291185f53c06bd57cd3a4beb6442081d48e100e34f9bc47a6d325
              • Opcode Fuzzy Hash: d9d3ad89d62707d2493e95731ca7f27e07f506f1aac16299cb2c4fe000159214
              • Instruction Fuzzy Hash: 10A16D32E002198FCF05DFB5C8405AEB7B2FF85300B15857AEA16AB365DB71E956DB80

              Execution Graph

              Execution Coverage:0.7%
              Dynamic/Decrypted Code Coverage:5.4%
              Signature Coverage:8.9%
              Total number of Nodes:112
              Total number of Limit Nodes:12
              execution_graph 98295 424fc3 98296 424fdf 98295->98296 98297 425007 98296->98297 98298 42501b 98296->98298 98299 42cc13 NtClose 98297->98299 98305 42cc13 98298->98305 98301 425010 98299->98301 98302 425024 98308 42edc3 RtlAllocateHeap 98302->98308 98304 42502f 98306 42cc30 98305->98306 98307 42cc41 NtClose 98306->98307 98307->98302 98308->98304 98309 42fe03 98312 42eca3 98309->98312 98315 42cf73 98312->98315 98314 42ecbc 98316 42cf90 98315->98316 98317 42cfa1 RtlFreeHeap 98316->98317 98317->98314 98318 42fda3 98319 42fdb3 98318->98319 98320 42fdb9 98318->98320 98323 42ed83 98320->98323 98322 42fddf 98326 42cf23 98323->98326 98325 42ed9e 98325->98322 98327 42cf40 98326->98327 98328 42cf51 RtlAllocateHeap 98327->98328 98328->98325 98397 425353 98402 42536c 98397->98402 98398 4253f9 98399 4253b7 98400 42eca3 RtlFreeHeap 98399->98400 98401 4253c4 98400->98401 98402->98398 98402->98399 98403 4253f4 98402->98403 98404 42eca3 RtlFreeHeap 98403->98404 98404->98398 98405 42c213 98406 42c230 98405->98406 98409 6fa2df0 LdrInitializeThunk 98406->98409 98407 42c258 98409->98407 98329 417d63 98331 417d87 98329->98331 98330 417d8e 98331->98330 98332 417dc3 LdrLoadDll 98331->98332 98332->98330 98415 4142d3 98416 4142f3 98415->98416 98418 41435c 98416->98418 98420 41b9e3 RtlFreeHeap LdrInitializeThunk 98416->98420 98419 414352 98420->98419 98421 424b54 98422 424b75 98421->98422 98423 424b93 98422->98423 98424 424ba8 98422->98424 98425 42cc13 NtClose 98423->98425 98426 42cc13 NtClose 98424->98426 98427 424b9c 98425->98427 98429 424bb1 98426->98429 98428 424be8 98429->98428 98430 42eca3 RtlFreeHeap 98429->98430 98431 424bdc 98430->98431 98432 6fa2b60 LdrInitializeThunk 98333 40232c 98335 402333 98333->98335 98334 40230e 98335->98334 98338 430273 98335->98338 98341 42e873 98338->98341 98342 42e896 98341->98342 98351 407e63 98342->98351 98344 42e8ac 98350 40240e 98344->98350 98354 41b6d3 98344->98354 98346 42e8cb 98347 42e8e0 98346->98347 98348 42cfc3 ExitProcess 98346->98348 98365 42cfc3 98347->98365 98348->98347 98353 407e70 98351->98353 98368 416a13 98351->98368 98353->98344 98355 41b6ff 98354->98355 98386 41b5c3 98355->98386 98358 41b72c 98359 41b737 98358->98359 98362 42cc13 NtClose 98358->98362 98359->98346 98360 41b744 98361 41b760 98360->98361 98363 42cc13 NtClose 98360->98363 98361->98346 98362->98359 98364 41b756 98363->98364 98364->98346 98366 42cfe0 98365->98366 98367 42cff1 ExitProcess 98366->98367 98367->98350 98369 416a30 98368->98369 98371 416a49 98369->98371 98372 42d653 98369->98372 98371->98353 98374 42d66d 98372->98374 98373 42d69c 98373->98371 98374->98373 98379 42c263 98374->98379 98377 42eca3 RtlFreeHeap 98378 42d712 98377->98378 98378->98371 98380 42c280 98379->98380 98383 6fa2c0a 98380->98383 98381 42c2ac 98381->98377 98384 6fa2c1f LdrInitializeThunk 98383->98384 98385 6fa2c11 98383->98385 98384->98381 98385->98381 98387 41b5dd 98386->98387 98391 41b6b9 98386->98391 98392 42c303 98387->98392 98390 42cc13 NtClose 98390->98391 98391->98358 98391->98360 98393 42c320 98392->98393 98396 6fa35c0 LdrInitializeThunk 98393->98396 98394 41b6ad 98394->98390 98396->98394 98433 4252dc 98434 4252e2 98433->98434 98435 42cc13 NtClose 98434->98435 98437 4252e7 98434->98437 98436 42530c 98435->98436

              Executed Functions

              Function 00417D63 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417DD5
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: aeaf35db904327ee291bd4294847016d078a6574073def54f6b086fe3cf0cb1f
              • Instruction ID: 93d96d1cf7ad6864c9f12606391abf966695fb56d7ea5be247524e857d4772c2
              • Opcode Fuzzy Hash: aeaf35db904327ee291bd4294847016d078a6574073def54f6b086fe3cf0cb1f
              • Instruction Fuzzy Hash: B20112B5E0010DBBDF10DAE5EC42FDEB7789F54308F0481A6E90897241F635EB588B55
              Function 0042CC13 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 25 42cc13-42cc4f call 405163 call 42de43 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CC4A
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 4c571d5112e974ae63107c0078184ddcdf89d488993b29b07eeb219e2e91cc0f
              • Instruction ID: 825a3de1da12956b8adfc1d726b132c040e37ff359455631fa9205b79255aa4b
              • Opcode Fuzzy Hash: 4c571d5112e974ae63107c0078184ddcdf89d488993b29b07eeb219e2e91cc0f
              • Instruction Fuzzy Hash: 88E086316446157BC210EA5AEC41FA7776CDFC5714F04842AFA486B141C7757E0087F5
              Function 06FA2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 40 6fa2c70-6fa2c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: be7029e6ec3eb2e654aa415d9ee2070508afb71d8ab5c41b2e65c3c5d0c7c97c
              • Instruction ID: 611a43c46ee454825a9b07879652f5d8e6119fb6dfd9cc225d1e12860811d930
              • Opcode Fuzzy Hash: be7029e6ec3eb2e654aa415d9ee2070508afb71d8ab5c41b2e65c3c5d0c7c97c
              • Instruction Fuzzy Hash: 6F90023120148812D1507159C80478A000D87D0341F59D411A453569CD869589917921
              Function 06FA2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 41 6fa2df0-6fa2dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b688ee9cccbfac21de5dc56e2fcad1605399b49cd7f86ab3dc404f7bdf7d7f63
              • Instruction ID: 937dc1d3c1f13f47289edf9cbbb032d386be1eae13733ed9d6f0abfa386e989d
              • Opcode Fuzzy Hash: b688ee9cccbfac21de5dc56e2fcad1605399b49cd7f86ab3dc404f7bdf7d7f63
              • Instruction Fuzzy Hash: 2290023120140423D15171598904747000D87D0281F95D412A053559CD96568A52A921
              Function 06FA2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 39 6fa2b60-6fa2b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 35d47dbaa5a7b642654c3eb44623e96b0bb5c54b4493b7032c5637850b9be8ce
              • Instruction ID: e3c8d1e5420220165a55822bf3da4dcc24aa7427a69f91d8261de372358db535
              • Opcode Fuzzy Hash: 35d47dbaa5a7b642654c3eb44623e96b0bb5c54b4493b7032c5637850b9be8ce
              • Instruction Fuzzy Hash: AA90026120240013414571598814656400E87E0241B55D021E11255D4DC52589916925
              Function 06FA35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 42 6fa35c0-6fa35cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 14db91d7533f151cf70cd4d0267ee5bda3af373cd40432ea116149944277e283
              • Instruction ID: a6c8b428909d173b26a9c2d9cda35ff5f65c1a8b37dcdba134d792632fdb7a25
              • Opcode Fuzzy Hash: 14db91d7533f151cf70cd4d0267ee5bda3af373cd40432ea116149944277e283
              • Instruction Fuzzy Hash: 6290023160550412D14071598914746100D87D0241F65D411A05355ACD87958A516DA2
              Function 0042CF73 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 20 42cf73-42cfb7 call 405163 call 42de43 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,5C468B08,00000007,00000000,00000004,00000000,004175E6,000000F4), ref: 0042CFB2
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 8c793a66d5f9b0ae66736856956607f756cedbeda714acd4b5b7666506bb67bc
              • Instruction ID: 32f4bbbe2ce4349e255bc549438686f4980119a85a152b2c780f960f282c3c5a
              • Opcode Fuzzy Hash: 8c793a66d5f9b0ae66736856956607f756cedbeda714acd4b5b7666506bb67bc
              • Instruction Fuzzy Hash: 82E092716406087BC714EE59EC41FEB77ACEFC4710F004419F918A7242D670BE108BB8
              Function 0042CF23 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 15 42cf23-42cf67 call 405163 call 42de43 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041EB8E,?,?,00000000,?,0041EB8E,?,?,?), ref: 0042CF62
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 52759d53c583911f149e1d12c476774973c33b32fccfa86493e10e8cfc91d16b
              • Instruction ID: be0692bfd31e56388e057b90133f472b1ac063aa7c70629f5b9973c2c660ffa8
              • Opcode Fuzzy Hash: 52759d53c583911f149e1d12c476774973c33b32fccfa86493e10e8cfc91d16b
              • Instruction Fuzzy Hash: EDE06D716442057BC614EE59EC41FAB73ACEFC4710F000419F908AB242D770B9108BB8
              Function 0042CFC3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 30 42cfc3-42cfff call 405163 call 42de43 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: aeaa9d9a064cab733e13c54153e80c41c2bea10c399ef7a346d6dfb6e0e8dc8a
              • Instruction ID: f23014ab5d3ac2739bcf0a531b728fc4be022cec0a8441b0cad64111b9d2383e
              • Opcode Fuzzy Hash: aeaa9d9a064cab733e13c54153e80c41c2bea10c399ef7a346d6dfb6e0e8dc8a
              • Instruction Fuzzy Hash: B7E086356406147BC220FA6ADC41FA7775CEFC5714F04842AFA18BB142C6707E0187F4
              Function 06FA2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 35 6fa2c0a-6fa2c0f 36 6fa2c1f-6fa2c26 LdrInitializeThunk 35->36 37 6fa2c11-6fa2c18 35->37
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 7fbd738429840b1e84e04ab81df1d8139f427ad73a1f18ab8c11920f07ac9986
              • Instruction ID: 1bb97f7e7def11eda5e271fc985e2de4ef4833cff20d1379ff45a5b5e2c00898
              • Opcode Fuzzy Hash: 7fbd738429840b1e84e04ab81df1d8139f427ad73a1f18ab8c11920f07ac9986
              • Instruction Fuzzy Hash: 0AB09B71D015C5D6DA51E7604A0871779046BD0751F19C061D2130685E4738C1D1E575

              Non-executed Functions

              Function 07018D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE
              Download Yara Rule
              Strings
              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 07018F2D
              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 07018F34
              • The critical section is owned by thread %p., xrefs: 07018E69
              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 07018E3F
              • *** enter .cxr %p for the context, xrefs: 07018FBD
              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 07018F26
              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 07018DA3
              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 07018D8C
              • <unknown>, xrefs: 07018D2E, 07018D81, 07018E00, 07018E49, 07018EC7, 07018F3E
              • The resource is owned shared by %d threads, xrefs: 07018E2E
              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 07018E86
              • The resource is owned exclusively by thread %p, xrefs: 07018E24
              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 07018DB5
              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 07018DD3
              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 07018DC4
              • *** Resource timeout (%p) in %ws:%s, xrefs: 07018E02
              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 07018FEF
              • Go determine why that thread has not released the critical section., xrefs: 07018E75
              • The instruction at %p referenced memory at %p., xrefs: 07018EE2
              • *** Inpage error in %ws:%s, xrefs: 07018EC8
              • *** then kb to get the faulting stack, xrefs: 07018FCC
              • *** enter .exr %p for the exception record, xrefs: 07018FA1
              • This failed because of error %Ix., xrefs: 07018EF6
              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 07018E4B
              • a NULL pointer, xrefs: 07018F90
              • write to, xrefs: 07018F56
              • read from, xrefs: 07018F5D, 07018F62
              • The instruction at %p tried to %s , xrefs: 07018F66
              • *** An Access Violation occurred in %ws:%s, xrefs: 07018F3F
              • an invalid address, %p, xrefs: 07018F7F
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
              • API String ID: 0-108210295
              • Opcode ID: 34311f24054545f4fa865278248957a508f36e7c8602a268cfab3e1b165ea14d
              • Instruction ID: 09172fbc15d6bce57cdb306c0735d22d8cf4ca94819cce0592fac6444c18c5c6
              • Opcode Fuzzy Hash: 34311f24054545f4fa865278248957a508f36e7c8602a268cfab3e1b165ea14d
              • Instruction Fuzzy Hash: 5F814AB6A00214BFCB969B18CC49E6F3FB5EFA6B64F028148FA145F1A1E375C911C761
              Function 06FE2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: b9d84849946cd4bdc3d28a599484de391240daf56eded96ed90a4142db39576b
              • Instruction ID: cd7537275ceb21cedfa8506ca922a1da513a1d7c56c0b4d7429ef662c3ffd124
              • Opcode Fuzzy Hash: b9d84849946cd4bdc3d28a599484de391240daf56eded96ed90a4142db39576b
              • Instruction Fuzzy Hash: 77928172A043419FE7A0DF24CC44B6BBBE9BB84754F04492DFA94D7290E774EA44CB92
              Function 06F98620 Relevance: 19.0, Strings: 15, Instructions: 223COMMON
              Download Yara Rule
              Strings
              • Critical section debug info address, xrefs: 06FD541F, 06FD552E
              • Critical section address, xrefs: 06FD5425, 06FD54BC, 06FD5534
              • ICw(JCw@4Cw@4Cw, xrefs: 06FD5341, 06FD534D
              • Address of the debug info found in the active list., xrefs: 06FD54AE, 06FD54FA
              • corrupted critical section, xrefs: 06FD54C2
              • double initialized or corrupted critical section, xrefs: 06FD5508
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 06FD54CE
              • Invalid debug info address of this critical section, xrefs: 06FD54B6
              • Thread is in a state in which it cannot own a critical section, xrefs: 06FD5543
              • undeleted critical section in freed memory, xrefs: 06FD542B
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 06FD54E2
              • Thread identifier, xrefs: 06FD553A
              • 8, xrefs: 06FD52E3
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 06FD540A, 06FD5496, 06FD5519
              • Critical section address., xrefs: 06FD5502
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$ICw(JCw@4Cw@4Cw
              • API String ID: 0-3651113152
              • Opcode ID: 3d266ae96ac435a6b939f30376f2ae05e6597862ccf0b8b75d9b6bf138d43263
              • Instruction ID: 73c1617b18640425bedeb14ce827961fe7ac77e38d6f9438904e826bd58b918d
              • Opcode Fuzzy Hash: 3d266ae96ac435a6b939f30376f2ae05e6597862ccf0b8b75d9b6bf138d43263
              • Instruction Fuzzy Hash: DB81AEB1E00348AFEBA0DF98CC41BAEBBB6BB09754F144159F515BB680D375E940CBA0
              Function 00401440 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 204COMMON
              Download Yara Rule
              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 00401502
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: ProcWindow
              • String ID: `A
              • API String ID: 181713994-637470814
              • Opcode ID: 5c7237ebf1d141759fbebf334b4c2c36f89625384cce43a3931cf9a7cde9a634
              • Instruction ID: 3432f80c2adcbe8c3611745740274b8368c8ce1fc6e5843346bf659f840b527b
              • Opcode Fuzzy Hash: 5c7237ebf1d141759fbebf334b4c2c36f89625384cce43a3931cf9a7cde9a634
              • Instruction Fuzzy Hash: E35192716042055BC70CCF29DC4556BB7A6FBD8305F188A2EF986DB3E0E778D901879A
              Function 004469B8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • IsDebuggerPresent.KERNEL32 ref: 00446C22
              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00446C37
              • UnhandledExceptionFilter.KERNEL32(0D), ref: 00446C42
              • GetCurrentProcess.KERNEL32(C0000409), ref: 00446C5E
              • TerminateProcess.KERNEL32(00000000), ref: 00446C65
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
              • String ID: 0D
              • API String ID: 2579439406-130544292
              • Opcode ID: 515d0bd23e47634ef54c6b203e159a92e547c34d15f4de998d216c0c8f775b23
              • Instruction ID: 06fbe44512db5b265e596114f54688fbbc9037229763663bcdadfccb248df8bf
              • Opcode Fuzzy Hash: 515d0bd23e47634ef54c6b203e159a92e547c34d15f4de998d216c0c8f775b23
              • Instruction Fuzzy Hash: 4B21E0BD800208DFE715DF6AF98A6447BA0FB0A315F10447AE50983361EBB4A9858F5E
              Function 07010274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 06fd652b5b0db1105da29a760147e6b62b131a6118848dac5bb84e24d00fb41b
              • Instruction ID: 6331b3dec72f2654bc73e8a00606e8f45305c461a9d3a84561f3eb773db4bacc
              • Opcode Fuzzy Hash: 06fd652b5b0db1105da29a760147e6b62b131a6118848dac5bb84e24d00fb41b
              • Instruction Fuzzy Hash: 93D113B1600786DFCB92DF68C851AAEBBF1FF4A700F098259E8959B651C738D9C0CB50
              Function 06F92F98 Relevance: 9.1, Strings: 7, Instructions: 307COMMON
              Download Yara Rule
              Strings
              • SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 06FD2856
              • SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 06FD29B1
              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 06FD292E
              • RtlpProbeAssemblyStorageRootForAssembly, xrefs: 06FD29AC
              • SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 06FD2881
              • @, xrefs: 06F93180
              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 06FD28B2
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
              • API String ID: 0-541586583
              • Opcode ID: 75581d4f9e9554deafea462ac97ea68173a8f33fd61ebb2079f2024cceb8a642
              • Instruction ID: fe4f94b41dfbc8db46dc7933b8dceb21664ef9afa16a2f9bdee7b35fbb512825
              • Opcode Fuzzy Hash: 75581d4f9e9554deafea462ac97ea68173a8f33fd61ebb2079f2024cceb8a642
              • Instruction Fuzzy Hash: 08C1A676D002299FEBB19F15CC84BBAB7B5EF84710F1440D9E948AB290D7749E81CFA1
              Function 06FE4DD7 Relevance: 8.8, Strings: 7, Instructions: 86COMMON
              Download Yara Rule
              Strings
              • LdrpGenericExceptionFilter, xrefs: 06FE4DFC
              • Execute '.cxr %p' to dump context, xrefs: 06FE4EB1
              • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 06FE4E38
              • ***Exception thrown within loader***, xrefs: 06FE4E27
              • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 06FE4DF5
              • LdrpProtectedCopyMemory, xrefs: 06FE4DF4
              • minkernel\ntdll\ldrutil.c, xrefs: 06FE4E06
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
              • API String ID: 0-2973941816
              • Opcode ID: 4545ff2897cefd52dfbd037e913c7cf4e5ea37f51eb88d0a403b4c70b7efc8af
              • Instruction ID: b93e6fe5e66587c7a631fa031eb0996a8ac02ee688d7c56ba5d9b38276e13771
              • Opcode Fuzzy Hash: 4545ff2897cefd52dfbd037e913c7cf4e5ea37f51eb88d0a403b4c70b7efc8af
              • Instruction Fuzzy Hash: 6F215B73A806047FD7E8EB6C8C45E367FDCEF829A0F140109F531AAE80C950DE50C665
              Function 06F6ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
              • API String ID: 0-4098886588
              • Opcode ID: 0cbf4056ba0d41cedb57532bfd4fbfeb4cf8e54ee4c942d75c70070dc8ee2466
              • Instruction ID: b65637c13b1a53940d2c6003e29e18452baf945cd61b5052b07c26fe20e9f540
              • Opcode Fuzzy Hash: 0cbf4056ba0d41cedb57532bfd4fbfeb4cf8e54ee4c942d75c70070dc8ee2466
              • Instruction Fuzzy Hash: FC32C272E0426A9FEBA2CF15CD94BEEB7B5AF45340F1040EAE449A7250D7319E91CF80
              Function 06F963FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: 0b9d747c9fa6ccbb5eaa529ef3fb313b589f054a98b1d7eeb9436d610ad04765
              • Instruction ID: 6492ccffea498fb63da2ac2ceef33ffbf4817300e67f36bc5fd66978713868eb
              • Opcode Fuzzy Hash: 0b9d747c9fa6ccbb5eaa529ef3fb313b589f054a98b1d7eeb9436d610ad04765
              • Instruction Fuzzy Hash: A6911971E003159BFBE5DF58DC55B6A7BE2BF41B28F090229E510AB6C1D778A801CBE0
              Function 06F92CF0 Relevance: 7.7, Strings: 6, Instructions: 218COMMON
              Download Yara Rule
              Strings
              • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 06FD2706
              • .Local\, xrefs: 06F92D91
              • @, xrefs: 06F92E4D
              • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 06FD276F
              • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 06FD279C
              • \WinSxS\, xrefs: 06F92E23
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
              • API String ID: 0-3926108909
              • Opcode ID: 9a5e24dcd26340ed97e51cd2c1c71e43faac1f3aab7fc6b8656319b93d2f72fc
              • Instruction ID: 7a65d3f7316b04621121c2e390545f9797568deb37ae430bc1430dd092447032
              • Opcode Fuzzy Hash: 9a5e24dcd26340ed97e51cd2c1c71e43faac1f3aab7fc6b8656319b93d2f72fc
              • Instruction Fuzzy Hash: 0B81AFB1914341AFEB91CF14C890A6BBBE5AF85700F04895EF894DB391D774E644CBE2
              Function 06F5645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
              Download Yara Rule
              Strings
              • apphelp.dll, xrefs: 06F56496
              • LdrpInitShimEngine, xrefs: 06FB99F4, 06FB9A07, 06FB9A30
              • Loading the shim user DLL failed with status 0x%08lx, xrefs: 06FB9A2A
              • Getting the shim user exports failed with status 0x%08lx, xrefs: 06FB9A01
              • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 06FB99ED
              • minkernel\ntdll\ldrinit.c, xrefs: 06FB9A11, 06FB9A3A
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-204845295
              • Opcode ID: dcdf594af35950cd5f4ad8b1b8193f71dc1decf9bf8555c0e4bfb0df63596066
              • Instruction ID: 5a85bdce50d2555e7dc017f8bdbafdb024ebbadbd3e96d559005bfb77578945b
              • Opcode Fuzzy Hash: dcdf594af35950cd5f4ad8b1b8193f71dc1decf9bf8555c0e4bfb0df63596066
              • Instruction Fuzzy Hash: B551E571A583049FE3A0EF24CC41BABBBE8FF85644F410519FAA5971A1D774ED04CB92
              Function 06F9C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeProcess, xrefs: 06F9C6C4
              • minkernel\ntdll\ldrredirect.c, xrefs: 06FD8181, 06FD81F5
              • LdrpInitializeImportRedirection, xrefs: 06FD8177, 06FD81EB
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 06FD81E5
              • Loading import redirection DLL: '%wZ', xrefs: 06FD8170
              • minkernel\ntdll\ldrinit.c, xrefs: 06F9C6C3
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: be2b52dd6e1c9a98826c3dca974b693f0465c16179cef12c7cf83e124ef9cf7a
              • Instruction ID: 8e52d979a58a639e9aefcde41f6356cc48e3491eed8106e3dcfd08fdccd83d61
              • Opcode Fuzzy Hash: be2b52dd6e1c9a98826c3dca974b693f0465c16179cef12c7cf83e124ef9cf7a
              • Instruction Fuzzy Hash: 1431E6B2A443069FD394FF28DC46E2ABBE5EFC5B54F050568F8546B2D0D624ED08C7A2
              Function 06F92674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 06FD2180
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 06FD2178
              • SXS: %s() passed the empty activation context, xrefs: 06FD2165
              • RtlGetAssemblyStorageRoot, xrefs: 06FD2160, 06FD219A, 06FD21BA
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 06FD219F
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 06FD21BF
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              • Opcode ID: aa1565d581f182e7587c43ddd18c354f5194106c454f3b8217c1bf4681884724
              • Instruction ID: 94089497f0944862084f8640f5577315ada2528a4e14324d46d714da494d5a5b
              • Opcode Fuzzy Hash: aa1565d581f182e7587c43ddd18c354f5194106c454f3b8217c1bf4681884724
              • Instruction Fuzzy Hash: FC31E532F412147BFBA1AA958C81F5A7A69DB95A50F094059FA14BB240D370EB00C6E1
              Function 06FA096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 06FA2DF0: LdrInitializeThunk.NTDLL ref: 06FA2DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 06FA0BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 06FA0BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 06FA0D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 06FA0D74
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              • API String ID: 1404860816-0
              • Opcode ID: ee6fb682cfaef8dec25da6f596134d22c960ca3bdddf10cba4793b3ed5ae05b6
              • Instruction ID: b3e095c1c8c13e2f038a8a1072a512aa80af947a58c691bb562e6cfaef156e3e
              • Opcode Fuzzy Hash: ee6fb682cfaef8dec25da6f596134d22c960ca3bdddf10cba4793b3ed5ae05b6
              • Instruction Fuzzy Hash: 52427EB2900715DFDBA0CF64C880BAAB7F5FF04304F1445A9D999EB245DB70AA84CF61
              Function 06FE4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
              • API String ID: 0-2518169356
              • Opcode ID: ed0c689d8f2bcc5988319d5e98fb9191b8d49dfca338f530f818a83c738933a0
              • Instruction ID: 485db699f5b08f1a12dde5b3e50ed16f28cf82b6bd2eda540098284ad6586df4
              • Opcode Fuzzy Hash: ed0c689d8f2bcc5988319d5e98fb9191b8d49dfca338f530f818a83c738933a0
              • Instruction Fuzzy Hash: EE91C072D1061A9FCB61CF98C880AAEBBF1EF48718F594169E911E7350D77AD901CB90
              Function 06FECEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
              Download Yara Rule
              APIs
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 06FECFBD
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: CallFilterFunc@8
              • String ID: @$@4Cw@4Cw
              • API String ID: 4062629308-3101775584
              • Opcode ID: e168426041b9249ec0f1dde25d43a788b735a28f7d61bb8bc7037779c8075198
              • Instruction ID: 6fbd5bd77d225650b7495413e693c41f9c3cd580e77ceaa60e6a15ae7ec5eeed
              • Opcode Fuzzy Hash: e168426041b9249ec0f1dde25d43a788b735a28f7d61bb8bc7037779c8075198
              • Instruction Fuzzy Hash: 0341BFB2D00218DFCBA19FA9CC40AAEBBB8FF44B10F04412AE924DB694D7759901CB61
              Function 06F6A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: 8515460e53c9ae1e47edd3df201afc5992799a3df5469259fec4315ea71a3925
              • Instruction ID: d0451e8a1bac8297f292f931ed355fab512b6028f08657f03af7b8863bf4d85a
              • Opcode Fuzzy Hash: 8515460e53c9ae1e47edd3df201afc5992799a3df5469259fec4315ea71a3925
              • Instruction Fuzzy Hash: D0C1AF75908382CFD791CF19C940B6AB7E4FF84714F04496EF896AB2A0E774CA45CB92
              Function 06F98402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeProcess, xrefs: 06F98422
              • @, xrefs: 06F98591
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 06F9855E
              • minkernel\ntdll\ldrinit.c, xrefs: 06F98421
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1918872054
              • Opcode ID: 8b8ea21930fa023dd849dea95c5a9a3f11b16affec81c52a220177b3e10ff953
              • Instruction ID: 5f4fa5baabe67bff273ba7c4671867409d02965b5feb377cc39fd6fdb968d60f
              • Opcode Fuzzy Hash: 8b8ea21930fa023dd849dea95c5a9a3f11b16affec81c52a220177b3e10ff953
              • Instruction Fuzzy Hash: 3091AFB1908344AFEBA1DF64CC41F6BB6ECBF85694F440D2EF59592190E734D908CB62
              Function 06F70C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
              Download Yara Rule
              Strings
              • HEAP: , xrefs: 06FC54E0, 06FC55A1
              • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 06FC54ED
              • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 06FC55AE
              • HEAP[%wZ]: , xrefs: 06FC54D1, 06FC5592
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
              • API String ID: 0-1657114761
              • Opcode ID: 685bce16ca267f64c154363630fd1ab231a1d6a8a54578bd891af18d5156d41f
              • Instruction ID: 55bf29f7a4b0d88e1b6d6c286790c3d87903051527dd7e5b8c18ea671e29257b
              • Opcode Fuzzy Hash: 685bce16ca267f64c154363630fd1ab231a1d6a8a54578bd891af18d5156d41f
              • Instruction Fuzzy Hash: 04A1D1B1A007069FD7A4CF28C850BBAB7E2AF45314F14856EE4968B781DB74F845CBA1
              Function 06F9273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • SXS: %s() passed the empty activation context, xrefs: 06FD21DE
              • .Local, xrefs: 06F928D8
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 06FD22B6
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 06FD21D9, 06FD22B1
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: adb61f5e12a64c65cbd3567fd897eb97b7fb0a4b36fe7f4cac3641b65ee7873d
              • Instruction ID: 9a83b9746eb14a59f43596ed3f7fd57dc988c2a4f517add3fef1493d56a73ec0
              • Opcode Fuzzy Hash: adb61f5e12a64c65cbd3567fd897eb97b7fb0a4b36fe7f4cac3641b65ee7873d
              • Instruction Fuzzy Hash: 5AA17E31D11229ABEFA4DF54DC84BA9B3B1AF58314F1541EAE918A7255D730AF80CF90
              Function 06F664AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
              Download Yara Rule
              Strings
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 06FC106B
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 06FC1028
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 06FC0FE5
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 06FC10AE
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              • API String ID: 0-1468400865
              • Opcode ID: f6727706056dd5ca77147b2393034eb7eeb4f202af173de2a25673bba50c53da
              • Instruction ID: a6c6a242e197f50cde2c987d19063ac95a1ddc9823256d4a4753397a458ae845
              • Opcode Fuzzy Hash: f6727706056dd5ca77147b2393034eb7eeb4f202af173de2a25673bba50c53da
              • Instruction Fuzzy Hash: 2471DDB19043449FCBE0DF19CC85B9B7FA8AF857A4F000568F9588B286D735D988CBD2
              Function 06F8245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
              Download Yara Rule
              Strings
              • LdrpDynamicShimModule, xrefs: 06FCA998
              • apphelp.dll, xrefs: 06F82462
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 06FCA992
              • minkernel\ntdll\ldrinit.c, xrefs: 06FCA9A2
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-176724104
              • Opcode ID: b281710bc6e2667085b3486a62940a4e6deaee402d145d962dd63945f994130d
              • Instruction ID: 3064b4572687ecd7ef0d676dc22e2382fc8b54d36d9e5bba764e3789a7cd244b
              • Opcode Fuzzy Hash: b281710bc6e2667085b3486a62940a4e6deaee402d145d962dd63945f994130d
              • Instruction Fuzzy Hash: 13312872E00306EFDBA0AF599D46A6BB7F5FBC0B24F160259E8106B250C779B981C790
              Function 06F70770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: 2154073c16872edca2221deaf49f6ac69159267c817e6c3f799a6597d5d042ef
              • Instruction ID: 2901e8c4f6afb82c83fbf81762818a9823471a073f4361bc1d9c62a51f14db80
              • Opcode Fuzzy Hash: 2154073c16872edca2221deaf49f6ac69159267c817e6c3f799a6597d5d042ef
              • Instruction Fuzzy Hash: 7DF1BEB1A00606DFEB94CF68C994BAAB7F5FF44314F148269E4169B391DB34F981CB90
              Function 06F5A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: b5602562b1d9b348d14ead6b2205e88406b76c747022cbe585a783d83887ee5e
              • Instruction ID: 224ddae571e85cbeea75573efa6e0275915f07d747d41c69ca2a670dc66df7a0
              • Opcode Fuzzy Hash: b5602562b1d9b348d14ead6b2205e88406b76c747022cbe585a783d83887ee5e
              • Instruction Fuzzy Hash: 2EA14972D112299BDBA1DF65CC89BEAB7B8FF44700F1501EAE908A7250D7359E84CF50
              Function 06F5CCC8 Relevance: 3.9, Strings: 3, Instructions: 164COMMON
              Download Yara Rule
              Strings
              • @, xrefs: 06F5CD63
              • InstallLanguageFallback, xrefs: 06F5CD7F
              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 06F5CD34
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
              • API String ID: 0-1757540487
              • Opcode ID: 268d15cafe98ad2ef31b470c2ae367fe123468c4218c8f78292dc4d92c2ffeb1
              • Instruction ID: bb1a6f7ef8fd3017e629330727f97cb995a0738c6ce955ef51f835090f2d993d
              • Opcode Fuzzy Hash: 268d15cafe98ad2ef31b470c2ae367fe123468c4218c8f78292dc4d92c2ffeb1
              • Instruction Fuzzy Hash: 9451DFB6914345DBC790DF65C844AABB3E8FF88614F05096EFA95D7250EB30DE04CBA2
              Function 06F9C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
              Download Yara Rule
              Strings
              • Failed to reallocate the system dirs string !, xrefs: 06FD82D7
              • LdrpInitializePerUserWindowsDirectory, xrefs: 06FD82DE
              • minkernel\ntdll\ldrinit.c, xrefs: 06FD82E8
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: a16b947e4aee95211947a7d53bc2a74f49dc0e04adbe19a0f2a81d740f0ee3ae
              • Instruction ID: 8b1988bf9c249da92f2ff80c178ab55ebbeb4b98463cfafc301ad6dfde69cc06
              • Opcode Fuzzy Hash: a16b947e4aee95211947a7d53bc2a74f49dc0e04adbe19a0f2a81d740f0ee3ae
              • Instruction Fuzzy Hash: F741EB71954304ABDBE0EB64DC45F5B77E8EF84750F05462AF954D7290E778E800CBA2
              Function 0701C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
              Download Yara Rule
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0701C1C5
              • PreferredUILanguages, xrefs: 0701C212
              • @, xrefs: 0701C1F1
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: 827b02aef459a3c4dc9eecac43d54bf15fbf6b3078e672407c1e96a46d758e58
              • Instruction ID: 529dd51112a740762fed042969c48ba8b40024b4c4f3439de88a6f693b81f505
              • Opcode Fuzzy Hash: 827b02aef459a3c4dc9eecac43d54bf15fbf6b3078e672407c1e96a46d758e58
              • Instruction Fuzzy Hash: 584162B2A4021AEBEB91DAD4CC41FEFB7F8AB04700F1441AAE915A7280D774DE448B60
              Function 06FE4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 06FE4899
              • LdrpCheckRedirection, xrefs: 06FE488F
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 06FE4888
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: a266396b3430402fea004151b3cb0fa6c9b9ea3076a0ba05779d2a333f0ade8d
              • Instruction ID: 6372278670409d941fc54464b6a1d8640f99850b8df185fec6c229318774b922
              • Opcode Fuzzy Hash: a266396b3430402fea004151b3cb0fa6c9b9ea3076a0ba05779d2a333f0ade8d
              • Instruction Fuzzy Hash: 2241AF32E187509FCBA1CE69D840A277FE5AF89A50F06066DEC5997351D734ED00CBD1
              Function 06FF4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: 01036fb5c4ba3f4a4729bbc55f1a1ca4602c924784b14ea360476edc83b161b6
              • Instruction ID: 346fe821527106cbb82fcdc7c5dd7e335b5c483506681dc424f2fa49afbafbbe
              • Opcode Fuzzy Hash: 01036fb5c4ba3f4a4729bbc55f1a1ca4602c924784b14ea360476edc83b161b6
              • Instruction Fuzzy Hash: 0241F472D202988FEBA2DBA4CC40BAEB7F5FF45340F14046ADA11EB7A2D7358901CB51
              Function 06FE20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
              Download Yara Rule
              Strings
              • LdrpInitializationFailure, xrefs: 06FE20FA
              • Process initialization failed with status 0x%08lx, xrefs: 06FE20F3
              • minkernel\ntdll\ldrinit.c, xrefs: 06FE2104
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: a7f25fd156f3c63c117c333e08ec3d580e5c3e86a6e3838edf0625fc9bf362f0
              • Instruction ID: fa0a2b160dfb944f690661eb5c134e6ceb1de3be8c6581d292a0800cf7e4d959
              • Opcode Fuzzy Hash: a7f25fd156f3c63c117c333e08ec3d580e5c3e86a6e3838edf0625fc9bf362f0
              • Instruction Fuzzy Hash: 78F0C871E4030C7BE7A4EA48CC43F9A7FACEB81B54F110065F6006B681D6F9EB50CA51
              Function 06F703E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: dd0a41ff0fb244b39a288e66c28ea0d485b7e66f3f49f887d4023ffbc3d3b0ab
              • Instruction ID: 68720b11f602a10358e17e40cec2aea8f5dc64f1e7a919d57c7ede3129a0592d
              • Opcode Fuzzy Hash: dd0a41ff0fb244b39a288e66c28ea0d485b7e66f3f49f887d4023ffbc3d3b0ab
              • Instruction Fuzzy Hash: 27712BB2E0014A9FDB81DF98CD90BAEB7F8BF08704F154069E915A7291EA34E901CB61
              Function 06F62FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @4Cw@4Cw$PATH
              • API String ID: 0-1794901795
              • Opcode ID: a011931d94b07e0697068b215ebdf5e0d8b90791a109d38b8c61dd68fc9e3360
              • Instruction ID: 57a9b9db19d211ac6004beeb500cc434b8f36b12964f212431e6430b9179292a
              • Opcode Fuzzy Hash: a011931d94b07e0697068b215ebdf5e0d8b90791a109d38b8c61dd68fc9e3360
              • Instruction Fuzzy Hash: FBF1AF72D10218AFDB94CF9ADC82ABEB7F1FF88710F555129F811AB240D779A941CB90
              Function 0702A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: be689494f0a4947830b1d9dcf4c6d5a9e160d60a53134f024321a50779950ed4
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: 77C1D0F23043529FD764CE24C844B6BBBE5AF84318F048B2DF9958A290DB74D506DB46
              Function 07002F60 Relevance: 2.8, Strings: 2, Instructions: 327COMMON
              Download Yara Rule
              Strings
              • , xrefs: 070032B8
              • *** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!, xrefs: 07003011
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: $*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!
              • API String ID: 0-4088147954
              • Opcode ID: ee517cd2b4dd5c13d136c99d782d14c51a88e3b047ba343c733474000fc6269a
              • Instruction ID: f4dc1ae6432a8e14c5cd79bfa582059e23bd8f1aa0dc380feff8f9dc02d11f71
              • Opcode Fuzzy Hash: ee517cd2b4dd5c13d136c99d782d14c51a88e3b047ba343c733474000fc6269a
              • Instruction Fuzzy Hash: DAC1ABB16083429BE762CF25C890B6BF7E5BF89724F048A2DF99587280DB70D945C7D2
              Function 06FDE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: 6b8991dfcf2213c5578d160606af056e77b3d9684a4affcea3568268d0249e7c
              • Instruction ID: 92c4e9b4ae1beb5a652d2e68b325bc037cd4951f9bba644e6deb006f4b4f10f1
              • Opcode Fuzzy Hash: 6b8991dfcf2213c5578d160606af056e77b3d9684a4affcea3568268d0249e7c
              • Instruction Fuzzy Hash: FB614C72E047189FDB94DFA8CD80BADBBB6FB48700F18406DE559EB291D731A940CB50
              Function 06F6AC50 Relevance: 2.7, Strings: 2, Instructions: 178COMMON
              Download Yara Rule
              Strings
              • LdrpResGetMappingSize Enter, xrefs: 06F6AC6A
              • LdrpResGetMappingSize Exit, xrefs: 06F6AC7C
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
              • API String ID: 0-1497657909
              • Opcode ID: 23daec4eec5a560f1db366b9d84dde943a8576ea7a03ace12a5cd1cb43b92b68
              • Instruction ID: b94226e43bbc1ecae310c5f1697b35c0328729195953155ecf3d47b28dbb74fa
              • Opcode Fuzzy Hash: 23daec4eec5a560f1db366b9d84dde943a8576ea7a03ace12a5cd1cb43b92b68
              • Instruction Fuzzy Hash: 4E610072E046499FEB91CFAAC850BADB7B6FF04751F044129F811EB290D774D900C7A0
              Function 070043D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @$MUI
              • API String ID: 0-17815947
              • Opcode ID: b8f9ee0c5bb132a7df7c6fda495a1ad28735214d040321750229dda28f60916f
              • Instruction ID: 839c582446a5ba646a09c202ddb9d676545ec79bf9f511fc48db83a2effe3006
              • Opcode Fuzzy Hash: b8f9ee0c5bb132a7df7c6fda495a1ad28735214d040321750229dda28f60916f
              • Instruction Fuzzy Hash: F6513FB1E0025DAFDB51DFA5CC80AEEBBB8EB45754F100629F911B7280D6709E05CBA0
              Function 06F94C59 Relevance: 2.7, Strings: 2, Instructions: 164COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: 0$Flst
              • API String ID: 0-758220159
              • Opcode ID: 1f4be9b15805907121430f72a58f88818bc343c42654e99f3142fc9a57c61902
              • Instruction ID: 589d1c19bb214199453dd39b475e79ad12b25001c3f0abde4ee6c9e54388fbcc
              • Opcode Fuzzy Hash: 1f4be9b15805907121430f72a58f88818bc343c42654e99f3142fc9a57c61902
              • Instruction Fuzzy Hash: 1851CDB2E10219CFEFA4CF99C88476DFBF6EF55304F14802AD1199B250E770A986CB90
              Function 06F604E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
              Download Yara Rule
              Strings
              • kLsE, xrefs: 06F60540
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 06F6063D
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              • Opcode ID: d2b305fb636bff1406ec52fc0c1c4226667cf8e68eb49d35dc7e9ca788556c78
              • Instruction ID: 2e9c4c152ea8d95a15aefea82651fe67232415769824050f7120f748b1ceb056
              • Opcode Fuzzy Hash: d2b305fb636bff1406ec52fc0c1c4226667cf8e68eb49d35dc7e9ca788556c78
              • Instruction Fuzzy Hash: 4951F4719107468FC7A4DF2ACA406A3B7E4AF85300F20493EF5A987280EB75D945CF91
              Function 06F92E9C Relevance: 2.6, Strings: 2, Instructions: 130COMMON
              Download Yara Rule
              Strings
              • RtlpInsertAssemblyStorageMapEntry, xrefs: 06FD2807
              • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 06FD280C
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
              • API String ID: 0-2104531740
              • Opcode ID: 3777b1fb9f618126c868c23ca604bb484b72db415f6c9f8818178adbe4cf7d74
              • Instruction ID: b4cc177034d31c534dec3c10e251733fa6782c9887abadb8465ea0159c6a272b
              • Opcode Fuzzy Hash: 3777b1fb9f618126c868c23ca604bb484b72db415f6c9f8818178adbe4cf7d74
              • Instruction Fuzzy Hash: 7341E036A00211FFEB64DF55C840A6AB7B6EF94B14F188129EA558B640D730EE41CBE0
              Function 06F6A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
              Download Yara Rule
              Strings
              • RtlpResUltimateFallbackInfo Enter, xrefs: 06F6A2FB
              • RtlpResUltimateFallbackInfo Exit, xrefs: 06F6A309
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: d935ae715ba3c06cb8c6a5ea67f1d031bf9530d3f1a2f960eff1522beb7f25f5
              • Instruction ID: 46a2a2e76529f5315f4e4696bf8745e14372ab3b9961347465a683b0ec875877
              • Opcode Fuzzy Hash: d935ae715ba3c06cb8c6a5ea67f1d031bf9530d3f1a2f960eff1522beb7f25f5
              • Instruction Fuzzy Hash: D841BE31E04659DFDB91CF5AC942B6E77B4FF85710F1440A9E910EB291E336DA00CB90
              Function 06FA0FF6 Relevance: 2.6, Strings: 2, Instructions: 92COMMON
              Download Yara Rule
              Strings
              • @, xrefs: 06FA1050
              • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 06FA1025
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
              • API String ID: 0-2976085014
              • Opcode ID: 63e306d397cd1c0dc00e978f8df19374e774c71d29925de243191023b7bbd813
              • Instruction ID: d09e82fad7248d0e1fd9e64ac2ea006d26239ba8c3906f0e6fdd34c873c87525
              • Opcode Fuzzy Hash: 63e306d397cd1c0dc00e978f8df19374e774c71d29925de243191023b7bbd813
              • Instruction Fuzzy Hash: 813181B2A00698AFDB91EFA5CC84E9FBBBDEB84750F014525E510A7290DB74DD01CBA0
              Function 06F9A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              • Opcode ID: 953fdc4e2565ca9aa2aba7f1779fdf030ade52d5bdcce4c03629e34d9da747fc
              • Instruction ID: c709f3137c92303736c8883b82e701539a15f2343fe09a9f621b25e69e8434b2
              • Opcode Fuzzy Hash: 953fdc4e2565ca9aa2aba7f1779fdf030ade52d5bdcce4c03629e34d9da747fc
              • Instruction Fuzzy Hash: CE01FFB2240704AFE791DF28CD86F2677F8EB85B16F018A39A558C7190E738E904CB56
              Function 06F6C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 619dce6208f8478e0d397cdd9036457ab027e69622fe710307b741202c264918
              • Instruction ID: e865b25e76014f5e011daf31283b55a78686cdb715bf8b49118943760e3debe6
              • Opcode Fuzzy Hash: 619dce6208f8478e0d397cdd9036457ab027e69622fe710307b741202c264918
              • Instruction Fuzzy Hash: 8A824C75E002589FEBA4CFAAC980BADB7B5FF48310F148169E899AB394D7709D41CF50
              Function 06FFCC20 Relevance: 1.6, Strings: 1, Instructions: 353COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: w
              • API String ID: 0-476252946
              • Opcode ID: 3b59e57f9cf61c26c035a9225a37b088efb718029daa7cb1b31a50917aa67e5e
              • Instruction ID: aef131f002f54205732e41d300a71d8706d22fb454965b40ed80ddbfce0a820f
              • Opcode Fuzzy Hash: 3b59e57f9cf61c26c035a9225a37b088efb718029daa7cb1b31a50917aa67e5e
              • Instruction Fuzzy Hash: 62D1DD30D10229ABDBA4CF54C881ABFFBF1FF44700F148459E9A997291E375E982D790
              Function 07004C34 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
              • Instruction ID: 9b4fde62a958380c20aa13265af89682bc240a4563d082d95005f6dc92c25c9f
              • Opcode Fuzzy Hash: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
              • Instruction Fuzzy Hash: ADA142F1E0028A9FEB95DF94CC80ABEB7F9EF09754F14412AFA11A7290D7709940CB94
              Function 06FE6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: ce35651136ec3beba2629e0c10022d0cec891a2e964efa862aa9f469ccb9ffd4
              • Instruction ID: 01a8b29ddc29bbcc370d646877dcdd27dde019430bbea198f1fbb3ceb598a39d
              • Opcode Fuzzy Hash: ce35651136ec3beba2629e0c10022d0cec891a2e964efa862aa9f469ccb9ffd4
              • Instruction Fuzzy Hash: 67915272A50219AFEB61DB94CD85FAE7BB8EF19B50F100065F610EB1D1D774AD00CBA0
              Function 0700E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 83b43704cde0eb962371f6d0a5f0334350b14c95c9c946fbde059e262a5fc300
              • Instruction ID: e76ff73db4ae06d4d6d854610e39f8ee5d08f50304dfaa86a92513ee36f1477d
              • Opcode Fuzzy Hash: 83b43704cde0eb962371f6d0a5f0334350b14c95c9c946fbde059e262a5fc300
              • Instruction Fuzzy Hash: A691D4B2901609BFEB62AFA0DC44FAFBBB9EF45750F100529F521B7290DB749901CB90
              Function 06F9A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: e5a619b8d82d713bc1acf8ed576c5b8322fc629396d7d097ad323b4d0716d0a8
              • Instruction ID: 5d402a43c153d833b0a8954c5bdd419ee060458e447b45d9fbb86a857f74e368
              • Opcode Fuzzy Hash: e5a619b8d82d713bc1acf8ed576c5b8322fc629396d7d097ad323b4d0716d0a8
              • Instruction Fuzzy Hash: 27716475E0421ADFDFA8DF98D9906EDBBB2BF48710F18812EE405E7240DB75A941CB60
              Function 06F7E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: 07e2125fbfed66a291c7db9291f9018e535b99048cde6c112dbbdfc4f084740b
              • Instruction ID: 74559beb7d83efb174800285efdce420e3a3a77ca76051d4433cb62662d1e225
              • Opcode Fuzzy Hash: 07e2125fbfed66a291c7db9291f9018e535b99048cde6c112dbbdfc4f084740b
              • Instruction Fuzzy Hash: AC41B072908312AFD790DA74CC40B6BB7E8AF88714F44096FF9A4D7180EA74DA05C793
              Function 06F5CDEA Relevance: 1.4, Strings: 1, Instructions: 138COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: AlternateCodePage
              • API String ID: 0-3889302423
              • Opcode ID: cd3521857ae299c6edb85b4779fb16dae9338d9f4ed38c847510f2339e58254b
              • Instruction ID: ca2bf7280d9b7cbc1d403656cee40587ec6bcf89640252d4f1b71b812b38cdcf
              • Opcode Fuzzy Hash: cd3521857ae299c6edb85b4779fb16dae9338d9f4ed38c847510f2339e58254b
              • Instruction Fuzzy Hash: F94181B6D00218EBDF64DF99CC81AEEB7F8FF44710F15415AE912A7290DA70AB41CB94
              Function 06FDC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: 9846b74f7c3072a49c48a94d20fe3c5d9d63dd6023fdc34456f179fb2d15beac
              • Instruction ID: f01f51913802d944f4529997271c8d19b3be9d4b72c1c3d1c1ba70f17eac71c5
              • Opcode Fuzzy Hash: 9846b74f7c3072a49c48a94d20fe3c5d9d63dd6023fdc34456f179fb2d15beac
              • Instruction Fuzzy Hash: DD4157F1D1022CAFDBA1DA60CC84FDEB77DAB44754F0445A5E618A7180DB70AE49CF94
              Function 06FDCCA0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: TrustedInstaller
              • API String ID: 0-565535830
              • Opcode ID: 8106536849496e0e304fd219334615a277b9afe1a918cc8df676af6b4a29019c
              • Instruction ID: cd152e451d7b043de43eaa7cdf39eb3b91259d5dc8f1b7bc4a3dc2a722709c91
              • Opcode Fuzzy Hash: 8106536849496e0e304fd219334615a277b9afe1a918cc8df676af6b4a29019c
              • Instruction Fuzzy Hash: 45317472D40619BFDBA2AB94CC40FEEBBBEEB54750F050166FA20EB190D6709D41CB90
              Function 07000F50 Relevance: 1.3, Strings: 1, Instructions: 99COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
              • Instruction ID: c89defbb9b10d65f9754d6f45442c27d3357dbf33739a8b091e9a7216f6bc78c
              • Opcode Fuzzy Hash: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
              • Instruction Fuzzy Hash: 5F313EB1118345AFD351DF14CC45EAFBBE8FB84760F444A1EB594861D0E7B1E908CB92
              Function 06FFAEB0 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
              Download Yara Rule
              Strings
              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 06FFAF2F
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
              • API String ID: 0-1911121157
              • Opcode ID: a6ca98b697ab15105823f22e56f0020bd86ed4dfc34a3f984a34875290476103
              • Instruction ID: caa7a0eb208423c1aa7b79b5def47a6d1e34d7897b0810e194ea97b14991df6e
              • Opcode Fuzzy Hash: a6ca98b697ab15105823f22e56f0020bd86ed4dfc34a3f984a34875290476103
              • Instruction Fuzzy Hash: 7131F4F2E10644EFD791DF64CC41F5ABBB9EF84B10F158665FA15AB690D738A800CB90
              Function 06F88CB1 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: WindowsExcludedProcs
              • API String ID: 0-3583428290
              • Opcode ID: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
              • Instruction ID: 92e9d89b3c41c83743b7173140fc250264163e4775e5af1c5180dd66975c6da6
              • Opcode Fuzzy Hash: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
              • Instruction Fuzzy Hash: CB212937D00215AFEBA2AA58CD84F5FB7BEAF516E0F45406BB925DB114C630DD00C7A0
              Function 07016FF7 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
              Download Yara Rule
              Strings
              • Critical error detected %lx, xrefs: 07017027
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: Critical error detected %lx
              • API String ID: 0-802127002
              • Opcode ID: 195fda091ecfe11a11d2a6c8e013b345194023d6c4b8b5b269d796e1879ec55a
              • Instruction ID: c295fa20cb101cfc66b04c5bae1f0864f415cec7b9fa83b989f135f65bb713f7
              • Opcode Fuzzy Hash: 195fda091ecfe11a11d2a6c8e013b345194023d6c4b8b5b269d796e1879ec55a
              • Instruction Fuzzy Hash: 34118BB6E00348CBDB62DFA8C8017DDBBF1EB04714F20522AD125AB282E3754501CF10
              Function 07002000 Relevance: .8, Instructions: 757COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 84870822cc9536a69fb8fd164bc75b15f35a325413416147d692851cf1ab619e
              • Instruction ID: 0c1757212b8f97aa0136b1aca7f3d5e53ea7384c98b073d046744b86f8e50c31
              • Opcode Fuzzy Hash: 84870822cc9536a69fb8fd164bc75b15f35a325413416147d692851cf1ab619e
              • Instruction Fuzzy Hash: D342C3B56083429FE7A5CF64C898A6FB7E5BF88320F040A2DF995872D0D770D945CB92
              Function 06FF8158 Relevance: .6, Instructions: 617COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 83bda7b6788861d094f980b1fe8128351a69fe7d2b769a745b82b87782f8f608
              • Instruction ID: cb138ef5c1548a807c698daf95587bdaa669b17fac5b14e66443a06916390fbe
              • Opcode Fuzzy Hash: 83bda7b6788861d094f980b1fe8128351a69fe7d2b769a745b82b87782f8f608
              • Instruction Fuzzy Hash: E0425B76E202198FEB64CF69CC81BADB7F5BF88340F148099E959EB251D734A981CF50
              Function 0700A118 Relevance: .6, Instructions: 591COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a9590aa7d68d532fd39db17157c3933b411c59b2353fab50b61f3c29f5a4aaf
              • Instruction ID: 6db18926a5b523a810609370fd18f6397ac5ba38ad287013ee225d9181e5c6eb
              • Opcode Fuzzy Hash: 2a9590aa7d68d532fd39db17157c3933b411c59b2353fab50b61f3c29f5a4aaf
              • Instruction Fuzzy Hash: 2822CCF43147528BEB64CF29C494376B7F1AF45320F08C65AE8968B2C6D775E482CBA0
              Function 06F88DBF Relevance: .6, Instructions: 554COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17758d649592b30994356811e59840dd39f802523a0a41864f9544b831d5429b
              • Instruction ID: f0988c10683ddcf8cbbd2acadd86231806fc54a5bc0c760e5702a6c54dbe6928
              • Opcode Fuzzy Hash: 17758d649592b30994356811e59840dd39f802523a0a41864f9544b831d5429b
              • Instruction Fuzzy Hash: CB228D71E0021ADFDB94DF95C9809BEFBF2BF48350B5480AAE855AB241E774DD41CBA0
              Function 06F665D0 Relevance: .4, Instructions: 383COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0dee3ea2b681b13e5e5fbf3126a3d114a45a9cb14a5e811f2cc2a85fb14c99f2
              • Instruction ID: 9beab335b57800e2437888e5aea70e61ff5b3a9764c38e46f7f439026f6f1b4b
              • Opcode Fuzzy Hash: 0dee3ea2b681b13e5e5fbf3126a3d114a45a9cb14a5e811f2cc2a85fb14c99f2
              • Instruction Fuzzy Hash: 19E16A719083428FC754CF29C590A6ABBE0FF89318F158A6DF899CB351DB31E905CB92
              Function 06F58397 Relevance: .4, Instructions: 380COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b0e75bd1e6936f3fa7cae5fe87e04a51a72c8bcf174c1bf565292010276c52a
              • Instruction ID: e017d251a45ea3db507c7983053c440a40ec271777aadc0533af73f58dda1260
              • Opcode Fuzzy Hash: 0b0e75bd1e6936f3fa7cae5fe87e04a51a72c8bcf174c1bf565292010276c52a
              • Instruction Fuzzy Hash: 25D1E472A00226DFDB94DF25CC80ABA77A5BF45354F064269EE22DB2C0EB30DD41CB90
              Function 06FF6E20 Relevance: .4, Instructions: 379COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ee75d387b7c975f327da49f9acd748c21a0edfdb2ae6524f73b8048063d41b0
              • Instruction ID: f6d42ddd641d4a8c6c80993c19d01e16fd65e0a50fec8d1c97732eae3b74e02e
              • Opcode Fuzzy Hash: 3ee75d387b7c975f327da49f9acd748c21a0edfdb2ae6524f73b8048063d41b0
              • Instruction Fuzzy Hash: 62E15770D202599FCF94DFA8D880AAEFBF1BF49304F14809AE954EB251E735D945CBA0
              Function 06F8EF28 Relevance: .3, Instructions: 347COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 38292e4a6b64060bf8679bd99c8a21c4e4e1f1e6beef9997feac677224cc5105
              • Instruction ID: 8c8069f12e06490e87fab413947c18cfd54063ef2db857933e1126c69d4f49b3
              • Opcode Fuzzy Hash: 38292e4a6b64060bf8679bd99c8a21c4e4e1f1e6beef9997feac677224cc5105
              • Instruction Fuzzy Hash: 62E132B1D01608DFCBA4EFA9D984AADFBF1FF48350F2445AAE456A7260D734A840CF50
              Function 06F7CFE0 Relevance: .3, Instructions: 345COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f08ba73505177005cfc4f686b9a5c5cc91ab66bdc8c35af56cdba8ed92412b00
              • Instruction ID: 7b32d127c99ef29616b7b53784cb7849321cd2596f3d43a1c04b11b040a80def
              • Opcode Fuzzy Hash: f08ba73505177005cfc4f686b9a5c5cc91ab66bdc8c35af56cdba8ed92412b00
              • Instruction Fuzzy Hash: F1D1C331E003198FEBA4DF14CC81BAAB7B5BF49314F8541EAD909A7280DB74AD85CF91
              Function 06FE8243 Relevance: .3, Instructions: 322COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction ID: 3580d73129216a46723197140165213e7ad6ab194ec8621e2cd5deed7561e870
              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction Fuzzy Hash: D0B14075E00604AFDFA4EF95CD40AABBBB9FF84384F14446EA96297790DA34E905CB10
              Function 06F70535 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: 1fbfc023eb0faf960d35528fcd9982fe74ff5d22e5cd69f6ffe36b7fc39d8334
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: FFB108B2A00646AFDB95DB68CD50BBEB7F6AF44314F14016AD552D7381DB30EE41CB90
              Function 06F80DE1 Relevance: .3, Instructions: 295COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7250a22adba44b14256553700bcb46161e24357f07c355a742e4f6a0ebcdb8f7
              • Instruction ID: 81f22e09f5656f2d759d2b2e1ee4ba3f10d70e1bf362d621877919264b6575c1
              • Opcode Fuzzy Hash: 7250a22adba44b14256553700bcb46161e24357f07c355a742e4f6a0ebcdb8f7
              • Instruction Fuzzy Hash: 05C18E71E00359DFDB94DFA9CD80AAEBBB5FF88304F10412AE415AB385DB35A855CB90
              Function 06F683C0 Relevance: .3, Instructions: 281COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 84a3ce3031d5a9aa4d0e1668b9e126a53ddb5e31656791d8fc52d03016ccc0c4
              • Instruction ID: 2f0cb0958363cebc81737ff4352901aea05723d89c7ee6c3ac7bdd7dc909d781
              • Opcode Fuzzy Hash: 84a3ce3031d5a9aa4d0e1668b9e126a53ddb5e31656791d8fc52d03016ccc0c4
              • Instruction Fuzzy Hash: C1C16774A08341CFD7A4CF19C884BABB7E5BF88344F44496DE99987291D774E908CFA2
              Function 06F5C427 Relevance: .3, Instructions: 280COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a17897248aea68b1f522606face29fe05dcf9d0bddd45924c42426c4841871b7
              • Instruction ID: 1702e6eb1ff461e7f5893df7b032bb0b2dc2e379e7ef8174860bc1d834e1842c
              • Opcode Fuzzy Hash: a17897248aea68b1f522606face29fe05dcf9d0bddd45924c42426c4841871b7
              • Instruction Fuzzy Hash: 51B15070E002658FDBA4DF59CC90BA9B3B1EF44740F0585EDD90AA7280EB749E85CB21
              Function 06F8E5E7 Relevance: .3, Instructions: 278COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1d95aa4f65b3327a29512dc7a4030d1ad3487027c89df7ccb25b2de9d36c0d71
              • Instruction ID: 917e6edef76fa0ec326c024ab7c00f7ca149c44a2f226fc319811bbe2349a498
              • Opcode Fuzzy Hash: 1d95aa4f65b3327a29512dc7a4030d1ad3487027c89df7ccb25b2de9d36c0d71
              • Instruction Fuzzy Hash: 8BA14A32E01219AFEBA1EB54CD44BAEFBB5AF01724F050265EA21A72D0D7789D40CBD1
              Function 06FA0185 Relevance: .3, Instructions: 276COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 49f7932891e7f28572630978d06fe322d556e1028ad73ee86af9284cde799215
              • Instruction ID: 1d697fbb6c8a5a439a74eb74b6a875e21a9bfdac77b4b5c91672f38496aa62f7
              • Opcode Fuzzy Hash: 49f7932891e7f28572630978d06fe322d556e1028ad73ee86af9284cde799215
              • Instruction Fuzzy Hash: AFA1F2B1F007169FDBA4DFA5D890BAAB7F1FF54308F044129EA5597281EB78E811CB90
              Function 07034500 Relevance: .3, Instructions: 275COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 684a92c73db6eb86a6ba052aa783118ff5b60d4306d24e1708dd5091ed123937
              • Instruction ID: 6acae7647ee7047c68d2640819b198cbb4dc31ced9f33b29b9d9ed00a852b1ea
              • Opcode Fuzzy Hash: 684a92c73db6eb86a6ba052aa783118ff5b60d4306d24e1708dd5091ed123937
              • Instruction Fuzzy Hash: C6A1DCB2A14292AFC791DF28CD80B2AB7E9FF49704F450B29F5959B690D734ED00CB91
              Function 06FE60E0 Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 67b2c9e5c833af785b081760906f6cbc29b8e69e0fc0ed92291e6fc609389c1d
              • Instruction ID: e7d03d414fdaaddc7b994cf22396353452d3b56afe7976dc425141d24c052811
              • Opcode Fuzzy Hash: 67b2c9e5c833af785b081760906f6cbc29b8e69e0fc0ed92291e6fc609389c1d
              • Instruction Fuzzy Hash: A5918F71E00219AFDF95CFA8DC85BAEBFB5AB58700F154169E510EB391D738E900DBA0
              Function 06F7E3F0 Relevance: .3, Instructions: 261COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22e920ca062690161d98e9229c1241f5fda32db0a33466eb8a2727afc523f689
              • Instruction ID: b88c0265b559cc956b7ffdbd810f02a9d43d25133351dd92d6edddc830860517
              • Opcode Fuzzy Hash: 22e920ca062690161d98e9229c1241f5fda32db0a33466eb8a2727afc523f689
              • Instruction Fuzzy Hash: BC910376E006168FEBA4DF68D944B7EB7A1FF84720F0541ABEC15DB280EA74D901C791
              Function 06F9E284 Relevance: .2, Instructions: 212COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f23fcacd3cf1a2278726288ee972e0377c6b70573fcdffe45ee6d49e5442cdc7
              • Instruction ID: 45fd011217940690870d59cafc1573edef89eec1dd8e1cd6e013a18201b2daf1
              • Opcode Fuzzy Hash: f23fcacd3cf1a2278726288ee972e0377c6b70573fcdffe45ee6d49e5442cdc7
              • Instruction Fuzzy Hash: 66816D71E00609AFEBA5CFA5C880EEEBBBAFF48340F144429E555A7250DB70AC45CB60
              Function 06F7C640 Relevance: .2, Instructions: 206COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b36d010ee905c52e49a561fc06c523ccc5e5992bbe08304324e66d51b2677a4
              • Instruction ID: 52f7ba334e5e099de23378dad3f419b37cf15f69076ee71fc45470af626da53a
              • Opcode Fuzzy Hash: 8b36d010ee905c52e49a561fc06c523ccc5e5992bbe08304324e66d51b2677a4
              • Instruction Fuzzy Hash: C671CDB5C002669FCB658F58D9907BEBBB5FF48750F15415FE852AB350D7349801CBA0
              Function 06FF8D6B Relevance: .2, Instructions: 206COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e445f5f26a9167f6ef006604f2b24af63b8513033e22478bafc8abc187e8ff19
              • Instruction ID: 066dfa08132ea6cc1235fde07bd35f40f83b09e918a2c35d9e9e5fd50efe32a7
              • Opcode Fuzzy Hash: e445f5f26a9167f6ef006604f2b24af63b8513033e22478bafc8abc187e8ff19
              • Instruction Fuzzy Hash: 4571D271D242569FCB94DF59C840AFEBBF1EF49340F048099E9A4DB261E335DA45C7A0
              Function 070147A0 Relevance: .2, Instructions: 202COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b06174f0f4de5d45505130ba76da2cd84d3c3d563dccec93ee7073f5722afd83
              • Instruction ID: f5a4627559fd790ae6e229a41206dee83284c52403a2511551eb82524fec19a3
              • Opcode Fuzzy Hash: b06174f0f4de5d45505130ba76da2cd84d3c3d563dccec93ee7073f5722afd83
              • Instruction Fuzzy Hash: F3716FF0900345EFDB50CF95D941AABBBF9EF85B00F96475AF510AB2A4C73A8904CB64
              Function 06F7260B Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d65cd0e0b768bf3f2d2a257eb7f636d90ea10732f2c0a58db6aea37f8a68cb8
              • Instruction ID: 0ed3055e06ae2d87381e1cc6843cf90a5ad853fba91e9dc8f711630e829cf373
              • Opcode Fuzzy Hash: 2d65cd0e0b768bf3f2d2a257eb7f636d90ea10732f2c0a58db6aea37f8a68cb8
              • Instruction Fuzzy Hash: 9571E376A042429FD391DF28C980B6AB7E5FF85310F0585ABE894CB351DB34EA46CB91
              Function 06FF62A0 Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef914e178ae6d50111f7f09895ac066eecdeb895deb58ecd1deb95853fc3c03d
              • Instruction ID: e36cce7d183209cd2b26a5e263990b8670731b0d701a9e67bb883af89a74a0d4
              • Opcode Fuzzy Hash: ef914e178ae6d50111f7f09895ac066eecdeb895deb58ecd1deb95853fc3c03d
              • Instruction Fuzzy Hash: 7171EE32A20B01AFEBA19F24CC55F5AB7A5FF44760F144928E226CB6F0DB75E944CB50
              Function 06FE035C Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: d3319e43dbdb784e3df9e1deab3b628d037a90f3ad99b172e2758542d777cfd4
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: 11716D71E00619AFDB90DFA9CD84E9EBBB9FF48300F104569E515E7290DB74EA11CB90
              Function 06F9CDB1 Relevance: .2, Instructions: 197COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8eea91f0cc92a42f65e512963b4e05cc9bf5d32aa311fbf3ff4956e7f915ad93
              • Instruction ID: 47cfc54db27bf5f72c6d5a7f6be1ca15a9e68245e0a10f696c9b2593b2066994
              • Opcode Fuzzy Hash: 8eea91f0cc92a42f65e512963b4e05cc9bf5d32aa311fbf3ff4956e7f915ad93
              • Instruction Fuzzy Hash: C661C471E10205EFDF98DF68C881AAEB7B5FF48350F15416AE522EB2D0D730A901CB60
              Function 07038324 Relevance: .2, Instructions: 192COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d524d72cd907d517c89f939f61ceed03ff38196a386e48a64fe25ef90c209e93
              • Instruction ID: 976076fa965dfa67178f9ca85764ec11a3d84adebd7840178d3b94c411ac848b
              • Opcode Fuzzy Hash: d524d72cd907d517c89f939f61ceed03ff38196a386e48a64fe25ef90c209e93
              • Instruction Fuzzy Hash: C5710AB1E00219BFDB55DB94CC81FEEBBB9EB04350F104259F625A7290D774AA05CBA0
              Function 06F5CF50 Relevance: .2, Instructions: 190COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
              • Instruction ID: 3c55f9799e12f4c472932f8a3d4c4da1e55915d7c8f44a8acc707703fcfb37f4
              • Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
              • Instruction Fuzzy Hash: F771AC72D11B018FE7F19E25C900B62B7E1FF81761F111A2EDEE2029E1E370A841CB80
              Function 0701A250 Relevance: .2, Instructions: 184COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed9888d055249bd093d6d2aa962bec81fdc7094b8d7673f2277955bc8c3cc995
              • Instruction ID: 2025dae7e66f8c7d38013950cc9368768470af48da135f6283661082982cb4c3
              • Opcode Fuzzy Hash: ed9888d055249bd093d6d2aa962bec81fdc7094b8d7673f2277955bc8c3cc995
              • Instruction Fuzzy Hash: B051BDF2605712AFD751DA68C884F5BB7E8EBC9750F008A3ABA50DB150D7B1ED04C7A2
              Function 06F8EDD3 Relevance: .2, Instructions: 166COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2d0c4d2d33716c515820023681c7b93d2cb320dd22d1dc0a3bd253eb10a0469
              • Instruction ID: 5c6917e6ddbefdb9be4bc4585f262f4d63448444bb89ab7eb8769050d952ef83
              • Opcode Fuzzy Hash: b2d0c4d2d33716c515820023681c7b93d2cb320dd22d1dc0a3bd253eb10a0469
              • Instruction Fuzzy Hash: 89519072A00741DFEBA0EF59DC84A6BB7F9FF44219F11096EE05297691C774E844CB90
              Function 06F8CDF0 Relevance: .2, Instructions: 165COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
              • Instruction ID: 9b24e88ac8532bdc2bb06766fdd820ac3b1b4fdb4223e1738c1f96a104f3ef39
              • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
              • Instruction Fuzzy Hash: 3351A076E0060BDFDB94CF98CA816EEBBB1FB48220F15816DD915BB340D734AA44CB94
              Function 07028DAE Relevance: .2, Instructions: 162COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27daacedac1b155230bd99d53b0e7e20133af067ed185dc9288bb824b21253ae
              • Instruction ID: 2c108c96f62488cc1cc9c6136d5591dabd46198345cb2a448da765fd50a9055b
              • Opcode Fuzzy Hash: 27daacedac1b155230bd99d53b0e7e20133af067ed185dc9288bb824b21253ae
              • Instruction Fuzzy Hash: EE5103B6614312AFD751CF28C840BAAB7E5FF84354F048A2CF99597290D734E90ADB92
              Function 07008350 Relevance: .2, Instructions: 161COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da1ba4b4ce452b67b220f4a8f727e33c10e9ff97c6705393498f151a4d988a66
              • Instruction ID: 927bc5958f54325331504a7e1a274a552ae1754f68803cafa1dafaa9ebf32a27
              • Opcode Fuzzy Hash: da1ba4b4ce452b67b220f4a8f727e33c10e9ff97c6705393498f151a4d988a66
              • Instruction Fuzzy Hash: 27514BB0900B05DFEB60DF56C884AAAFBF9BF94720F10871ED1A6576E0D7B0A545CB90
              Function 06F9E443 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20b28e47dc4df2b9477447bdc321df3531df92bc2bd7b1f089414d1ba7dc144
              • Instruction ID: 06b4fc66c83574f6445122e29b01342489fd187d32acc4e0ce31b45c97b6f1e1
              • Opcode Fuzzy Hash: b20b28e47dc4df2b9477447bdc321df3531df92bc2bd7b1f089414d1ba7dc144
              • Instruction Fuzzy Hash: 9E516C72A00A14EFEBA1DFA8CD80EAAB3F9FF04744F45052AE555976A0D734F940CB61
              Function 06F8AE00 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
              • Instruction ID: be4b0e8483a86a97edba4cc5879b07607deddc856d1f2f9b1124746abbaa65ca
              • Opcode Fuzzy Hash: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
              • Instruction Fuzzy Hash: B551E172E21601EFDBA6AF55CE50B2A7775FF81764F1540AAF8118B2A0D734EC01CB80
              Function 06F845B1 Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction ID: ffcf0b4bba1251570cbf786e974002863be7dde5cfc0c1d0b20eeec6df321a3b
              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction Fuzzy Hash: 1251AF75E0021AAFDF95EFA4C840BEEBBF5AF45754F0440AAE911AB280D734DD44CBA0
              Function 07004180 Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92afeb96b34a92e09ec254b1dce31ad78d3b406fffca5f982b17439a6bf311c2
              • Instruction ID: 71f126183528d15275a58505d7c86818268cd82b9f3aa0582e05efb0fb00833a
              • Opcode Fuzzy Hash: 92afeb96b34a92e09ec254b1dce31ad78d3b406fffca5f982b17439a6bf311c2
              • Instruction Fuzzy Hash: 76518BB16083829FD384DF29C880A6FB7E5BFC9254F444A2DF599C7290DB30D905CB96
              Function 06F5EFD8 Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f3ad77b3d0f5b711f7471c2ebe55b876ecf0dfebae1bfd048d01dce7a181245
              • Instruction ID: 96881639f6293dd63c95bf6e99b91ef0493d690ecda8b1f4fbdeaf498913f6fd
              • Opcode Fuzzy Hash: 0f3ad77b3d0f5b711f7471c2ebe55b876ecf0dfebae1bfd048d01dce7a181245
              • Instruction Fuzzy Hash: B8518F71A09341AFD380DF29DC84A6BB7E9EF88314F05496EF9A5C7291D730E905CB92
              Function 06F5AE90 Relevance: .2, Instructions: 151COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d67431525e3e8f0d6e727d6e64bd94dc8fe65080f38cf565d5dfa1cd999bcb0
              • Instruction ID: 6a5f1839ad32a3b2fac6194b7b2e494d42d2df41ee64799dbc7943d77c482da7
              • Opcode Fuzzy Hash: 4d67431525e3e8f0d6e727d6e64bd94dc8fe65080f38cf565d5dfa1cd999bcb0
              • Instruction Fuzzy Hash: 2B5121B2E00644DFDB95DF69D8807AEBBE2BF48714F16132ADD22A7280C334AC50C795
              Function 06F9CC00 Relevance: .1, Instructions: 147COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d618c073e64fe6aba002cdb3099f4fb44f8f271928ea6688c6820c63cc66b4cf
              • Instruction ID: 3e77e93b4ceadf0767357fc6b0225914865d948fcb4f31fdece20514957ac2ca
              • Opcode Fuzzy Hash: d618c073e64fe6aba002cdb3099f4fb44f8f271928ea6688c6820c63cc66b4cf
              • Instruction Fuzzy Hash: 9951F871E10386CFFFE48F26C94073A7FA5EB42695F188629E816CA251D631D581C7B2
              Function 06F9A430 Relevance: .1, Instructions: 139COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b94b8f8048c9e7cc3bf0b4bc0d4869b78a4f8a7785d9ad07b67fda8e0573a42
              • Instruction ID: 8b4918e509454ce59ba607ef54c4b5472fa75f70ca33912c549308c049766889
              • Opcode Fuzzy Hash: 2b94b8f8048c9e7cc3bf0b4bc0d4869b78a4f8a7785d9ad07b67fda8e0573a42
              • Instruction Fuzzy Hash: 0241E772B50301DBEFD4EF68DC91B6B37A5EB85704F060529ED159B281DB79B800CBA1
              Function 06F901F8 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1732aac46eed81216d2107861253ab721710d3e332a576da86c62aad588db88b
              • Instruction ID: 293b9b733e090bb9306622a3cd816530c743c84a8b59bc5d29560d45f28839d7
              • Opcode Fuzzy Hash: 1732aac46eed81216d2107861253ab721710d3e332a576da86c62aad588db88b
              • Instruction Fuzzy Hash: 27417936E002199BEF95DFA8C840AEEB7B5AF48710F14816EE815E7290DB359D41CBB4
              Function 06FA2750 Relevance: .1, Instructions: 137COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: 340077598686f2af7a794a2119b53f16ec548c858708d249b5df18c0548f305d
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: 82515B75E00215DFCB54CF98C480AAEF7B2FF85724F2881A9D815A7390D730AE42CB94
              Function 06F66154 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed33b20d45e9c309f9fb329d442993a7789958f6513f3d58d4b1f5cd81264c26
              • Instruction ID: 5d65f82982bcb2905c1fa32e7899a211d6ccf02c2e11e8f0c95775ae21c9010c
              • Opcode Fuzzy Hash: ed33b20d45e9c309f9fb329d442993a7789958f6513f3d58d4b1f5cd81264c26
              • Instruction Fuzzy Hash: C95104B1D00216DFDFA5CB64CD00BA9B7B5EF01318F1482A9E429D76D0DB39A981CF81
              Function 06F60D59 Relevance: .1, Instructions: 130COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5fbe59f148a5e177196db253f59f32b259b7aec77c7b33dd3860366e57299007
              • Instruction ID: 49e39634cb2ac77227f1dae7c4ac0870de771bd96c359c4c26f7662672414fda
              • Opcode Fuzzy Hash: 5fbe59f148a5e177196db253f59f32b259b7aec77c7b33dd3860366e57299007
              • Instruction Fuzzy Hash: D041E671E00324AFEBA1DF25CD41FABB7A9EB55710F10059AF84597281DBB4ED40CB91
              Function 0702866E Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: a1f9dd756412b5a5862b330d520596d3b723f701eb9c04baa022504ee1f7a85a
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: 804186FAB10125AFDB15DF95CC84AAFB7FAAF84610F148169E804A7381DA70DD42D750
              Function 06F8A470 Relevance: .1, Instructions: 127COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 802bbdf812235d9b80e7f96bbbb9e9b8cbc17c9ac48932b48e4059f01e839d41
              • Instruction ID: aba4886a84bdc646874d8b76cf08cfd8a9aeaf4e1444a538645ec9b3ac37cd53
              • Opcode Fuzzy Hash: 802bbdf812235d9b80e7f96bbbb9e9b8cbc17c9ac48932b48e4059f01e839d41
              • Instruction Fuzzy Hash: D9417D32E40355CFDF95EF6CD9917EA77B0FB44360F15029AE421AB291DB389980CBA0
              Function 06F5A020 Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: a19515ae20c3452da046250d4497f322b03f0e7a1f9e6c8b8214b847e732ea10
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: 1D413B36E10211DFDBA0DF96C8507FAB761EF40714F16A16BEE458B280DA318D50CB90
              Function 06F90710 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 7c287575af7499ba45bf17df762c57092cc18c171dbe1c7d1f4dbbea95f19b09
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: A9415B71A00705EFEBA4CF98C980AAAB7F4FF08710B10496DE556D7690DB30EA44CFA1
              Function 06F6262C Relevance: .1, Instructions: 119COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: df9bcf92771d1c49dd29a6abdf73f6f93bef844a9211a33563deb03ed94d58f7
              • Instruction ID: 5679826059921f8804af71d270baf39ee705858b5100087d02c174c955f64b0f
              • Opcode Fuzzy Hash: df9bcf92771d1c49dd29a6abdf73f6f93bef844a9211a33563deb03ed94d58f7
              • Instruction Fuzzy Hash: F441C1B1D01700DFDBE1EF26DD40A69B7F1FF45314F1082AAE8169B6A0EB319A41CB91
              Function 06FE07C3 Relevance: .1, Instructions: 114COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 049a878750d4767ecb810c066b9a1ab5da69b734b321a133e5930a4779670c12
              • Instruction ID: 612103d1360d5000c27c654b6fe8451e189ab2d364b63139a29592f4c3178f55
              • Opcode Fuzzy Hash: 049a878750d4767ecb810c066b9a1ab5da69b734b321a133e5930a4779670c12
              • Instruction Fuzzy Hash: C74172B19183059FD3A0DF24C845B9BBBE8FF88654F004A2AF5A8D7290DB74D914CB92
              Function 07032E4F Relevance: .1, Instructions: 112COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
              • Instruction ID: 1bfa72368e1a36e958c78471bf7cbe70d2f245bc0325b09bcffb61d926d67383
              • Opcode Fuzzy Hash: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
              • Instruction Fuzzy Hash: 414172B2A0010AEFCB15CF98CD81AAEB7B5FF85754F244169E515AB341D731EA41CB90
              Function 06FE05A7 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7b7d5f8a1f080aa2512413d7abf1c46b44d21e9be9181520b6e4ab754b28b555
              • Instruction ID: 08c8cf9914f433fc14260f3a701bc16eb593f0b75320aefca82a98562f4ff6f6
              • Opcode Fuzzy Hash: 7b7d5f8a1f080aa2512413d7abf1c46b44d21e9be9181520b6e4ab754b28b555
              • Instruction Fuzzy Hash: 6441C172A047459FC360DF68CC40B6ABBE9FFC9700F044A29F89597680EB70E955C7A6
              Function 06F580A0 Relevance: .1, Instructions: 111COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b5270954d55f017cb320b15adb5f952508f45a47eb3bb0a2f777a0887a887d5
              • Instruction ID: 0c5cb3423e595507234e4f409c9d2d39030a41ab273862aff919a683d9db0dd8
              • Opcode Fuzzy Hash: 8b5270954d55f017cb320b15adb5f952508f45a47eb3bb0a2f777a0887a887d5
              • Instruction Fuzzy Hash: 5641C372E05525AFDB80DF19CD406A8B7B1BF447A0F268229DD36A7290DB30ED41CBD0
              Function 06F66EE0 Relevance: .1, Instructions: 107COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 477dc91422517e1c9b4bc4a62d85dcae24f51106e2a4ddc0fc59af1af092edb6
              • Instruction ID: 0b7050ad0eed0408757ad9085472cac9573f6cc623d8a5c7f853559af2beb957
              • Opcode Fuzzy Hash: 477dc91422517e1c9b4bc4a62d85dcae24f51106e2a4ddc0fc59af1af092edb6
              • Instruction Fuzzy Hash: FB418B36A10A46EFDB96DF26CD44B5ABBA5FF85300F044055F80187691DB75F820DB91
              Function 06F58CD0 Relevance: .1, Instructions: 107COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 831ace38baa51b42cbdd2c408c0adf711c72c39843838c0188f467e006179895
              • Instruction ID: 1cd2f5959d981da7c91aeae9dfb432787e63893a9a7e1198fa566f60dea98b98
              • Opcode Fuzzy Hash: 831ace38baa51b42cbdd2c408c0adf711c72c39843838c0188f467e006179895
              • Instruction Fuzzy Hash: 3931D572D042249FDBA0DF55CC405AAB7F2FF54360F26452AE976A7290CB319D01CB80
              Function 06F702E1 Relevance: .1, Instructions: 106COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: efdb797016e0ea7b600aa4a7f88fbd22b9ce4723c985bf6d8900aeeb57a0b85b
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 2E311672E04244AFDBD1CB78CC80F9ABBE9EF04350F0441AAF865D7391DA749984CBA4
              Function 0700E3DB Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 19179c8304b29dfffdac3a3fad04cb2ae093199a175b3097982ce6d03d3e1714
              • Instruction ID: bc9baeb83e294eb9ba278ef4be829108763e7f55aa1c6c2a6f075e5ade38aefe
              • Opcode Fuzzy Hash: 19179c8304b29dfffdac3a3fad04cb2ae093199a175b3097982ce6d03d3e1714
              • Instruction Fuzzy Hash: 3E31A3B1750715ABE762AF65CC41F6F76A9AB49B60F100568B610BB2D0CAA4DD00C7E0
              Function 06F5EE5A Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 864a77293ea42d93d8ad5c71b5163843ac4aeb641fe1a98b96ed771a02d3faeb
              • Instruction ID: 74d0f08c1059b9ccbc9b8c91a71471937fcda1a8bd74273e4ddabd840bfe20b1
              • Opcode Fuzzy Hash: 864a77293ea42d93d8ad5c71b5163843ac4aeb641fe1a98b96ed771a02d3faeb
              • Instruction Fuzzy Hash: A3412731E047848FDBA0DB69D8003EEBBF2AF49308F15492DD5AAA7380CB345904CB95
              Function 06F64260 Relevance: .1, Instructions: 102COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75a55ae04374743e353f31f259b523a53bfe37d9394720d4268970f9542b0739
              • Instruction ID: 7a9ba8b44db3566a71662f1483e84f9cd5aa802d520469fe5cd4de61f3028354
              • Opcode Fuzzy Hash: 75a55ae04374743e353f31f259b523a53bfe37d9394720d4268970f9542b0739
              • Instruction Fuzzy Hash: F641DF72600B45DFD7A2DF28CA92FD677E8AF49314F01852DE56A8B290CB35E804DB90
              Function 07000DF0 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
              • Instruction ID: d99de0810fae8ff9e4e719284c908d0ebc1e5c17adba5102a0f7f80a4bd32130
              • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
              • Instruction Fuzzy Hash: A231B4B2105389AFE715DA14CC01F6BB7ECEB40664F05462EF85197290E770ED05CBE2
              Function 070261C3 Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5ff625b933edea636decb5760c3ba8ce6ed54cbe82d6c7eeedc6dd5828f7709
              • Instruction ID: 1d0c5e4f6866173de01b8b0d075d1f1f1802396dcdfe5acda546d5a8f979db34
              • Opcode Fuzzy Hash: c5ff625b933edea636decb5760c3ba8ce6ed54cbe82d6c7eeedc6dd5828f7709
              • Instruction Fuzzy Hash: 4531E6B6A00666ABDB55DF98CC40FAEB3F9EB44740F414269E410AB280D770ED05CBA4
              Function 06F607AF Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13e8eed9e86feb8bc77583c1415d7564de87dc4b3683415de14fa7c7a5891cfc
              • Instruction ID: 69f22c3d7b9226f632985c383834efdeb4dfd915e0de4f93c58224e85da8363b
              • Opcode Fuzzy Hash: 13e8eed9e86feb8bc77583c1415d7564de87dc4b3683415de14fa7c7a5891cfc
              • Instruction Fuzzy Hash: EA31B172A08611DFD792DE268D80AABBBA5AF84650F124529FC6597260DE30DC11C7E1
              Function 070260B8 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc4c5b09bd2a443c67ab04f63c6cf8d2846bc65ead97ce24c9d61f009668a9e5
              • Instruction ID: 74daebc1d09239e711d9fa78cbe5392990c4113401af1564f01b925a3af298b3
              • Opcode Fuzzy Hash: cc4c5b09bd2a443c67ab04f63c6cf8d2846bc65ead97ce24c9d61f009668a9e5
              • Instruction Fuzzy Hash: A43102B2B00221EFDB129FA8CC40A6FB7F9AB44754F040269E411DB791DA31ED02AB90
              Function 06F68550 Relevance: .1, Instructions: 94COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd0bbd5fb44454f6c3df59049c4345a7b85af81c58c2879a236308d51c0fea85
              • Instruction ID: 699e9fe69df6b96c53fae37b8cc5782dfbcb9df415dbcae1ce0c19000f49b5c7
              • Opcode Fuzzy Hash: dd0bbd5fb44454f6c3df59049c4345a7b85af81c58c2879a236308d51c0fea85
              • Instruction Fuzzy Hash: 48317A72A093028FE3A0CF19C940B2AB7E4FF88760F05496EF89597291D771ED44CBA1
              Function 06F8AF69 Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a24227ed6bf09dcf0c9226f422895b670722f0b7540b0553b68bd4ac18161c45
              • Instruction ID: e44aea8106bbf3e5f94643c9fff1e45ea3dd69ff5f4344ede53c5787a7a76428
              • Opcode Fuzzy Hash: a24227ed6bf09dcf0c9226f422895b670722f0b7540b0553b68bd4ac18161c45
              • Instruction Fuzzy Hash: 18318476A011299FDB61AF25CD48FAFB7B8FF44344F0500EAE818E7250DA349E40CB91
              Function 06F9A6C7 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: 599e906cedbb3427b3f00b34a7b55128331751a30908d6b863710d1d203c17c0
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: AF310A72F04B01AFEBA4CF69DD41B57B7F8AF49A50F18092DA59AC3654E630E900CB61
              Function 06F8438F Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ff9f4115f9769bf51c40584479977fdeb5186bbb2c0d2084dacbc49319a7213
              • Instruction ID: 6a062821be5bc0a761dfdaca8c7b422a7f11928eaac6ebc94bab8185acc4dd4d
              • Opcode Fuzzy Hash: 4ff9f4115f9769bf51c40584479977fdeb5186bbb2c0d2084dacbc49319a7213
              • Instruction Fuzzy Hash: E631C032F006069FD790EFA8CD81A6EB7F9BB84704F1085AAD415D7290D734E945CB90
              Function 06F5E420 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 099e7c23221e57a7890039772ae6ccf15e6ba256194eaf59b8256a1079d1e91b
              • Instruction ID: 7024faa5c581cef0d196ae8e4a73c199577a438011bc1d901430d85a446f5773
              • Opcode Fuzzy Hash: 099e7c23221e57a7890039772ae6ccf15e6ba256194eaf59b8256a1079d1e91b
              • Instruction Fuzzy Hash: 8931C476E4012C9BDBA1DF14CC41FEEB7B9AB05740F0201A1EA55A7290D674AF80CF91
              Function 0701C3CD Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: f84250624f0c765ee592f17c2aacea53be38ad51aad9c03317ccf5405cc130c6
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: 0C212BBA640651BBEB15ABA58C00BBBB7B6EF40710F40812AF9A587691E674DD50C370
              Function 06F5C156 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e67eb5bacfd3e942bcf7255f9f98c9698cf4a93f203c459526a63de9181c520a
              • Instruction ID: 3d5f29c8a28293c03f59ba4ed9c1193f4e5bf70b86f3624c3227eaeed7787f69
              • Opcode Fuzzy Hash: e67eb5bacfd3e942bcf7255f9f98c9698cf4a93f203c459526a63de9181c520a
              • Instruction Fuzzy Hash: B03139B2D003108BDBA0AF29CC81BE977B5EF41314F5492A9DC459B381DA78D982CB91
              Function 06F66E71 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aaf9cbdbc1c47e90855f8a3ee9dcdf307d9d9b574182199a90be0b03dafc7302
              • Instruction ID: 91a3eb7ba8e39bebadc0fac4099a42f5eeddb89f714cf38781547468a5f044e8
              • Opcode Fuzzy Hash: aaf9cbdbc1c47e90855f8a3ee9dcdf307d9d9b574182199a90be0b03dafc7302
              • Instruction Fuzzy Hash: FC31CF7190020AAFEB64DF69C940BAAF7B4BF41324F14075AE5159B1D2CB74A941C791
              Function 06F944B0 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7df777ea8940080c381a367b62b934dbbe66b4cab24291d46dfe2729843d6337
              • Instruction ID: 9f4cf6266d1ea194acee33774a02c1d577a84f14da276c64c5b21beb50e94e3c
              • Opcode Fuzzy Hash: 7df777ea8940080c381a367b62b934dbbe66b4cab24291d46dfe2729843d6337
              • Instruction Fuzzy Hash: 6B21E372A047059FDBA2DF58C840B6B77E4FB88760F044619F9549B280C730E901CBE2
              Function 06F94588 Relevance: .1, Instructions: 87COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction ID: 0c041e53d890e1ae92960f2403f920eb1b7f6390299a785fa7dd69bac2fb363e
              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction Fuzzy Hash: 84217471A00608EFDF55CF58C980A8EB7F5FF59714F108165ED259B281D671DA06CBA0
              Function 06FDE609 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8bca1cd97cffcbc4e8809419c58ce80e31f51a9113b82d3b2a43070a04b7f001
              • Instruction ID: cdf5515ba34165bbb82e6a2906e35c53a0e19f3a835e746418b955e5bc495f7a
              • Opcode Fuzzy Hash: 8bca1cd97cffcbc4e8809419c58ce80e31f51a9113b82d3b2a43070a04b7f001
              • Instruction Fuzzy Hash: A431CE75A20205DFCB54CF18C8809AEB7B6FF89700B198569F9099F390E772FA41CB90
              Function 06F5E388 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: 3374145f42ff7fae30facdeca16e531ac6ece2e4a76912f7152aba67a3f3b53c
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: 9431AB32A00604EFE761CF68C884F6AB7F9FF44354F1545A9EA528B290E730EE02CB51
              Function 06FE06F1 Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: adf6e0d9c0e0be4c372f4b9c5d8b9a428750eaa8fc44c17660084f394f50abe0
              • Instruction ID: 560dd31ad511a1f59b070098c74c521ae094f4b8187cb1df37d6d92fcd98bc6c
              • Opcode Fuzzy Hash: adf6e0d9c0e0be4c372f4b9c5d8b9a428750eaa8fc44c17660084f394f50abe0
              • Instruction Fuzzy Hash: A9219F72D00229ABCF50DF59CC81ABEBBF4FF48740B55006AE951AB240DB78AD51CFA0
              Function 06FE019F Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 61ed219bfc6a12b51a1045df7d6e4c4ea45ec8a0ac00911a0dbfc1dca73e9717
              • Instruction ID: 8a1ba3d06f546fa9922216b76e664d130ae531e28c4bbd972237ba020b37c292
              • Opcode Fuzzy Hash: 61ed219bfc6a12b51a1045df7d6e4c4ea45ec8a0ac00911a0dbfc1dca73e9717
              • Instruction Fuzzy Hash: EF218B72A00644BFD755DBA8DD40F6AB7E8FF48744F14006AF904DB690DA78ED50CBA8
              Function 06FE0283 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c0004a3fa77db2a3bc67ed77cc4b0833c73c6963f423abdb94bbe3fac62a7b0d
              • Instruction ID: a4b2f168bd3c951868356f75d1730749e7592adeb5aa2ab05de1f8ca07fed4f4
              • Opcode Fuzzy Hash: c0004a3fa77db2a3bc67ed77cc4b0833c73c6963f423abdb94bbe3fac62a7b0d
              • Instruction Fuzzy Hash: C221B072D043459FD791EF59CC44F5BBBECAF90640F080466BC90C7291DB74D918C6A2
              Function 06F66C50 Relevance: .1, Instructions: 73COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
              • Instruction ID: bfba60c4b89a4fd4e9d669fbcadef54ef6c18b6434d9c0bf7d1be73c1d8c0a28
              • Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
              • Instruction Fuzzy Hash: 0A318B75A00601CFC760CF19C590B16BBE9FF48718F2484ADE949CB752DB31E942CB91
              Function 0701A49A Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b8695154efcfe287a216ad352371aa8802c79e1faa777210f329a7cce9ddfb8
              • Instruction ID: f111adb663677a251ecba537683e45b4afa9b6eb6211b7eb1716821e47d7afe8
              • Opcode Fuzzy Hash: 0b8695154efcfe287a216ad352371aa8802c79e1faa777210f329a7cce9ddfb8
              • Instruction Fuzzy Hash: AD113AF2385B10BFD76255589C10F2B769ADFC4BB0F104224B728CB1C0DA70DC008795
              Function 06F9A30B Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 657ce9847e2516f1ce88a912f43c9ffa004dfbd6193675bb8d508e785b269cd8
              • Instruction ID: d204ef04d38963b767c5693da6c01f781f9bfdd45116464497f0efb03688acce
              • Opcode Fuzzy Hash: 657ce9847e2516f1ce88a912f43c9ffa004dfbd6193675bb8d508e785b269cd8
              • Instruction Fuzzy Hash: 3F21BB76600A10EFDBA4DF28CC01F56B3F5EF48B04F248569A459CBB61E332E842CB94
              Function 06FF80A8 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction ID: 345539ea50fd2d809ddab1c4e9c7cd42bc857c5bb05075364eefcc1d784f3526
              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction Fuzzy Hash: 0E216D72A10209AFEB529F94CC40BAEBBB9EF48350F200416FA21A7260D774D950DB50
              Function 06FE0E7F Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 82ade68d7041f6a704a0f5f31481440f6bfdcdec75c97d135f366d1e6f0681cc
              • Instruction ID: 3f4ac79bac793540d83de84719526bb2073e34fd151327ce10f9a0ed792fcf6b
              • Opcode Fuzzy Hash: 82ade68d7041f6a704a0f5f31481440f6bfdcdec75c97d135f366d1e6f0681cc
              • Instruction Fuzzy Hash: 5E21C372900A44AFC765DB65CC90E9BBBB9EF88740F10052AF516D7690DB38E910CB64
              Function 06F68770 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9098233259fa2d2572fff588d76e3f1d6f535d55c8f72abd396769d0e934deab
              • Instruction ID: 61b25fd79f59c3a6a94e3bb202aae15edfe7d323df87cb6ecab7e16978f62124
              • Opcode Fuzzy Hash: 9098233259fa2d2572fff588d76e3f1d6f535d55c8f72abd396769d0e934deab
              • Instruction Fuzzy Hash: 75119476F01611DBCB91CF5BC5C0A66B7E9AF4AB90B18416DFD189F204D6B2D901C7A0
              Function 06F90124 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: 8bf8940a356775b2cbe5a8203e6ba78659dd3470c5212fc32ecb728426859402
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: 3711E273A00614BFEB629B54CC41F9ABBB8EF81754F204029E6108B180DA71ED84CB64
              Function 07004F42 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
              • Instruction ID: 57a2df62c20cfabf96906431a5fac77317959b247fbac05887e41d0a815a4aa6
              • Opcode Fuzzy Hash: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
              • Instruction Fuzzy Hash: 0A216FB5E00219EFDB05CF89C8809AEFBB9FF59314F1141A9E905AB351DB719E41CBA0
              Function 06F680E9 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ac2fe2de6c50ca2921962440de6dc108ee82c92e286c795f48bc2a8a01cf461
              • Instruction ID: 7edd86f61c151516f88956b50ee72e01cae1995db310e72bc580d33a2a0c9dca
              • Opcode Fuzzy Hash: 0ac2fe2de6c50ca2921962440de6dc108ee82c92e286c795f48bc2a8a01cf461
              • Instruction Fuzzy Hash: 4D218E72E00209DFCB14CF59C581A6EBBB5FB88358F20416DE115A7311CB71AD06CBE0
              Function 06F9674D Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4663ae9e688efb986cb68f3bed88112466002aa22a008ce0f495b1658ee9ca14
              • Instruction ID: cb3539bd4c11df86c551ed5f48e1f0418f5e062a011bdd177982a0d50c809419
              • Opcode Fuzzy Hash: 4663ae9e688efb986cb68f3bed88112466002aa22a008ce0f495b1658ee9ca14
              • Instruction Fuzzy Hash: 75216075910B00EFEBA48F69C881F66B3F8FF44750F44882DE4AAC7650DA70B850CBA1
              Function 06F966B0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0c90e869dd037baefd7a1bf620b6572be257d74a5b2440f6cbeee5115b38afa3
              • Instruction ID: 5fe8a3f012867d9af8a0cbbfc5b4c2f1e052b0609c1654b82fb157cd7659cfbf
              • Opcode Fuzzy Hash: 0c90e869dd037baefd7a1bf620b6572be257d74a5b2440f6cbeee5115b38afa3
              • Instruction Fuzzy Hash: C6119E76E01204EFEFA5CF59D980E5ABBE8EF84750B06417AD905DB310DA34DD00CBA1
              Function 06F62F12 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: da5553a09d481c78daee07c4364dc49062729ba42bc6770b521928975ad07ae5
              • Instruction ID: 2e63b435a2e6ba2444128be80235a155e3d88cef4e49872f58097a8d742e81f3
              • Opcode Fuzzy Hash: da5553a09d481c78daee07c4364dc49062729ba42bc6770b521928975ad07ae5
              • Instruction Fuzzy Hash: 39112531B043105BD7E0A72F9C82B1BB7E9AB80E60F950266F505AB2C0D9B6DD00C2A4
              Function 06FEE7E1 Relevance: .1, Instructions: 59COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction ID: 62680d55dbda3f67ca65e272166cf838cf1a95167be03197fc551aa89e4abafb
              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction Fuzzy Hash: 9F11CE32E04601EFEBA09F45EC40B5ABFE6EF45750F058429F8599B2A0EB71DE44DB90
              Function 06F827ED Relevance: .1, Instructions: 58COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44c107f47fbff65ccad995d2fb037729fed8b9ac551a8a38fb16fb2c4ef6cd1a
              • Instruction ID: c43997c41a7660385bdd48c7645ea29979185ad14113deed5cc359a2666da516
              • Opcode Fuzzy Hash: 44c107f47fbff65ccad995d2fb037729fed8b9ac551a8a38fb16fb2c4ef6cd1a
              • Instruction Fuzzy Hash: 6001D672F09649AFE796A269DD54F27779DEF807A4F0500BAF8008B290DB54EC00C2F1
              Function 06F64690 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b371e374336e52af3892cdd217f9d1427d2ac4ab150ea18c2b525086fe31fdbb
              • Instruction ID: 29074771433167918e7736a13d3793baaa8fe698e51740e28a0642bb1b2832e1
              • Opcode Fuzzy Hash: b371e374336e52af3892cdd217f9d1427d2ac4ab150ea18c2b525086fe31fdbb
              • Instruction Fuzzy Hash: CE11E576A40744AFDB65EF5AD980F5677E8EB86B65F048215F814CB250C774E840CFA0
              Function 06F96620 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f1b12ddba3f28d5027e8f7f0ac58565ab3fc0a5bba98ddaeb710bf76e963c9d
              • Instruction ID: c91851f4f3c18e7c2b683aab968d07bb6922cb7d25a4d66b56e0428ece6e6f90
              • Opcode Fuzzy Hash: 2f1b12ddba3f28d5027e8f7f0ac58565ab3fc0a5bba98ddaeb710bf76e963c9d
              • Instruction Fuzzy Hash: 3F11C272D00714ABEBA1DF69CD80B5EF7B8EF85740F500059E900AB240C730AD01CB60
              Function 06F8E53E Relevance: .1, Instructions: 55COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction ID: 5e87ae923b6fbb76befd9524642abbdb2ae20fa885c3038cdca078a81f88cf2f
              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
              • Instruction Fuzzy Hash: 4F112533E027C6AFEBA2AB28CE44B25B795EF41764F1900E5DD01CBA81E328C842C251
              Function 06FEE75D Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction ID: f9cd660e60447f3891d6fd933353aa97276325cfbbb8bd9c2db94eb379897c39
              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
              • Instruction Fuzzy Hash: 8F012832E00105AFE7A19F54DC00F5A7FA9EF49750F098534F9259B2A1E771DD40CB90
              Function 06F5A250 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: d41795e11b875c4865f109425d0553b2f9c7a6794060fe63b53b6d5115172602
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: F701D672D15715AFCBB08F16EC41A367BA5EF45B607018A2DFDA58B680D731D821CBA0
              Function 06F66259 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0b132b9dc7c3b02c61561cca92c05a39b674f37dde3c949e3e0fe6f79a00749
              • Instruction ID: e7dfd79de5e7143c164a7c2a04cc9941c8d7ecefb9bffee2d87d1ae8c222ab0d
              • Opcode Fuzzy Hash: a0b132b9dc7c3b02c61561cca92c05a39b674f37dde3c949e3e0fe6f79a00749
              • Instruction Fuzzy Hash: 091173B1A41218ABDFA5DF64CD41FD9B374AF44710F5442D4A324E60E0DB709E81CF95
              Function 06FDE1D0 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cac56eadcb55bc3009f0a92ca97b148976f36567c38cfbdf023c73186d8821eb
              • Instruction ID: c9da317a842c930407aa1a3345ecc52726dc57d0ac82f5de7a86bfb37b33fc1d
              • Opcode Fuzzy Hash: cac56eadcb55bc3009f0a92ca97b148976f36567c38cfbdf023c73186d8821eb
              • Instruction Fuzzy Hash: 6611AD32641240EFDB95EF19DD90F16BBB9FF44B94F2400A5F9059F6A1C235ED01CA90
              Function 06F56DF6 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3422c997390722079a56d0ce09cb5d95b19a396ae887d94f94e6676b77cb0da3
              • Instruction ID: 99a2e7461dd9d96b8a5ceaf366ca581f9f490c2af4fc79996221d72a0e736c3d
              • Opcode Fuzzy Hash: 3422c997390722079a56d0ce09cb5d95b19a396ae887d94f94e6676b77cb0da3
              • Instruction Fuzzy Hash: 0701B532B14702AFCB906A66DC448AB77A5FF86220B401228FA5587691DBA5EC21C7E1
              Function 06F96DA0 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
              • Instruction ID: cc30ee06a83a7185d5fac272027a217442743254ad36e7157f173416b51e76f6
              • Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
              • Instruction Fuzzy Hash: C2012472A082156BFFA9AB25DC04B9F7B68DB80B50F15405AA906DB2C0DB74D880C3F4
              Function 06FF6500 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6eaac038886acfa3b2f3c88514bb287a91bbd7eb7d56f95541bf744ea34a9248
              • Instruction ID: 61c81f492b82a1bd81b1d05841f36b05957797ebb0ef2edc2378247be38f4fb6
              • Opcode Fuzzy Hash: 6eaac038886acfa3b2f3c88514bb287a91bbd7eb7d56f95541bf744ea34a9248
              • Instruction Fuzzy Hash: BF11A532A541459FD710CF58D850BA6B7B5FF5A314F0C8159E944DF366DB32E844CBA0
              Function 06F6208A Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: 0a62ddd1008a72c7de1b5d67359d99ea5f3e7c21ffda7bf0e4f8aa88a9dfe024
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: 6E012833E01100AFEF909A1ADC90B927766BFC4700F1565A5FC018F246DA71C981C390
              Function 06FE6050 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: de7a2ae7461acd4181af26a8436861714fa81d6084c30c8c13441171d5216131
              • Instruction ID: ba5eb5f5ee4dc7dced1e08a999f83dd4fa874a11998fb851970dc2c373f5e519
              • Opcode Fuzzy Hash: de7a2ae7461acd4181af26a8436861714fa81d6084c30c8c13441171d5216131
              • Instruction Fuzzy Hash: 0C11177390011DABDB51DB94CC80EDFBBBCEF48258F044166A916E7210EA34AA15CBE0
              Function 07034D30 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e93805516ac9f86794deecfb06cad0303980ef614e07cf4ca6cb2a0b24c7f14
              • Instruction ID: 2d425a3d6765eda0d53867dff2efc1f959763ce1ed617549482f60eeb99cdfa0
              • Opcode Fuzzy Hash: 2e93805516ac9f86794deecfb06cad0303980ef614e07cf4ca6cb2a0b24c7f14
              • Instruction Fuzzy Hash: 880196B2600258AFCB10DF99CC45EAFBFFDEB48650F050254F515D7251C634D910CB60
              Function 06F9E5CF Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 82efccb4981d38f510a702369dd08864bd97ee34c9b4d5e085ff7e8e8212019b
              • Instruction ID: c21c006a691ec1b20694caf3cff19b86cadf2890614afddbf27764459060ebe7
              • Opcode Fuzzy Hash: 82efccb4981d38f510a702369dd08864bd97ee34c9b4d5e085ff7e8e8212019b
              • Instruction Fuzzy Hash: ED01F2B2600A00BFD3D1BB7CDD80E27B7ACFF856A0B00062AB51483691DB64EC01C6E0
              Function 06FA20F0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7cd1fbd808970214b50e604ae1b10dc6236569676eb22b0696d33816d264997e
              • Instruction ID: 834063d97d8172fa25336d23b2261c4e8075b05ac0ce2b612a4d5f97bebe1982
              • Opcode Fuzzy Hash: 7cd1fbd808970214b50e604ae1b10dc6236569676eb22b0696d33816d264997e
              • Instruction Fuzzy Hash: 04118CB2A0020CEFDB84EFA4CC51FAE7BB6EB44744F004059F9259B290DB35AE11CB90
              Function 06F5C020 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: c5bbe5607f7dd28571135ee8e7f661a0992035a8fbf8e6e2d0dae30fb5e8a5d2
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: C101F572A007049FEFA2A66ACC40EA773E9FFC4210F05541EAA56CB540DA70E801CBA1
              Function 06FEC460 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 546c7daa8cae21466d8b78e85e83f653f90758bbe8a693f73ced68744fa52369
              • Instruction ID: b073688b6fa3fdbd41ec679b7726abdb9ec6c7f4136eac63ade4bd32c86c88fc
              • Opcode Fuzzy Hash: 546c7daa8cae21466d8b78e85e83f653f90758bbe8a693f73ced68744fa52369
              • Instruction Fuzzy Hash: B6115B71A0020CAFCB45EF64CC40EAE7BB5FB48240F00405AB82197380DB34EA11CB90
              Function 06F5826B Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e971d6637e72b0eb3e971bd1929a0f7d3352ecafe4536fbe3997f592db8cc7d7
              • Instruction ID: 466cc160b7a77e51f1793c741229f54ca43a5eb3d978c005b70ecd8b0f31f55a
              • Opcode Fuzzy Hash: e971d6637e72b0eb3e971bd1929a0f7d3352ecafe4536fbe3997f592db8cc7d7
              • Instruction Fuzzy Hash: 2001A272B00618EFD784EB6ADC019AFBBA9EF80290B164169DE11E7694DE70ED01C691
              Function 06F7E016 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 039272d1540dfce30faf183a9c9e20b75ebc333ba1a62069d7d17134d8f42b2c
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: FA018F32A006849FE3A2871DC948F6677ECEF46754F0D14A7F909CB6A1DB78DC40C661
              Function 06FE4C0F Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: afce48688db40d02bd591ab7a5b1d7d7478b25608bd522519287114360b00fb2
              • Instruction ID: 74cf961e489c82c1a3a29f2dce12e81834946292bf058f6aad3adde82a214b7d
              • Opcode Fuzzy Hash: afce48688db40d02bd591ab7a5b1d7d7478b25608bd522519287114360b00fb2
              • Instruction Fuzzy Hash: 49018FB2F00315ABDB50DF9DDDC0A5EBBE8AB88B50F110269E91497240D7B99D088764
              Function 06F62582 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f5220ea6ade0e74038ed153cda68d4542a588263ba85acfff651e58c8f8d4c08
              • Instruction ID: d39c8d16d8cc6eb65dc4155a7a49a58c152dbc10e1125282b79283088d7f8343
              • Opcode Fuzzy Hash: f5220ea6ade0e74038ed153cda68d4542a588263ba85acfff651e58c8f8d4c08
              • Instruction Fuzzy Hash: F9F0F433B41A20BBC7719B5BCC40F47BAAAEB84BA0F004529B50597640CA30ED01CBA0
              Function 07034F68 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72298d33a8d799b48d9ea226cd6f7c2025d3dfd7921d1fb0cb8329d9927d67ec
              • Instruction ID: 81e5d7cd57022c93339715b0cb7d1cce7f80279e02eed105aafcc3c8a9c6059f
              • Opcode Fuzzy Hash: 72298d33a8d799b48d9ea226cd6f7c2025d3dfd7921d1fb0cb8329d9927d67ec
              • Instruction Fuzzy Hash: D20125B1A0024DABCB40DFA9D8419AEB7F8FF48304F14456AF911E7380D774EA008BA4
              Function 0703634F Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 24dd623792850bcd2d5d2ffce6557d69739931c87e7a8f16611fb3dca48ebf6d
              • Instruction ID: f808cd1bc80bbeaefd0f7770332ffc870af18bbf1b14fe9382a3a0fbd590be18
              • Opcode Fuzzy Hash: 24dd623792850bcd2d5d2ffce6557d69739931c87e7a8f16611fb3dca48ebf6d
              • Instruction Fuzzy Hash: 060144B1A1020DEFCB44DFA9D95199EB7F8EF48304F10405AF914E7390D778AA018BA4
              Function 0703625D Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1ed9da0ea3038f05d4b5930b2e1eda3ef6421900b8e2d14a85a05817ff1d3e4
              • Instruction ID: 8e2d5d90871498268196e0791ae31914a3f4af9474f6e56d72c1a9e97817d338
              • Opcode Fuzzy Hash: c1ed9da0ea3038f05d4b5930b2e1eda3ef6421900b8e2d14a85a05817ff1d3e4
              • Instruction Fuzzy Hash: F40121B1A10609ABCB44DFA9D851DAEB7F8EF48304F11405AF914E7391D674AA018BA5
              Function 070362D6 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1b4a0f571166a47cabe4638f25cb7a00cb3d9211c2cf0759654aacfa5772b4cc
              • Instruction ID: 7016391265a03babd5e6df72f2cd1cd7e7c14e1cb7e60e68b7e4edef6ee24448
              • Opcode Fuzzy Hash: 1b4a0f571166a47cabe4638f25cb7a00cb3d9211c2cf0759654aacfa5772b4cc
              • Instruction Fuzzy Hash: 470121B1A10209ABCB44DFA9D8519AEB7F8EF48304F50445AE514E7390D674AA018BA4
              Function 06F5C310 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: 16d5e5a1052c0e89f0d5b1cfb74191a048103708acf8a5e978dac84a8d1f197f
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: A9F0FC33605B329FD7F217594C45B6BB6D58FC1A64F1B003DEB179B244CAA18C01D6D1
              Function 06F8C073 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 564b443714da879d238990f71473a5bb06f9bd49a32160a469059fc95ae7ee1b
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: 7BF0C2F2A00614AFD364DF4DDC40E57F7EADFC4A80F048169A655C7220EA31DD04CB90
              Function 07034FE7 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4801504b5871db1b408b1902c4bdb462a2c34133977cb8020bd04aa1852dae3
              • Instruction ID: 45949ca2bb345125f120577b7134a950d718f21c2044dcb6ad9a6431ee79aa9c
              • Opcode Fuzzy Hash: b4801504b5871db1b408b1902c4bdb462a2c34133977cb8020bd04aa1852dae3
              • Instruction Fuzzy Hash: D1012CB5A1020DABCB40DFA9DD819EEBBF8EF48344F10405AE515F7390E775EA018BA4
              Function 06FE63C0 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: cf3b49c80a0b1617055c6e12edf00119a424568903edfd1e676556162961af15
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: 42F01D7220001DBFEF419F94DD80DAF7BBDEB59298B104125FA11921A0D631DE21EBA0
              Function 070361E5 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a421c0df6b301f9f64f8deb173024c57c82fa428540c1ac2f3d20e65687bc94
              • Instruction ID: 5b0a2e97cdf0e358ca3b534f5ca44711c6ecf0d261e609274eb1667c653faafe
              • Opcode Fuzzy Hash: 0a421c0df6b301f9f64f8deb173024c57c82fa428540c1ac2f3d20e65687bc94
              • Instruction Fuzzy Hash: 23018FB1A00649ABCB00DFA9D841EEEB7F8EF48310F14405AE500E7380D778EA01CBA5
              Function 06FEA4B0 Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 96ed031f5178fb25dcaef87b6c6df31eb318d81fe5078c3bc497ecc40d480c5e
              • Instruction ID: 5822cb004c1df31a32a916b57cc73c5613c6c222594bd5c8185fc7c1d50313f3
              • Opcode Fuzzy Hash: 96ed031f5178fb25dcaef87b6c6df31eb318d81fe5078c3bc497ecc40d480c5e
              • Instruction Fuzzy Hash: F8019736510219EBCF129F94DC40EDE3FA6FB8C764F068201FE1866220C636E970EB91
              Function 06F9656A Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d49554f68c358eb809f2ec4ec752005ac5b1025bfaebce855d4994516b8cf890
              • Instruction ID: 088ceeebf8bf491153da7863b21b8235918d6f3e3cda8fcbb1ad237ef2b5c3e6
              • Opcode Fuzzy Hash: d49554f68c358eb809f2ec4ec752005ac5b1025bfaebce855d4994516b8cf890
              • Instruction Fuzzy Hash: D30144B1A007849FF7E69B6CCD49B2537E9AB40B44F4D0294F911CBAD2D778E401D525
              Function 06F5C0F0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab77aa7aaebe9aaaaa5b0ccc88529a247813625b9e434fd1a03f242197b3085d
              • Instruction ID: df72633d6b2635a124cab6ce1ab35a967ea7c96dd41892cb640eea87b0fc4bf9
              • Opcode Fuzzy Hash: ab77aa7aaebe9aaaaa5b0ccc88529a247813625b9e434fd1a03f242197b3085d
              • Instruction Fuzzy Hash: E2F0B4B2B143115FF7D4A61A9C01B623296EBC0B91F26806EEF078B2D0EA71DC01C398
              Function 0700437C Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: 632ae571b1824abc4db24d807f847d643b26cf5e69b8d2296af06c3e23bd946f
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: 31F0B4F534199387EBF5AA299C60A2AB2D69F819A0F05272CA6519B6C0DF50D80087D4
              Function 06F647FB Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b0ae335deea649aabc884da282d0aa39971ed469f17f4d67555dcd15d00f170
              • Instruction ID: 3b02ac11c36abc2085d0ca10cb9d472db00286db47dbe4bf76e3d069a7f4b00a
              • Opcode Fuzzy Hash: 3b0ae335deea649aabc884da282d0aa39971ed469f17f4d67555dcd15d00f170
              • Instruction Fuzzy Hash: F8F0B471D2A6E0DFD7F3EBBAC444B6177D49B00624F0CC96AF45987561CB24D884C6D1
              Function 07020115 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1d105b095b6efbbad63752a63cb6dc9ac189bf2e65702492f0fe66a9fa8b875
              • Instruction ID: a7dc353da5eef9f3ab92bcb8953bf6f3e5cb1e3a6b666189bd8c86a8199aeef1
              • Opcode Fuzzy Hash: e1d105b095b6efbbad63752a63cb6dc9ac189bf2e65702492f0fe66a9fa8b875
              • Instruction Fuzzy Hash: 09F05CF76167D24ACFA15B38B8623D2ABE89781514F0A17C9C8A057300D67E8483D221
              Function 06FA2619 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: 8a4246a6c5ac136bbc48ebd2420c2a1375d663d0d2929ef8d2f321c4ba13a12a
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: F7E092723016002BD7919E59CC80F47776EAF86B10F040479B5045E391C9E29D0986A4
              Function 06F9C5ED Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12d92769a7f3badaf1acef4a406d415d46998bee27c2c8cbe69471d2b100f53e
              • Instruction ID: 25461d8d0b824ab5319f99d9a3376cc2bbde1eb6a4b083f36f58419558f84410
              • Opcode Fuzzy Hash: 12d92769a7f3badaf1acef4a406d415d46998bee27c2c8cbe69471d2b100f53e
              • Instruction Fuzzy Hash: 1CF0E272D116909FFBF2D758C548B7177D89B42BA5F089526E40EC7552C260C880CAB1
              Function 06F9CF80 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
              • Instruction ID: 0564724bbd05a99515774ccc8d71aa8c52aa269d1d53edccc7127608c345053d
              • Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
              • Instruction Fuzzy Hash: EAF0A773604149EFEB519B56DC00E9EFB6AEF81754F188012F9148B290D731B861C761
              Function 06FF6030 Relevance: .0, Instructions: 29COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction ID: ac79825c4b8cf5ddd2f3e7ef556400e8f00e29f0285462472ca6f980ec8266cc
              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction Fuzzy Hash: 6DF030725242049FE3608F05DD84F52B7E8EB05364F55C026E709DB560D7BAEC40CBA4
              Function 06F60710 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: 6ccb7be1c7932b9dd73d4053b026b3a9071397aff8cfb3148b020c446ffb1263
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 9AF0227A604344EFEB99CF17D140AE57BE8EB413A0F100095FC428B340EB31E982CB85
              Function 06F58E1D Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
              • Instruction ID: 3a46d9b74c882eb4033381462457e69ad44b9422cdd228f258b5e4560386a56d
              • Opcode Fuzzy Hash: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
              • Instruction Fuzzy Hash: 03F05E31501B20DFE7B16A16CC40B5276A1AB416A1F064A19A1761A8F0CB20AC42DA40
              Function 06F5EC20 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
              • Instruction ID: 1dc96d615d42b4a09f6ff6c23a28e9f6c99ebb460f99c829c753f0afa5870859
              • Opcode Fuzzy Hash: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
              • Instruction Fuzzy Hash: 7BF0A071500288AFEB988B00C808F253B99AB04324F02851AFE188A192C774DE84CB45
              Function 0700678E Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction ID: d94b69144ea1682c41bc8d84f5ce0bc914b240810e1d09b9c48a13bec98f2319
              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction Fuzzy Hash: 3CE0DFB2A00114BBEBA197998D05F9ABAEDDB94EB0F050059B604E71D0D531DE10C6D0
              Function 07034164 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3e6c62c580a59889ded709ed10e072f9813b7d1312db74ccde80b18ffbbd94bb
              • Instruction ID: 49db0f20d5cb310b1bc70762a55b651a5be8107ce98f3d056f8341c40d098325
              • Opcode Fuzzy Hash: 3e6c62c580a59889ded709ed10e072f9813b7d1312db74ccde80b18ffbbd94bb
              • Instruction Fuzzy Hash: 70F065B1936DD28FE7F1D764E554F6573E8AB10634F2A07A5E4058FA61C724DC80C690
              Function 06F98EF5 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 683f3aeb4b7c5750ec91adc0e5b52bee0789091cf13a2c775a432d1a3d5deadf
              • Instruction ID: 9be419787423a551499dcfbb451fe974936089d070c349665af317804943a066
              • Opcode Fuzzy Hash: 683f3aeb4b7c5750ec91adc0e5b52bee0789091cf13a2c775a432d1a3d5deadf
              • Instruction Fuzzy Hash: FCE02B35F366104FEF754B2095003993BD26B427DCB4929CAD8149F201C31CD803E660
              Function 06F625E0 Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 5845347fde9aa155882b7bd6eb80fc93bf4b33ff62af88a3e768ccfd76db7d39
              • Instruction ID: 8e142b5b87db8e54428790c3a94eb9082795e2603689582c5d938d73ebd2bc81
              • Opcode Fuzzy Hash: 5845347fde9aa155882b7bd6eb80fc93bf4b33ff62af88a3e768ccfd76db7d39
              • Instruction Fuzzy Hash: 0DE09272100654ABC791BB2ADD01F8B77EAEB90765F014615B125571D0CB35A910C784
              Function 0701A456 Relevance: .0, Instructions: 23COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction ID: e43b3a98dd79da36cf58f2df5f5764be37f5435fc78e125b2d8493fe99378b90
              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction Fuzzy Hash: 57E092B1111611DFD7F26F25DC48B5276E0BF80711F14CD2DA0AA014F0C7B498C0CA40
              Function 06FE4000 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: de109ee6c4ea9cdfb1674def6326f0b0b558fbf81bb6b7a9e8c4dc2c6e060c94
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 9AE0AE34B002058BD755CF19C040B627BA6BFE5A10F28C079A9488F205EB32A842CA40
              Function 06F5823B Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: d0e166472507da237ed349cd63f65ee489e257118da890afa6415c5d050618b4
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: 2DE0CD32914A30EFE7F12F16DC00F517AA5FF44B90F154919E551064F4C7705C81DB45
              Function 06F58C8D Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
              • Instruction ID: 29118819ac889f34ff444937f8b8e87901457cceba6d0b56d8074564b249c1f2
              • Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
              • Instruction Fuzzy Hash: D5E08632811630EFE7F16F12ED08F5276A5AB40751F014529E123058E08B70DCC5D685
              Function 06F62050 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a39c0dff2181c8543a3f61d99fc90a36c8c9e33a4946051f26ff724bbc859e28
              • Instruction ID: 6df78d7d55d6b9aff5f5361cd72ab7dc4187035c83f75dc917cb835dfdcdc833
              • Opcode Fuzzy Hash: a39c0dff2181c8543a3f61d99fc90a36c8c9e33a4946051f26ff724bbc859e28
              • Instruction Fuzzy Hash: D7E0C2331005606BC791FB6EEE41F4A73EEEF95660F014221F161872D0CB25ED00C794
              Function 07016ED0 Relevance: .0, Instructions: 17COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 060d296e8d26ecb49ad336c8a787268f93ccbb25a937a2f458a648f6d28e60a5
              • Instruction ID: eb41ddb256e0280b5c35b6e4623ff045ab907a7781487f663c72a0f4f4eeb5ff
              • Opcode Fuzzy Hash: 060d296e8d26ecb49ad336c8a787268f93ccbb25a937a2f458a648f6d28e60a5
              • Instruction Fuzzy Hash: 99D02EB800C2C583CA12490888603BA3F8E4743E0CF28A3BCC4660FA02CE074893E22A
              Function 06F9E59C Relevance: .0, Instructions: 16COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: ab975aa695d2483e1c3b52e8d81dfe754af8adb03faf4bae4117df7d4c31fe0a
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: 9CD0A7335145206BD7B19A1CFC00FC333D9AB48721F050459B014C7050C360AC41C644
              Function 06F5A0E3 Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: 4b6cfec568731c610bebb14c7769ef7f3df8ca90e41e6b0f8e2fc976206b5920
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: BAD02233626030A7DBA856606C00F637945AB80A90F0B012E390A93800C0048C53D6E0
              Function 06F9CF50 Relevance: .0, Instructions: 14COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 95ea3e574bfba59b0c53b657ae23fb24f247aa4af7fd6c4300a043e19f5f7273
              • Instruction ID: 3872a0c31aafa5d9a6f80bbdfb8f27080afe9f7d9a3479ae37becd79bf6e2887
              • Opcode Fuzzy Hash: 95ea3e574bfba59b0c53b657ae23fb24f247aa4af7fd6c4300a043e19f5f7273
              • Instruction Fuzzy Hash: 5AD0A732000244ABC741EF19DD41F063BAAEB94740F010020B404472A1CA35ED60D648
              Function 06F9CF1F Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c2a8838ef917f9b1898341fb7a202d48a20324806ef93f58a187b5d7e259d96a
              • Instruction ID: 5610b6844010f32c8bb612792333b5db40dcfc72f15cc3bcb7e9a56749ebcc20
              • Opcode Fuzzy Hash: c2a8838ef917f9b1898341fb7a202d48a20324806ef93f58a187b5d7e259d96a
              • Instruction Fuzzy Hash: 14D05E72511540EFEB66CB04CD46F2673E4F740B09F4542B8A0058B920C729E800DB50
              Function 06F9C700 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: 7dc7ca946df04f0cd468b0837fcdcf73dd8f7a8e635e1a122f7e4d9c8b49e70e
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: CCC01233290648AFD752AAA8DD01F027BA9EB98B40F000022F2048B6B0C631E820EA84
              Function 06F80310 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: afd55eb6468bafd5b5279fe7270b32ae5e5e4367ec2373d848e431d8db74f86d
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: A5D01236100248EFCB42EF41DC90D9A772AFBC8710F508019FD19076508A31ED62DA50
              Function 06F60750 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: 8d98dedf7590bd8ed073a1a7eccee5073f1b530cb9c128ef9f72c1e14f63f531
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: 26C04C75B115458FCF55DB1AD694F8577E4F744740F151890E805CB721E724E801DA11
              Function 07016F00 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
              • Instruction ID: a7fc830137e1b1f4a1d57755c2a89ffabfbd9e48707c1d462b16920c1a0d2e97
              • Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
              • Instruction Fuzzy Hash: ACC09B3F1556C189CD178F3553127D4BFA0D7435D4F5D14C5D4D11F512C5154513D625
              Function 07034DAD Relevance: .0, Instructions: 6COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
              • Instruction ID: 0ad212a91ea61d4e797a1f9f2659f576862f348a710b079626cb13d521b1e9d2
              • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
              • Instruction Fuzzy Hash: 81B01232222544CFD7427720CF00B1832E9BF017D0F0900F0650089870D61C9A10E601
              Function 06FA4650 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7aa8a82b591639e982e8da5b27ea20b1f46c2dbd6f51997862f82ed822de6243
              • Instruction ID: ba08b051b77ecc9b4fe6daa671d1f047e9dc24e469904f8df9e07ff10f6cbab4
              • Opcode Fuzzy Hash: 7aa8a82b591639e982e8da5b27ea20b1f46c2dbd6f51997862f82ed822de6243
              • Instruction Fuzzy Hash: FE90026160150052418071598C04446600D97E1341395D115A06655A4C861889559A69
              Function 06FA4340 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d4c7b138f29c08b28bb38a59456bb09f27d7c5e4ea6a643272fd986b8386098
              • Instruction ID: bdd51274f80678aaeaa86beb61863956efdf24673547556a5aaf10690e8e7e4f
              • Opcode Fuzzy Hash: 0d4c7b138f29c08b28bb38a59456bb09f27d7c5e4ea6a643272fd986b8386098
              • Instruction Fuzzy Hash: 2990023160580022918071598C84586400D97E0341B55D011E0535598C8A148A565B61
              Function 06FA2EE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13f619d130d75664f15265f6190254e3d6ab8e8fbae51818069c92b3bb5928d2
              • Instruction ID: 19ca3ea9ccb935d284cf58b812db5bbe25e14a2a020efbbfe53ef3459d35cb26
              • Opcode Fuzzy Hash: 13f619d130d75664f15265f6190254e3d6ab8e8fbae51818069c92b3bb5928d2
              • Instruction Fuzzy Hash: 1490026120180413D18075598C04647000D87D0342F55D011A2175599E8A298D516935
              Function 06FA2EA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6639a9cb2e66a41066094b074a004b07718c6f47ebc3c4369de13ea55e213066
              • Instruction ID: 6d75c5f9177d74b810beadb54b7feb1d416ad317e3f282a89429ed50f76ea2ec
              • Opcode Fuzzy Hash: 6639a9cb2e66a41066094b074a004b07718c6f47ebc3c4369de13ea55e213066
              • Instruction Fuzzy Hash: 3390027120140412D18071598804786000D87D0341F55D011A5175598E86598ED56E65
              Function 06FA2E80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c5c39d70a67cc8ae9f778c656b5f9df7c6e6383b1086d601e5c02e0b60b5618
              • Instruction ID: d8c57a814ff2cf4067ae815964126810c17a24d5c26c8c78dae081cb8ddfd159
              • Opcode Fuzzy Hash: 9c5c39d70a67cc8ae9f778c656b5f9df7c6e6383b1086d601e5c02e0b60b5618
              • Instruction Fuzzy Hash: 7990022160140512D14171598804656000E87D0281F95D022A1135599ECA258A92A931
              Function 06FA2E30 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 988e50e9da007f5a9989ab9fb3f64f38a735e3d47a2aaf3f635301d5d8c36181
              • Instruction ID: d01508d44a8e64702d51f43120eee8521be1147272ebf39f67aae336915b6558
              • Opcode Fuzzy Hash: 988e50e9da007f5a9989ab9fb3f64f38a735e3d47a2aaf3f635301d5d8c36181
              • Instruction Fuzzy Hash: D990022130140412D14271598814646000DC7D1385F95D012E1535599D86258A53A932
              Function 06FA2FE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8fbcd900b2ebf9352b7dea25240f0ea39f865b122cd31ca2b904ec61c774f20e
              • Instruction ID: 06753373523db2e951f2a4b2d51373a30c3698498e245f6ce63aad459c946a7d
              • Opcode Fuzzy Hash: 8fbcd900b2ebf9352b7dea25240f0ea39f865b122cd31ca2b904ec61c774f20e
              • Instruction Fuzzy Hash: 2B900221211C0052D24075698C14B47000D87D0343F55D115A0265598CC91589615D21
              Function 06FA2FB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d7e4b15d696e8f1b148fe197c4b6315ab46744322794092d98a4ffce6304683
              • Instruction ID: 87d70db9b911f679ab215a402e66aec19b8c50be92582c027c92adef7b49f51a
              • Opcode Fuzzy Hash: 4d7e4b15d696e8f1b148fe197c4b6315ab46744322794092d98a4ffce6304683
              • Instruction Fuzzy Hash: A39002216014005241807169CC44946400DABE1251755D121A0AA9594D855989655E65
              Function 06FA2FA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b22aa740f1fdedfdea76508566ca84989be1d4a8659817c3135969cf1cfb8deb
              • Instruction ID: 88f26493953ebb97a801e96997051752f3ad67a97467b6004c58ae18fe389e80
              • Opcode Fuzzy Hash: b22aa740f1fdedfdea76508566ca84989be1d4a8659817c3135969cf1cfb8deb
              • Instruction Fuzzy Hash: 6090023120180412D14071598C08787000D87D0342F55D011A5275599E8665C9916D31
              Function 06FA2F90 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e3e41171b3ede6961a4a8c709a37f45c049e48d02b49235db48009d1e6c056dd
              • Instruction ID: 178c636a9ff435ce2aec5208a2c68372511c46e670cf4850003c81a728af5cd5
              • Opcode Fuzzy Hash: e3e41171b3ede6961a4a8c709a37f45c049e48d02b49235db48009d1e6c056dd
              • Instruction Fuzzy Hash: 0490023120180412D14071598C1474B000D87D0342F55D011A1275599D862589516D71
              Function 06FA2F60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe8812e9760fbbe759d4c7ff02dd40710f0ad1b86373789ed7e3f8554d97bb89
              • Instruction ID: 707839b2a547e04ef163c1cebdf92bf4dcc23ce3f1cee2d894276688d301f527
              • Opcode Fuzzy Hash: fe8812e9760fbbe759d4c7ff02dd40710f0ad1b86373789ed7e3f8554d97bb89
              • Instruction Fuzzy Hash: 2390026121140052D14471598804746004D87E1241F55D012A2265598CC5298D615925
              Function 06FA2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f8d36d866f317b7110475e9e7c106f692a4f6867e33214a9eca8f26712dee5f2
              • Instruction ID: 183726df6c54a9f2572767f446530ce2380d3618d19fd4772c2dbf7bd4b1be54
              • Opcode Fuzzy Hash: f8d36d866f317b7110475e9e7c106f692a4f6867e33214a9eca8f26712dee5f2
              • Instruction Fuzzy Hash: FE90026134140452D14071598814B46000DC7E1341F55D015E1175598D8619CD526926
              Function 06FA2CF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29f80e977644ccece9ca2ca3085a2c5c8c0db4c27d56a37590b76cf4340cfc4c
              • Instruction ID: 6d8d3bc676e0b82faee3bb2a71bb755dabcbc74298ba4f773aaff113c826385a
              • Opcode Fuzzy Hash: 29f80e977644ccece9ca2ca3085a2c5c8c0db4c27d56a37590b76cf4340cfc4c
              • Instruction Fuzzy Hash: 7E90023120140413D14071599908747000D87D0241F55E411A053559CDD65689516921
              Function 06FA2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 86da7385fa12faef11c264a6ea5cc760ea9ce3162b669e8730f7801234811ad3
              • Instruction ID: a78974d7ef8fd1e6c0dde863202f60d3878345b6787a21682fa174bb02d1c990
              • Opcode Fuzzy Hash: 86da7385fa12faef11c264a6ea5cc760ea9ce3162b669e8730f7801234811ad3
              • Instruction Fuzzy Hash: 5190022160540412D18071599818746001D87D0241F55E011A0135598DC6598B556EA1
              Function 06FA2CA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e235a2525473b10cb83923d12670ac899e7c9530fefc73c6ad5ce7c60a654d8e
              • Instruction ID: 02db5e75feeeea0013a2e9b8edabc3bb9db67f5d512c56a08936bc4778ee950e
              • Opcode Fuzzy Hash: e235a2525473b10cb83923d12670ac899e7c9530fefc73c6ad5ce7c60a654d8e
              • Instruction Fuzzy Hash: 5990023120140412D14075999808686000D87E0341F55E011A5135599EC66589916931
              Function 06FA2C60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09ef9ce06873f1200b5da0f0303714fe545e4fec73fdb48d60d0a233d91c7a3f
              • Instruction ID: 4da1277f01d64026ca4a673172b85fc26f11ca0e8d7630722b944aaf26f9c302
              • Opcode Fuzzy Hash: 09ef9ce06873f1200b5da0f0303714fe545e4fec73fdb48d60d0a233d91c7a3f
              • Instruction Fuzzy Hash: 8C90023120140852D14071598804B86000D87E0341F55D016A0235698D8615C9517D21
              Function 06FA2DD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e9f98d570a651e715fa24a0176b1c65703432f8fbed8ca4fdf9b3af80650241
              • Instruction ID: 83af37a85154355d96601dde3185a15b487b70a3e3c213d47ab95348afa0f594
              • Opcode Fuzzy Hash: 6e9f98d570a651e715fa24a0176b1c65703432f8fbed8ca4fdf9b3af80650241
              • Instruction Fuzzy Hash: 8B900221242441625585B1598804547400E97E0281795D012A1525994C85269956DE21
              Function 06FA2DB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 02029aa8ee30ae4a80e87102f5c263275326e406cd263323729d95c9ee66aa5b
              • Instruction ID: 62a9d9ba0d21de45cf73f07c9a9ae448417ce7f8a54b637412726714b0547933
              • Opcode Fuzzy Hash: 02029aa8ee30ae4a80e87102f5c263275326e406cd263323729d95c9ee66aa5b
              • Instruction Fuzzy Hash: 2490023124140412D18171598804646000D97D0281F95D012A0535598E86558B56AE61
              Function 06FA2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a02d7c1be3d979a7918762dd651358358623c42cf873b0617d9ca4ab09be466
              • Instruction ID: 28bdf2598667ed3940d2df04209ad55847eb55d1ba4e79ad897cb5656eda2741
              • Opcode Fuzzy Hash: 8a02d7c1be3d979a7918762dd651358358623c42cf873b0617d9ca4ab09be466
              • Instruction Fuzzy Hash: 7590022130140013D18071599818646400DD7E1341F55E011E0525598CD91589565A22
              Function 06FA2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0144b044acc3f958c1588fbb24b4b4988125b116f804886f718a25acf9122ffe
              • Instruction ID: 28642a8eeec6073a7f2535714e1e72a167ca00a407f1ecaeefb0c4cd881ac8de
              • Opcode Fuzzy Hash: 0144b044acc3f958c1588fbb24b4b4988125b116f804886f718a25acf9122ffe
              • Instruction Fuzzy Hash: 0A90022921340012D1C07159980864A000D87D1242F95E415A012659CCC91589695B21
              Function 06FA2D00 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eaa05dbada7903ba235267234236f5df6567751fb903f79e6dcf40f97d1b4311
              • Instruction ID: 710a761d4202d48f42a2a9b96e81f44d2e8fc1b2c4ae73449998b37578d88832
              • Opcode Fuzzy Hash: eaa05dbada7903ba235267234236f5df6567751fb903f79e6dcf40f97d1b4311
              • Instruction Fuzzy Hash: E890022120544452D14075599808A46000D87D0245F55E011A11755D9DC6358951A931
              Function 06FA2AF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2db768d26ca39536fd6fbfc97dfc31e067aac838223f14e025e44d45338dad37
              • Instruction ID: 381825d610aae86c11511aee08a59c5e328ff5ca9810c64e5d07b2c3ff46bdfa
              • Opcode Fuzzy Hash: 2db768d26ca39536fd6fbfc97dfc31e067aac838223f14e025e44d45338dad37
              • Instruction Fuzzy Hash: F1900225221400120185B5594A0454B044D97D6391395D015F15275D4CC62189655B21
              Function 06FA2AD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1bb6c69930e4fad6f819751889beab8bb30511b6cef20c4b523d2885d49ad5cc
              • Instruction ID: cec36f144ef2aa51bd184530b92854974c2600e232f511627fcba61e527f4c99
              • Opcode Fuzzy Hash: 1bb6c69930e4fad6f819751889beab8bb30511b6cef20c4b523d2885d49ad5cc
              • Instruction Fuzzy Hash: 7A900225211400130145B5594B04547004E87D5391355D021F1126594CD62189615921
              Function 06FA2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a018e8398c0d5513529b85c1fd9edd1cc1302f3de20e50441fb42ddc17240fe
              • Instruction ID: b61fa3f442ad212b439818eb49793ba1fee6b0648cb46c943176b439860ee21e
              • Opcode Fuzzy Hash: 8a018e8398c0d5513529b85c1fd9edd1cc1302f3de20e50441fb42ddc17240fe
              • Instruction Fuzzy Hash: 019002A1201540A24540B259C804B4A450D87E0241B55D016E11655A4CC52589519935
              Function 06FA2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 923cc097c22a89ea15f8d1f3df78f54dc6020ca26f4f154944477b69681768d4
              • Instruction ID: 03669afa5e8925d878a4e93c9ebed35661aa58e934da5ed0c3e06f3faca13e3a
              • Opcode Fuzzy Hash: 923cc097c22a89ea15f8d1f3df78f54dc6020ca26f4f154944477b69681768d4
              • Instruction Fuzzy Hash: 4990023120140812D1C07159880468A000D87D1341F95D015A0136698DCA158B597FA1
              Function 06FA2BE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6db48c5b03f24b7d9a6a48e6faddb5f8c824c1632308a7ec02c095a362a5fc01
              • Instruction ID: 467b4ee85d11d6543aa1c352eec01140094e9c48d69d90a7dccfd72df27c1103
              • Opcode Fuzzy Hash: 6db48c5b03f24b7d9a6a48e6faddb5f8c824c1632308a7ec02c095a362a5fc01
              • Instruction Fuzzy Hash: B090023120544852D18071598804A86001D87D0345F55D011A01756D8D96258E55BE61
              Function 06FA2BA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ca29e443a8b8bb2c916f979051866c6bec4b2b3a1b0bfd98395d5481b2abb863
              • Instruction ID: 1f4a60f6e378bacbffdfad3adf258b998b4a3b7916c69582446ace5377373f1f
              • Opcode Fuzzy Hash: ca29e443a8b8bb2c916f979051866c6bec4b2b3a1b0bfd98395d5481b2abb863
              • Instruction Fuzzy Hash: D590023160540812D19071598814786000D87D0341F55D011A0135698D87558B557EA1
              Function 06FA2B80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fefae0547a263503830d69c18b8908fa0ab33d0bcf147af2c068dee0cc412037
              • Instruction ID: 81e93d4f0de39fa7e3257eec2241e39232481d20a826ccfdaa0ce5efbd92219e
              • Opcode Fuzzy Hash: fefae0547a263503830d69c18b8908fa0ab33d0bcf147af2c068dee0cc412037
              • Instruction Fuzzy Hash: 5F90023120140812D14471598C046C6000D87D0341F55D011A6135699E966589917931
              Function 06FA3090 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 000ff28bde2f211083693fc2276ae5427b8f686f64a5fbe4796bf576f0d3dbef
              • Instruction ID: a1faffe56194c605a6b1e5d1c702f23e9144ad4af5e309a85b7b05a7f5680f52
              • Opcode Fuzzy Hash: 000ff28bde2f211083693fc2276ae5427b8f686f64a5fbe4796bf576f0d3dbef
              • Instruction Fuzzy Hash: 1790022124140812D1807159C814747000EC7D0641F55D011A0135598D86168A656EB1
              Function 06FA3010 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ff98b53c32dcf24aa9a624b808bc8d22efc477400f7804565f1bbe25936d59e7
              • Instruction ID: bc2b46f47c229449129cef1958ac05f1e8c1c73a272d6beb62c0dcfe7c00497d
              • Opcode Fuzzy Hash: ff98b53c32dcf24aa9a624b808bc8d22efc477400f7804565f1bbe25936d59e7
              • Instruction Fuzzy Hash: F490022120184452D18072598C04B4F410D87E1242F95D019A4267598CC91589555F21
              Function 06FA3D70 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9f54609a069f253131e0c5384d36138c09a92434e04ede391c3d5815143f87fb
              • Instruction ID: ea19c26b32ae6cde645a7659d91afb686a6edfc7c23e6628ba772603c143d2c4
              • Opcode Fuzzy Hash: 9f54609a069f253131e0c5384d36138c09a92434e04ede391c3d5815143f87fb
              • Instruction Fuzzy Hash: B090023520140412D55071599C04686004E87D0341F55E411A053559CD865489A1A921
              Function 06FA3D10 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6bab9e7bd15728c2e6c84aec33d0a3e504c2e3c561df834c87f171790629287
              • Instruction ID: a77e59ec3a7de2e612381b2cfedb878a516e4451ed916c406f59145f3efd18b6
              • Opcode Fuzzy Hash: f6bab9e7bd15728c2e6c84aec33d0a3e504c2e3c561df834c87f171790629287
              • Instruction Fuzzy Hash: 3390023120240152958072599C04A8E410D87E1342B95E415A0126598CC91489615A21
              Function 06FA39B0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44478ecb15e8ec6d8b20436a6e10b47ee977221c79e884b9cb8f796f96b48a96
              • Instruction ID: 8274b7a38eaec510ce1748ab2262c955232c31b6b461106aff9efa8f48eee5b8
              • Opcode Fuzzy Hash: 44478ecb15e8ec6d8b20436a6e10b47ee977221c79e884b9cb8f796f96b48a96
              • Instruction Fuzzy Hash: 7E90022124545112D190715D8804656400DA7E0241F55D021A09255D8D855589556A21
              Function 06FA2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: e0f6933206dd8187a1d8c21205381daf8d87f952576f0416a0bfc83d2e042d83
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              Function 00401000 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 163windowCOMMON
              Download Yara Rule
              APIs
              • LoadStringW.USER32(00000005,00000067,0044F960,00000064), ref: 00401074
              • LoadStringW.USER32(00000005,0000006D,0044F898,00000064), ref: 00401080
              • LoadAcceleratorsW.USER32(00000005,0000006D), ref: 004010BA
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004010CD
              • TranslateAcceleratorW.USER32(?,00000005,?), ref: 00401111
              • TranslateMessage.USER32(?), ref: 0040114D
              • DispatchMessageW.USER32(?), ref: 00401165
              • GetMessageW.USER32(?,0000572B,0000572B,0000572B), ref: 004011B5
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: Message$Load$StringTranslate$AcceleratorAcceleratorsDispatch
              • String ID: <$R$gfff$K
              • API String ID: 1345915193-865324093
              • Opcode ID: babdac2d740afeafd420dd2b06d7b0c64fe2c63013a391f021e9baaf0cfcdae3
              • Instruction ID: 687b5e3013bd432478fd9b60a25345eaf813476be63483d0274bc0ff6638a4b1
              • Opcode Fuzzy Hash: babdac2d740afeafd420dd2b06d7b0c64fe2c63013a391f021e9baaf0cfcdae3
              • Instruction Fuzzy Hash: 6751B570A00208ABEB18CB59DC45BAFB6B9EB58345F10403BF601FB3D1D7799E418B99
              Function 06FA2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 8db94e91fe2f65a0ae6d814a6f256edfa1f82e913f6813adae40daa2b0442dcb
              • Instruction ID: ac9c1305d6b815ddddfaf7862c4019e83e6de9a0be7e8ef4c3f4e3169d9b44ad
              • Opcode Fuzzy Hash: 8db94e91fe2f65a0ae6d814a6f256edfa1f82e913f6813adae40daa2b0442dcb
              • Instruction Fuzzy Hash: 4751D3B6F04216AFDB90DF98CD8097EF7B8BB08640B18826AE465D7645D634EF40C7E0
              Function 07012410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 6698dd0395abe2cf752f3d493e1a304241156ed38b1fcbdacac176ce5600a63f
              • Instruction ID: fd9360d0b196b88124810cc1f7e00effaf8b8d8a9a767cbe3a2ae26a72344334
              • Opcode Fuzzy Hash: 6698dd0395abe2cf752f3d493e1a304241156ed38b1fcbdacac176ce5600a63f
              • Instruction Fuzzy Hash: 5C5105F1B00646AFCBB4DF9CCC9097FB7F8FB44200B448569E5A6C7681EAB4DA408760
              Function 06F97630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
              Download Yara Rule
              Strings
              • ExecuteOptions, xrefs: 06FD46A0
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 06FD46FC
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 06FD4742
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 06FD4725
              • Execute=1, xrefs: 06FD4713
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 06FD4655
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 06FD4787
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: 829d18107836c953f5a21bb0ae7321c336a530b11e470c9aa5df8379467d0814
              • Instruction ID: a5b5e933a6857b76a70c5d8efc12618d7703119cdd258080b0d0b97533d43f8d
              • Opcode Fuzzy Hash: 829d18107836c953f5a21bb0ae7321c336a530b11e470c9aa5df8379467d0814
              • Instruction Fuzzy Hash: 9751E771A103197BFF90FAA4DC85BAA77A9EB45300F0800A9D615AB1D0E771EA45CF61
              Function 004496FD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • __getptd.LIBCMT ref: 00449709
                • Part of subcall function 00447ABF: __getptd_noexit.LIBCMT ref: 00447AC2
                • Part of subcall function 00447ABF: __amsg_exit.LIBCMT ref: 00447ACF
              • __amsg_exit.LIBCMT ref: 00449729
              • __lock.LIBCMT ref: 00449739
              • InterlockedDecrement.KERNEL32(?), ref: 00449756
              • _free.LIBCMT ref: 00449769
              • InterlockedIncrement.KERNEL32(0044E570), ref: 00449781
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
              • String ID: pD
              • API String ID: 3470314060-1597287149
              • Opcode ID: 079ad98018924184b81ad0761b7b00a2ac46957e29cc0c5b32cc3075f04b0bca
              • Instruction ID: 51565121fb0b3bb1d9065d51044490b2295867e26e549b179c925c3a201abc25
              • Opcode Fuzzy Hash: 079ad98018924184b81ad0761b7b00a2ac46957e29cc0c5b32cc3075f04b0bca
              • Instruction Fuzzy Hash: 2E015B75951721EBF620AF66984575FB7A0BF05724F14002BE41467390CB3CAD81EBDE
              Function 004011D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 126windowregistryCOMMON
              Download Yara Rule
              APIs
              • LoadIconW.USER32(00401088,0000006B), ref: 004012AC
              • LoadCursorW.USER32(00003163,00007F00), ref: 004012B7
              • LoadIconW.USER32(?,0000006C), ref: 00401344
              • RegisterClassExW.USER32(00000030), ref: 0040134D
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: Load$Icon$ClassCursorRegister
              • String ID: 0$m
              • API String ID: 4202395251-432128193
              • Opcode ID: e561e8dbf5576be2441e48dc577818e6788279b9a54656451a83d9ba72106089
              • Instruction ID: a91d458a28549a56fa893156b9d2a77f92cad32096924d3f4f1bbb629e29858a
              • Opcode Fuzzy Hash: e561e8dbf5576be2441e48dc577818e6788279b9a54656451a83d9ba72106089
              • Instruction Fuzzy Hash: F3419FB1E002099BDB18CF99C9546EEBBB5EB94344F14817EE905BF7E0E77859048B88
              Function 07036940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
              • Instruction ID: a6c237bc569a97333c05d9a48b529b8f7ea164ea35671d2aaea85d5a885650f7
              • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
              • Instruction Fuzzy Hash: E20206B1508341AFC345DF18C890A6FBBE9EFC8704F048A2DF9998B254DB72E945CB52
              Function 06FAB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: 7bab379215b99e99fc0886bedf978b5bc50852e8ea3e8d411b1c2f6baeca8c71
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: EE818FB0E1934A9FEFA88F68C8917FEBBB1AF46350F184259D861A73D1C7749841CB50
              Function 004010E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86windowCOMMON
              Download Yara Rule
              APIs
              • TranslateAcceleratorW.USER32(?,00000005,?), ref: 00401111
              • TranslateMessage.USER32(?), ref: 0040114D
              • DispatchMessageW.USER32(?), ref: 00401165
              • GetMessageW.USER32(?,0000572B,0000572B,0000572B), ref: 004011B5
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: Message$Translate$AcceleratorDispatch
              • String ID: gfff
              • API String ID: 2755951552-1553575800
              • Opcode ID: 7fa5943c61319e3dc3ce68d6430780240cd9e6c8a10d79766d246d410fc07d84
              • Instruction ID: 86c97f06571826ebd5f7ab3e1758448758d9a42374ab80078b679847685c496b
              • Opcode Fuzzy Hash: 7fa5943c61319e3dc3ce68d6430780240cd9e6c8a10d79766d246d410fc07d84
              • Instruction Fuzzy Hash: 7A219171E001099BDB1CCF69DD45ABFB7BAEB9C341F14853BE615EB3A0D63899008B85
              Function 070120E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: 16a424567f4efe5e8f55689a6ca9144e74f417b170be83b4e8239d6aa7422cf8
              • Instruction ID: 7d2bedefe57b6f60598169cf718eb38d1e4d9181caf15140d5ed025d63fd18ba
              • Opcode Fuzzy Hash: 16a424567f4efe5e8f55689a6ca9144e74f417b170be83b4e8239d6aa7422cf8
              • Instruction Fuzzy Hash: BB2162F6E0021AABCB50DF79DC50AEEB7F8EF54644F050216E915E3340EB30DA018BA1
              Function 00449FCC Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • _malloc.LIBCMT ref: 00449FDA
                • Part of subcall function 00449EB6: __FF_MSGBANNER.LIBCMT ref: 00449ECF
                • Part of subcall function 00449EB6: __NMSG_WRITE.LIBCMT ref: 00449ED6
                • Part of subcall function 00449EB6: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00448D71,?,00000001,?,?,00448191,00000018,0044C900,0000000C,00448221), ref: 00449EFB
              • _free.LIBCMT ref: 00449FED
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: AllocHeap_free_malloc
              • String ID:
              • API String ID: 2734353464-0
              • Opcode ID: 6fba974974cc33a915f5172f2092f52439ff3394304e72623db76a5796c538e4
              • Instruction ID: 4d067cc030600d08ec67212d855f2f140db1694fc4b17b201204d79c73af8bef
              • Opcode Fuzzy Hash: 6fba974974cc33a915f5172f2092f52439ff3394304e72623db76a5796c538e4
              • Instruction Fuzzy Hash: 0E110132444215ABFB213F75A805A5F3695AB423A4F22012FF904DA291EF3CCC51979E
              Function 00449461 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • __getptd.LIBCMT ref: 0044946D
                • Part of subcall function 00447ABF: __getptd_noexit.LIBCMT ref: 00447AC2
                • Part of subcall function 00447ABF: __amsg_exit.LIBCMT ref: 00447ACF
              • __getptd.LIBCMT ref: 00449484
              • __amsg_exit.LIBCMT ref: 00449492
              • __lock.LIBCMT ref: 004494A2
              • __updatetlocinfoEx_nolock.LIBCMT ref: 004494B6
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
              • String ID:
              • API String ID: 938513278-0
              • Opcode ID: 57c3ac99fa53b67f3081f0b243ad8db986b025689d5649a15b2393bf166aa873
              • Instruction ID: 3a19506c52dd43a905e5763e31cd062429b5d24fa72912c4c9dc21a6abbe29c3
              • Opcode Fuzzy Hash: 57c3ac99fa53b67f3081f0b243ad8db986b025689d5649a15b2393bf166aa873
              • Instruction Fuzzy Hash: CBF06D32948710AAF721BB769806B5E32906F01729F15414FF104673C2CB6C5D02AA6E
              Function 06F8F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
              Download Yara Rule
              Strings
              • RTL: Re-Waiting, xrefs: 06FD031E
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 06FD02BD
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 06FD02E7
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 53fdc05416bd7a9aaad036f84912158173effc6856f6411a5bf74add474d97f2
              • Instruction ID: 4853a802b635b9b572b6a2679c1527c5ab63544dbfa0316670b8c696e7bfa5f0
              • Opcode Fuzzy Hash: 53fdc05416bd7a9aaad036f84912158173effc6856f6411a5bf74add474d97f2
              • Instruction Fuzzy Hash: 88E1E171A05741DFE7A5DF28C884B2AB7E1BF84354F180A5DF4A58B2D0DB74E844CB92
              Function 06F9BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
              Download Yara Rule
              Strings
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 06FD7B7F
              • RTL: Re-Waiting, xrefs: 06FD7BAC
              • RTL: Resource at %p, xrefs: 06FD7B8E
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 14f2ef6f77f017eeb803cd72d59d13dfcafc32fbea5c533e1e9b192f229f8f8c
              • Instruction ID: a676154695b69289b7f19eba174808c3fa17903d6767c5718bfe2e051f40bd4c
              • Opcode Fuzzy Hash: 14f2ef6f77f017eeb803cd72d59d13dfcafc32fbea5c533e1e9b192f229f8f8c
              • Instruction Fuzzy Hash: C941E535B017029FEBA0EE25DC40B6BB7E5EF88714F100A1DE956DB680DB71E905CBA1
              Function 06F9B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 06FD728C
              Strings
              • RTL: Re-Waiting, xrefs: 06FD72C1
              • RTL: Resource at %p, xrefs: 06FD72A3
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 06FD7294
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 92413d92301f8a353fb0ba47fec0710720240ab65158cfb1cc13abcf9df01ba9
              • Instruction ID: a9cc76470463c06c877701c7f90fe96916441222b7f956df155dced7b3fd5e94
              • Opcode Fuzzy Hash: 92413d92301f8a353fb0ba47fec0710720240ab65158cfb1cc13abcf9df01ba9
              • Instruction Fuzzy Hash: C9410771B00242AFDB91EE25CC41B66B7A6FF84715F140619F965DB280DB21F812CBE0
              Function 07012300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: 77abb675c6543b06df2766eb42c1d9deec8a65ac42c0e4d21086806821eb1ef6
              • Instruction ID: 3ac1c96183e3689a08da7f512fd3fce6a59eebc0b4269ccb741a16cac34cae24
              • Opcode Fuzzy Hash: 77abb675c6543b06df2766eb42c1d9deec8a65ac42c0e4d21086806821eb1ef6
              • Instruction Fuzzy Hash: AF3166B2A002199FCBA0DF29CC40BEFB7F8FB44650F454555E849E3240EB30EA558BA1
              Function 06FA7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: 7341268c960072198ac5ad2495d16cc239a43cc9f6894991c439759523f33160
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: AF9181F9E003169FDBA4EF69C880EBEB7B5AF44760F14451AE865A72C0D7709A40C7A0
              Function 06F69126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862902887.0000000006F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06F30000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_6f30000_vbc.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 3d83c6452758a42b5e3ef541ec5e99c3099043fae4db34e97b71bd2cf19a6e1c
              • Instruction ID: 487972447e7040cd70533d48ee3b29e4639392d56d105226b2dd579330254e71
              • Opcode Fuzzy Hash: 3d83c6452758a42b5e3ef541ec5e99c3099043fae4db34e97b71bd2cf19a6e1c
              • Instruction Fuzzy Hash: 69810D71D002699FDBA1DB54CD45BEEB7B8EF48750F0041EAA919B7280D7745E84CFA0
              Function 004016A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: _$gfff
              • API String ID: 0-92725793
              • Opcode ID: 73d8285cd3f49d6a42fd7481d75c21c894924a9b5a251a0f0cbe30768f067a0d
              • Instruction ID: 32c6244104d01d201ea638d9fe095b685ede6c6b1875318da0f4458e2205c5ad
              • Opcode Fuzzy Hash: 73d8285cd3f49d6a42fd7481d75c21c894924a9b5a251a0f0cbe30768f067a0d
              • Instruction Fuzzy Hash: 4F213836B0010987C72C8D2DDC445BB7666E7E0341F18813BF80AEF3E1EA799D459789
              Function 004012C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54registrywindowCOMMON
              Download Yara Rule
              APIs
              • LoadIconW.USER32(?,0000006C), ref: 00401344
              • RegisterClassExW.USER32(00000030), ref: 0040134D
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2862181424.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_400000_vbc.jbxd
              Yara matches
              Similarity
              • API ID: ClassIconLoadRegister
              • String ID: m
              • API String ID: 507502875-3775001192
              • Opcode ID: e848a6e0b2a7b59dccea917e78902c2354d183a1d435a604e8c9121a1243dedb
              • Instruction ID: a99cf7af54eeb38dc287f88a8895346b7fae4e7f0ff1a716ab96d1d41eef8bfc
              • Opcode Fuzzy Hash: e848a6e0b2a7b59dccea917e78902c2354d183a1d435a604e8c9121a1243dedb
              • Instruction Fuzzy Hash: 1611AD71E0010E97CB1C9A99DD516AEB772EB88302F04817FE502BB7D1E77859008B84

              Execution Graph

              Execution Coverage:9%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:30
              Total number of Limit Nodes:3
              execution_graph 16089 190b190 16092 190b279 16089->16092 16090 190b19f 16093 190b299 16092->16093 16094 190b2bc 16092->16094 16093->16094 16100 190b510 16093->16100 16104 190b520 16093->16104 16094->16090 16095 190b4c0 GetModuleHandleW 16097 190b4ed 16095->16097 16096 190b2b4 16096->16094 16096->16095 16097->16090 16101 190b520 16100->16101 16102 190b559 16101->16102 16108 190af98 16101->16108 16102->16096 16105 190b525 16104->16105 16106 190b559 16105->16106 16107 190af98 LoadLibraryExW 16105->16107 16106->16096 16107->16106 16109 190b700 LoadLibraryExW 16108->16109 16111 190b779 16109->16111 16111->16102 16112 190d520 16113 190d521 16112->16113 16117 190d700 16113->16117 16121 190d6f1 16113->16121 16114 190d653 16118 190d701 16117->16118 16125 190b174 16118->16125 16122 190d6f4 16121->16122 16123 190b174 DuplicateHandle 16122->16123 16124 190d72e 16123->16124 16124->16114 16126 190d768 DuplicateHandle 16125->16126 16128 190d72e 16126->16128 16128->16114

              Executed Functions

              Function 0190B279 Relevance: 1.7, APIs: 1, Instructions: 201COMMON
              Download Yara Rule

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0190B4DE
              Memory Dump Source
              • Source File: 00000008.00000002.2254395105.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_1900000_SoEOsZIV.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 8e6ca11e6ef32c2d0f00c81e669081aaf274e3c2cf95a219cd7352541ca0add4
              • Instruction ID: 611eea04f68875493cabe8932302a204e4ee058d5ea732810e0c6227b7a22b03
              • Opcode Fuzzy Hash: 8e6ca11e6ef32c2d0f00c81e669081aaf274e3c2cf95a219cd7352541ca0add4
              • Instruction Fuzzy Hash: C0815470A00B058FEB25DF2AD45079ABBF5FF88204F10892DD58ADBB90DB34E845CB91
              Function 019058ED Relevance: 1.6, APIs: 1, Instructions: 101COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 59 19058ed-19058ee 60 19058f0-19058f2 59->60 61 19058f5-19058f6 59->61 64 19058f4 60->64 65 19058f9-19058fc 60->65 62 19058f8 61->62 63 19058fd-19059b9 CreateActCtxA 61->63 62->65 67 19059c2-1905a1c 63->67 68 19059bb-19059c1 63->68 64->61 65->63 75 1905a2b-1905a2f 67->75 76 1905a1e-1905a21 67->76 68->67 77 1905a40 75->77 78 1905a31-1905a3d 75->78 76->75 80 1905a41 77->80 78->77 80->80
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 019059A9
              Memory Dump Source
              • Source File: 00000008.00000002.2254395105.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_1900000_SoEOsZIV.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: da5538f931f1ab8287d829ccb59648f93ebb422f40792c320d95111ecff5ab52
              • Instruction ID: 2bf88d18db38d9ae3df301e5f4db10b5d539b9d577e44616f5fd4fbbdbf41348
              • Opcode Fuzzy Hash: da5538f931f1ab8287d829ccb59648f93ebb422f40792c320d95111ecff5ab52
              • Instruction Fuzzy Hash: DC41E3B0C0071DCFEB25DFA9C884B8DBBB5BF89704F20805AD518AB294DB756945CF91
              Function 01904514 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 81 1904514-19059b9 CreateActCtxA 86 19059c2-1905a1c 81->86 87 19059bb-19059c1 81->87 94 1905a2b-1905a2f 86->94 95 1905a1e-1905a21 86->95 87->86 96 1905a40 94->96 97 1905a31-1905a3d 94->97 95->94 99 1905a41 96->99 97->96 99->99
              APIs
              • CreateActCtxA.KERNEL32(?), ref: 019059A9
              Memory Dump Source
              • Source File: 00000008.00000002.2254395105.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_1900000_SoEOsZIV.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: eee125eb9e56c03de8cdc52ff4fd78df7b0100152f5f74db51c0f8d88ca7b4d0
              • Instruction ID: 0fbc8e9a66303ba495f8d9ab997ad11ea0d8126b9cdc4f4fe7bc8f3c0bf0a9dd
              • Opcode Fuzzy Hash: eee125eb9e56c03de8cdc52ff4fd78df7b0100152f5f74db51c0f8d88ca7b4d0
              • Instruction Fuzzy Hash: B141D0B0C0071DCFEB24DFA9C884B8DBBB5BF89304F20806AD518AB295DB756945CF91
              Function 0190B174 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 100 190b174-190d7fc DuplicateHandle 103 190d805-190d822 100->103 104 190d7fe-190d804 100->104 104->103
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0190D72E,?,?,?,?,?), ref: 0190D7EF
              Memory Dump Source
              • Source File: 00000008.00000002.2254395105.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_1900000_SoEOsZIV.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: 630ecc91350b88adf2c09e2d1a2e52a0908f35d0b445e7bd3d02d8a8e5268307
              • Instruction ID: fc8226c698fb4c0913ef1bc8fdecefe188bf94aeed2fea4f931df09461fb37c0
              • Opcode Fuzzy Hash: 630ecc91350b88adf2c09e2d1a2e52a0908f35d0b445e7bd3d02d8a8e5268307
              • Instruction Fuzzy Hash: 9821E5B5900348EFDB10CFAAD584ADEBBF8EB48310F14841AE918A7350D374A954CFA5
              Function 0190D760 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 107 190d760-190d762 108 190d764-190d768 107->108 109 190d769-190d7fc DuplicateHandle 107->109 108->109 111 190d805-190d822 109->111 112 190d7fe-190d804 109->112 112->111
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0190D72E,?,?,?,?,?), ref: 0190D7EF
              Memory Dump Source
              • Source File: 00000008.00000002.2254395105.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_1900000_SoEOsZIV.jbxd
              Similarity
              • API ID: DuplicateHandle
              • String ID:
              • API String ID: 3793708945-0
              • Opcode ID: c946e1692a489662851ca610f37d7d98c5c11319bea70056a5fd6bdd7f1e4e0e
              • Instruction ID: 808233ff5b53e4cb1674c0acd5f21fedcd0bca2d47a5dc7621d80b697a0cfad4
              • Opcode Fuzzy Hash: c946e1692a489662851ca610f37d7d98c5c11319bea70056a5fd6bdd7f1e4e0e
              • Instruction Fuzzy Hash: B821D4B5D00249EFDB10CFAAD584ADEBFF8EB48310F14841AE918A7350D375A944CFA5
              Function 0190AF98 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 115 190af98-190b740 117 190b742-190b745 115->117 118 190b748-190b777 LoadLibraryExW 115->118 117->118 119 190b780-190b79d 118->119 120 190b779-190b77f 118->120 120->119
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0190B559,00000800,00000000,00000000), ref: 0190B76A
              Memory Dump Source
              • Source File: 00000008.00000002.2254395105.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_1900000_SoEOsZIV.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 5c1709a9dfae42e737beb626eadd08204a67c7a78ae3aab1c3d3ccfd178a44c7
              • Instruction ID: 19ff3895ea40c138a10b546e7cfc6860b7463745b25b45f4e696195528220295
              • Opcode Fuzzy Hash: 5c1709a9dfae42e737beb626eadd08204a67c7a78ae3aab1c3d3ccfd178a44c7
              • Instruction Fuzzy Hash: 9F1103B6804349DFDB10CF9AC484B9EFBF8EB88710F14842AE519A7640C375A544CFA5
              Function 0190B6F9 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 123 190b6f9-190b740 125 190b742-190b745 123->125 126 190b748-190b777 LoadLibraryExW 123->126 125->126 127 190b780-190b79d 126->127 128 190b779-190b77f 126->128 128->127
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0190B559,00000800,00000000,00000000), ref: 0190B76A
              Memory Dump Source
              • Source File: 00000008.00000002.2254395105.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_1900000_SoEOsZIV.jbxd
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 7eb691331b122c5d0ab13d3d6bbc96894407d5bdd8e3c722e101b6040e9e0f58
              • Instruction ID: 9b6bec15e9d18f15c5c5868c014c12e1dfa2df89d2187e3ff699d3db41785b93
              • Opcode Fuzzy Hash: 7eb691331b122c5d0ab13d3d6bbc96894407d5bdd8e3c722e101b6040e9e0f58
              • Instruction Fuzzy Hash: 341103B6C003099FDB14CF9AC844B9EFBF8AB88710F14842AD519A7640C375A545CFA5
              Function 0190B478 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 131 190b478-190b4b8 133 190b4c0-190b4eb GetModuleHandleW 131->133 134 190b4ba-190b4bd 131->134 135 190b4f4-190b508 133->135 136 190b4ed-190b4f3 133->136 134->133 136->135
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 0190B4DE
              Memory Dump Source
              • Source File: 00000008.00000002.2254395105.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_1900000_SoEOsZIV.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 776a9ef8e390b20ad5835acc13cda1905f1491c55a23a8a59fbcbaa1a857f45a
              • Instruction ID: 9d95fa208a2556d1cbbd5c3a981cfbfa41061bad98495e128fcb7d320d310fc4
              • Opcode Fuzzy Hash: 776a9ef8e390b20ad5835acc13cda1905f1491c55a23a8a59fbcbaa1a857f45a
              • Instruction Fuzzy Hash: BD11DFB5C00749CFDB10CF9AC544B9EFBF8AB88614F11841AD929A7350C379A645CFA5
              Function 0142D4C4 Relevance: .1, Instructions: 75COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.2251860224.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_142d000_SoEOsZIV.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8039b2aa33785d1e829c70d7c28c8f201992af6194b2afef201139dee1cb1789
              • Instruction ID: c19eda720370ea59e44a19fec3dd57fbe2f89aaafcf1cab56ebce553e87165ee
              • Opcode Fuzzy Hash: 8039b2aa33785d1e829c70d7c28c8f201992af6194b2afef201139dee1cb1789
              • Instruction Fuzzy Hash: 7B210671904240EFDB05DF54D9C0B27BF65FB88318F60C56AE9050B266C376D4D6CAA1
              Function 0161D1D4 Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.2252196261.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_161d000_SoEOsZIV.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 302c984ffa7c66522e56afee175c77792e1b44dad9c742e167b9b0862b7e7f10
              • Instruction ID: 7603991fd66960383354d5a95fbb89ced0f0ae362ee2e62c16e66a42b5c244a9
              • Opcode Fuzzy Hash: 302c984ffa7c66522e56afee175c77792e1b44dad9c742e167b9b0862b7e7f10
              • Instruction Fuzzy Hash: A7214971504300EFDB01DFA4DDC4B25BBA1FB84324F28C66DDA094B35AC336D446CA61
              Function 0161D01C Relevance: .1, Instructions: 72COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.2252196261.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_161d000_SoEOsZIV.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 439025ce62f6c13580075599de524144a1f83cb799a2d5965cb908f4b1ba7e1d
              • Instruction ID: b00b7af2b1d1781c8957197108a60322d3a5b4e6d860efe27b073825e1ab0005
              • Opcode Fuzzy Hash: 439025ce62f6c13580075599de524144a1f83cb799a2d5965cb908f4b1ba7e1d
              • Instruction Fuzzy Hash: B6212275604200EFDB15DF68D9C8B26BB61FB84315F28C56DD90A0B38AC33AD847CA62
              Function 0161D006 Relevance: .1, Instructions: 62COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.2252196261.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_161d000_SoEOsZIV.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fab67cae1c4838054dacdeecc7053cb615bd7a45971fc7acaff1c23685dd54df
              • Instruction ID: ddf85d205e5ef915d6a758f57464d15c50069d96c2ad9292d7f3a22d57f6f7ef
              • Opcode Fuzzy Hash: fab67cae1c4838054dacdeecc7053cb615bd7a45971fc7acaff1c23685dd54df
              • Instruction Fuzzy Hash: 4E21AC75509380DFCB03CF64D994B15BF71EB46214F28C5EAD8498F6A7C33A980ACB62
              Function 0142D4BF Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.2251860224.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_142d000_SoEOsZIV.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
              • Instruction ID: f6f4a8cf8ccc588ca0cf259caf44474edc95d46ccd773bf751f8d5fa24bc4a24
              • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
              • Instruction Fuzzy Hash: 3311E172904280DFCB02CF54D9C0B16BF71FB84314F24C6AAD8090B267C33AD49ACBA2
              Function 0161D1CF Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.2252196261.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_161d000_SoEOsZIV.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
              • Instruction ID: 0d9c65ef15a96eec98669f8a7f0c190cdd2c67946b21887fc3269f6d8e5cb489
              • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
              • Instruction Fuzzy Hash: EB11BB75904280DFCB02CF54C9C4B15FFA1FB84224F28C6A9D9494B7AAC33AD40ACB62
              Function 0142D731 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.2251860224.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_142d000_SoEOsZIV.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ec5e7f81290a928cf27c47c2b0b579c1a12ab3d37c9d13d104c6f84bb72d055
              • Instruction ID: ba8fa09916938a322d2dfa620fe5d1275b9b12ae4f3d7c92fb3b7bbc1f03a705
              • Opcode Fuzzy Hash: 4ec5e7f81290a928cf27c47c2b0b579c1a12ab3d37c9d13d104c6f84bb72d055
              • Instruction Fuzzy Hash: DC01F731804394DAFB104AA9CD80B67FFD8EFC1320F54C42BED084A292C27C9880C6B2
              Function 0142D730 Relevance: .0, Instructions: 36COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000008.00000002.2251860224.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_8_2_142d000_SoEOsZIV.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2bdecbaab1f57f3a9d428716ed5994b365e1c213619398b89569e669605e9b50
              • Instruction ID: 3730247b810b3b13716568f8fa495ef4f003baf3b041b7da893ca5f61bb97b54
              • Opcode Fuzzy Hash: 2bdecbaab1f57f3a9d428716ed5994b365e1c213619398b89569e669605e9b50
              • Instruction Fuzzy Hash: B6F06271405394AAEB118A1AC984B67FFD8EB81734F18C55BED084F296C2799844CA71