Edit tour

Windows Analysis Report
BL-INV-PL-ISO.exe

Overview

General Information

Sample name:	BL-INV-PL-ISO.exe
Analysis ID:	1522512
MD5:	98764b1ea06180b4a89c043b0fc11914
SHA1:	88cdfcf42452ca0429f31fdd8d7372effe387969
SHA256:	97fb0388618e3d977b390696f4ca19e38f0e706d70a40726bab9ed8dcdcd036c
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

BL-INV-PL-ISO.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\BL-INV-PL-ISO.exe" MD5: 98764B1EA06180B4A89C043B0FC11914)

powershell.exe (PID: 792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7356 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 4908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 7228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7236 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7252 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7260 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 7268 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

dZxrrOCj.exe (PID: 7288 cmdline: C:\Users\user\AppData\Roaming\dZxrrOCj.exe MD5: 98764B1EA06180B4A89C043B0FC11914)

schtasks.exe (PID: 7512 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 7564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f783:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x178d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c390:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x144df:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: BL-INV-PL-ISO.exe PID: 6848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dZxrrOCj.exe PID: 7288	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
17.2.vbc.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f783:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x178d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
17.2.vbc.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
17.2.vbc.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e983:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16ad2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", ParentImage: C:\Users\user\Desktop\BL-INV-PL-ISO.exe, ParentProcessId: 6848, ParentProcessName: BL-INV-PL-ISO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", ProcessId: 792, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\dZxrrOCj.exe, ParentImage: C:\Users\user\AppData\Roaming\dZxrrOCj.exe, ParentProcessId: 7288, ParentProcessName: dZxrrOCj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp", ProcessId: 7512, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", ParentImage: C:\Users\user\Desktop\BL-INV-PL-ISO.exe, ParentProcessId: 6848, ParentProcessName: BL-INV-PL-ISO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp", ProcessId: 4908, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", ParentImage: C:\Users\user\Desktop\BL-INV-PL-ISO.exe, ParentProcessId: 6848, ParentProcessName: BL-INV-PL-ISO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", ProcessId: 792, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BL-INV-PL-ISO.exe", ParentImage: C:\Users\user\Desktop\BL-INV-PL-ISO.exe, ParentProcessId: 6848, ParentProcessName: BL-INV-PL-ISO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp", ProcessId: 4908, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: BL-INV-PL-ISO.exe	ReversingLabs: Detection: 26%
Source: BL-INV-PL-ISO.exe	Virustotal: Detection: 23%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: BL-INV-PL-ISO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: BL-INV-PL-ISO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: UYWF.pdb source: BL-INV-PL-ISO.exe, dZxrrOCj.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: UYWF.pdbSHA256 source: BL-INV-PL-ISO.exe, dZxrrOCj.exe.0.dr
Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp

Source: BL-INV-PL-ISO.exe, 00000000.00000002.1735961289.0000000002604000.00000004.00000800.00020000.00000000.sdmp, dZxrrOCj.exe, 0000000D.00000002.1773816351.0000000002834000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740573197.0000000004EC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com.
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0042CA83 NtClose,	17_2_0042CA83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	17_2_05AC2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2C70 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_05AC2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC35C0 NtCreateMutant,LdrInitializeThunk,	17_2_05AC35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC4650 NtSuspendThread,	17_2_05AC4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC4340 NtSetContextThread,	17_2_05AC4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2DB0 NtEnumerateKey,	17_2_05AC2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2DD0 NtDelayExecution,	17_2_05AC2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2D30 NtUnmapViewOfSection,	17_2_05AC2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2D00 NtSetInformationFile,	17_2_05AC2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2D10 NtMapViewOfSection,	17_2_05AC2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2CA0 NtQueryInformationToken,	17_2_05AC2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2CF0 NtOpenProcess,	17_2_05AC2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2CC0 NtQueryVirtualMemory,	17_2_05AC2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2C00 NtQueryInformationProcess,	17_2_05AC2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2C60 NtCreateKey,	17_2_05AC2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2FA0 NtQuerySection,	17_2_05AC2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2FB0 NtResumeThread,	17_2_05AC2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2F90 NtProtectVirtualMemory,	17_2_05AC2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2FE0 NtCreateFile,	17_2_05AC2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2F30 NtCreateSection,	17_2_05AC2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2F60 NtCreateProcessEx,	17_2_05AC2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2EA0 NtAdjustPrivilegesToken,	17_2_05AC2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2E80 NtReadVirtualMemory,	17_2_05AC2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2EE0 NtQueueApcThread,	17_2_05AC2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2E30 NtWriteVirtualMemory,	17_2_05AC2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2BA0 NtEnumerateValueKey,	17_2_05AC2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2B80 NtQueryInformationFile,	17_2_05AC2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2BE0 NtQueryValueKey,	17_2_05AC2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2BF0 NtAllocateVirtualMemory,	17_2_05AC2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2B60 NtClose,	17_2_05AC2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2AB0 NtWaitForSingleObject,	17_2_05AC2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2AF0 NtWriteFile,	17_2_05AC2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2AD0 NtReadFile,	17_2_05AC2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC3090 NtSetValueKey,	17_2_05AC3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC3010 NtOpenDirectoryObject,	17_2_05AC3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC3D10 NtOpenProcessToken,	17_2_05AC3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC3D70 NtOpenThread,	17_2_05AC3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC39B0 NtGetContextThread,	17_2_05AC39B0

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Code function: 0_2_00AEE12C	0_2_00AEE12C
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Code function: 13_2_00FDE12C	13_2_00FDE12C
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Code function: 13_2_04D70BEC	13_2_04D70BEC
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Code function: 13_2_04D700D8	13_2_04D700D8
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Code function: 13_2_04D720F0	13_2_04D720F0
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Code function: 13_2_04D70130	13_2_04D70130
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Code function: 13_2_04D70120	13_2_04D70120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0042F073	17_2_0042F073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00403170	17_2_00403170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0040111A	17_2_0040111A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00401270	17_2_00401270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_004102DA	17_2_004102DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_004102E3	17_2_004102E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_004023EA	17_2_004023EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_004023F0	17_2_004023F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00416C43	17_2_00416C43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00416C3E	17_2_00416C3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00410503	17_2_00410503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0040E583	17_2_0040E583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0040258C	17_2_0040258C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00402590	17_2_00402590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B50591	17_2_05B50591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90535	17_2_05A90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3E4F6	17_2_05B3E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B34420	17_2_05B34420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B42446	17_2_05B42446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8C7C0	17_2_05A8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB4750	17_2_05AB4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAC6E0	17_2_05AAC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B441A2	17_2_05B441A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B501AA	17_2_05B501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B481CC	17_2_05B481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A80100	17_2_05A80100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2A118	17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B18158	17_2_05B18158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B503E6	17_2_05B503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E3F0	17_2_05A9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4A352	17_2_05B4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B102C0	17_2_05B102C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA8DBF	17_2_05AA8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8ADE0	17_2_05A8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9AD00	17_2_05A9AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2CD1F	17_2_05B2CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A80CF2	17_2_05A80CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90C00	17_2_05A90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0EFA0	17_2_05B0EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82FC8	17_2_05A82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B32F30	17_2_05B32F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AD2F28	17_2_05AD2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB0F30	17_2_05AB0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04F40	17_2_05B04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4CE93	17_2_05B4CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA2E90	17_2_05AA2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4EEDB	17_2_05B4EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4EE26	17_2_05B4EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90E59	17_2_05A90E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A929A0	17_2_05A929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B5A9A6	17_2_05B5A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA6962	17_2_05AA6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A768B8	17_2_05A768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE8F0	17_2_05ABE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9A840	17_2_05A9A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A92840	17_2_05A92840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B46BD7	17_2_05B46BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4AB40	17_2_05B4AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8EA80	17_2_05A8EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2D5B0	17_2_05B2D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B47571	17_2_05B47571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4F43F	17_2_05B4F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A81460	17_2_05A81460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4F7B0	17_2_05B4F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B416CC	17_2_05B416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AD5630	17_2_05AD5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9B1B0	17_2_05A9B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC516C	17_2_05AC516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7F172	17_2_05A7F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B5B16B	17_2_05B5B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4F0E0	17_2_05B4F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B470E9	17_2_05B470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A970C0	17_2_05A970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3F0CC	17_2_05B3F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AD739A	17_2_05AD739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4132D	17_2_05B4132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7D34C	17_2_05A7D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A952A0	17_2_05A952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B312ED	17_2_05B312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAB2C0	17_2_05AAB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAFDC0	17_2_05AAFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B47D73	17_2_05B47D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A93D40	17_2_05A93D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B41D5A	17_2_05B41D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4FCF2	17_2_05B4FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B09C32	17_2_05B09C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4FFB1	17_2_05B4FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A91F92	17_2_05A91F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4FF09	17_2_05B4FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A99EB0	17_2_05A99EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B25910	17_2_05B25910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A99950	17_2_05A99950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAB950	17_2_05AAB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A938E0	17_2_05A938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFD800	17_2_05AFD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAFB80	17_2_05AAFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B05BF0	17_2_05B05BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ACDBF9	17_2_05ACDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4FB76	17_2_05B4FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AD5AA0	17_2_05AD5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B31AA3	17_2_05B31AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2DAAC	17_2_05B2DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3DAC6	17_2_05B3DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B03A6C	17_2_05B03A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B47A46	17_2_05B47A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4FA49	17_2_05B4FA49

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 05AD7E54 appears 108 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 05A7B970 appears 265 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 05AFEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 05B0F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 05AC5130 appears 58 times

Source: BL-INV-PL-ISO.exe, 00000000.00000002.1725947037.000000000059E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1741347431.0000000006B2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1742101789.0000000009700000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe, 00000000.00000002.1736708833.00000000040AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe, 00000000.00000000.1684503221.000000000010E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUYWF.exe@ vs BL-INV-PL-ISO.exe
Source: BL-INV-PL-ISO.exe	Binary or memory string: OriginalFilenameUYWF.exe@ vs BL-INV-PL-ISO.exe

Source: BL-INV-PL-ISO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: BL-INV-PL-ISO.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dZxrrOCj.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, uUMOocUIxKVTuplUam.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs	Security API names: _0020.SetAccessControl
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs	Security API names: _0020.AddAccessRule
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs	Security API names: _0020.SetAccessControl
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs	Security API names: _0020.AddAccessRule
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, uUMOocUIxKVTuplUam.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/15@0/0

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

File created: C:\Users\user\AppData\Roaming\dZxrrOCj.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Mutant created: \Sessions\1\BaseNamedObjects\XTpUHwAlqzCYlLXTmffAOhrcva
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

File created: C:\Users\user\AppData\Local\Temp\tmp590C.tmp

Jump to behavior

Source: BL-INV-PL-ISO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BL-INV-PL-ISO.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BL-INV-PL-ISO.exe	ReversingLabs: Detection: 26%
Source: BL-INV-PL-ISO.exe	Virustotal: Detection: 23%

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

File read: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BL-INV-PL-ISO.exe "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dZxrrOCj.exe C:\Users\user\AppData\Roaming\dZxrrOCj.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: BL-INV-PL-ISO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BL-INV-PL-ISO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: BL-INV-PL-ISO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UYWF.pdb source: BL-INV-PL-ISO.exe, dZxrrOCj.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: UYWF.pdbSHA256 source: BL-INV-PL-ISO.exe, dZxrrOCj.exe.0.dr
Source:	Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs	.Net Code: clHhbwHd3t System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL-INV-PL-ISO.exe.3601ea0.1.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL-INV-PL-ISO.exe.50c0000.3.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs	.Net Code: clHhbwHd3t System.Reflection.Assembly.Load(byte[])
Source: 0.2.BL-INV-PL-ISO.exe.35e9c80.0.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])

Source: BL-INV-PL-ISO.exe

Static PE information: 0xC3F91EE2 [Sat Mar 10 04:58:10 2074 UTC]

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Code function: 0_2_00AEDB28 pushad ; retf	0_2_00AEDB29
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Code function: 0_2_07971B05 push FFFFFF8Bh; iretd	0_2_07971B07
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Code function: 13_2_00FDDB28 pushad ; retf	13_2_00FDDB29
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Code function: 13_2_07820D75 push FFFFFF8Bh; iretd	13_2_07820D77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0041F058 push esi; ret	17_2_0041F05E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0041F089 push FFFFFF9Ah; retf	17_2_0041F08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0041F8AF push FFFFFFE3h; ret	17_2_0041F8B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0041F95A push ds; iretd	17_2_0041F971
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00402178 push es; ret	17_2_004021C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_004021A2 push es; ret	17_2_004021C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00419A5A push ds; ret	17_2_00419A5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0040D20B push ebp; retf	17_2_0040D211
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00424AE3 push edi; ret	17_2_00424AEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0040ABDA push ebx; ret	17_2_0040ABDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00423BEF pushfd ; retf	17_2_00423BEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_004033F0 push eax; ret	17_2_004033F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00423BB8 pushfd ; retf	17_2_00423BEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0041664B pushad ; retf	17_2_00416653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00412634 push edi; iretd	17_2_00412635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_0040CF05 pushad ; iretd	17_2_0040CF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_00413FF4 pushad ; iretd	17_2_00413FF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_004137A3 push ecx; retf	17_2_00413868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A809AD push ecx; mov dword ptr [esp], ecx	17_2_05A809B6

Source: BL-INV-PL-ISO.exe	Static PE information: section name: .text entropy: 7.705373741079922
Source: dZxrrOCj.exe.0.dr	Static PE information: section name: .text entropy: 7.705373741079922

Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, l6TFIRal5HdvTuAvFR.cs	High entropy of concatenated method names: 'xVnKMS9NIR', 'dk1KCOIXS1', 'kpVKJMQx0c', 'gQSJLiag9k', 'O9rJz56ISN', 'mQ7KpMXwGS', 'VNXKkrmN3h', 'RMPK84jSg4', 'GDLKGQUqCh', 'qiPKhTghil'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, TqWwAsLkiN3CFtoVfa.cs	High entropy of concatenated method names: 'x0G6kgNAXJ', 'gYt6G1pPDh', 'gGJ6hWYUxe', 'u0t6MrXpIy', 'ARh6rRPoCq', 'LfR6FD03GN', 'Rdo6J5HFrT', 'awKmg46aiP', 'I7nmu7PdvC', 'ARRm56g5SY'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, sGidIWAjxT9DQD2jyC.cs	High entropy of concatenated method names: 'IsjJ2yIoUy', 'nnrJrI5AkK', 'cCFJFR72fI', 'onJJKqCvWx', 'eieJ0kwV1b', 'B5MFi0qPud', 'SwkFxgSipX', 'f2nFg6s3jk', 'J7qFumddEi', 'SS1F55XS5M'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cfZycf0kcb26X6tlXo.cs	High entropy of concatenated method names: 'RSyG2MIpO4', 'DqMGMh7e3p', 'CmJGre8Fr3', 'fMdGCUoiR8', 'jkNGFU0RLY', 'dBnGJBtVJQ', 'DrDGKvpfiW', 'f2oG0M9mbC', 'utZGSPbAs0', 'jP0GlEHrwP'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, cU6Qf6h8MixZH75icy.cs	High entropy of concatenated method names: 'VQwkKUMOoc', 'QxKk0VTupl', 'dE6klxU8dN', 'Rulko7H16M', 'QOvkZtGnGi', 'qIWkTjxT9D', 'eWWBiDeHQaUZj0yqVI', 'zDTektAmB4mH3u1o1o', 'EoTkkID8Fl', 'lPAkGEUTlO'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, lNDQloxMyDmhpPDOWl.cs	High entropy of concatenated method names: 'OKvdut556a', 'GrwdLEcIOT', 'ia1mpgXeIX', 'R3Wmk6KHWx', 'ydSdXCsjpB', 'zX2dYsFtCi', 'rwUd4aBwHX', 'tZxdIteB8N', 'Gj9deO9W5t', 'A8dd7rTUsV'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, WKKHDvNKxvSnL6SGaH.cs	High entropy of concatenated method names: 'JJMKftASch', 'iw4KDlTtuf', 'D50Kb4dcAR', 'q9uKHyYj7j', 'yJXKBtJpE1', 'zeMK3BMu0g', 'sg1KQue3FM', 'KeGKUYyhav', 'cG0KjT1Ttu', 'U0iKv4j2yu'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, gEl1DV4DciT4JTELMs.cs	High entropy of concatenated method names: 'UW91UoW2lA', 'BoO1jZc9yx', 'Nei1ApWY50', 'r2n19mrd0F', 'wxA1ytqR7S', 'rnx1PZ1noJ', 'mR21a4QMh6', 'G0d1tblOwc', 'pBx1OWhd7m', 'rRE1XKsd7j'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, c0PD99zDASEcV46Xs3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ctV61a1JCR', 'NHq6ZD7lIZ', 'OI96TFCxsf', 'QCj6dEAIEv', 'Rdt6msmXmP', 'mZn66IAvHu', 'shN6nDyGBX'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, VNv1OU8Walm78ZVDd5.cs	High entropy of concatenated method names: 'WjGbqLonU', 'tr4H2MuXo', 'mra3ZiIVV', 'XSDQETlpd', 'csmjS9elG', 'qJYvjuWpX', 'nGKbCdGf1REIvkBFpn', 'v4OfKVsT91hrS2aPoy', 'OsURx8EB6xhyi4uOwV', 'iyqmxjan7'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, DI7yKUuw3K2T0FjALa.cs	High entropy of concatenated method names: 'MedmM3Eren', 'kgfmrpgF6y', 'RqrmCU3u5D', 'xZ4mFcZVMM', 'FcgmJwRwrw', 'zwQmKuB9lf', 'xvUm0Q7Q6v', 'WXXmSGmYCC', 'b94mlRtUrW', 'zd6moqxxSm'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, WWDxQnkGDXGaylq8aLM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zR9nIjkxoa', 'st0neacXaH', 'XmVn7aGwMy', 'hPVnsKychO', 'buSniA9TsK', 'n3HnxEeolk', 'DFEngv4Zkd'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, DYI8K0rsEh87KO9w2Y.cs	High entropy of concatenated method names: 'Dispose', 'xKgk5fgPrX', 'spi89IN3bD', 'rnspp8HGlI', 'FUIkL7yKUw', 'BK2kzT0FjA', 'ProcessDialogKey', 'Yah8pfeKFp', 'uvf8kbxJ1R', 'WCT88sqWwA'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, dfeKFp5wvfbxJ1RuCT.cs	High entropy of concatenated method names: 'wDxmA9KR7J', 'xeIm9wmF5c', 'FZ8mR9HPKI', 'yZymyMASVh', 'MAwmIaETuv', 'uPImPIMxk6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, SPhPfhjE6xU8dNeul7.cs	High entropy of concatenated method names: 'MZ7CHitOBu', 'DuPC3l9MiW', 'OR8CU523v9', 'j5oCjkNu2I', 'xuTCZqUJW1', 'TQaCT98hdL', 'bnnCdVV2nb', 'QQdCmHNqye', 'XAHC6dPgoR', 'A20CnDQcQh'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, uUMOocUIxKVTuplUam.cs	High entropy of concatenated method names: 'UxErIZ2eKJ', 'WUrretkkdt', 'wiXr7GTtus', 'WjlrshmiCX', 'IrGriAAUDv', 'tVErxUNv8x', 'dLxrgvHTkM', 'eEPruMjB3t', 'q0qr5FD2TS', 'zRvrLDWLTt'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, AgDxvokpfb05xEXq3aJ.cs	High entropy of concatenated method names: 'RhF6fwaO6O', 'M6E6DsaVl9', 'kwu6beDUrJ', 'soe6HSCcRU', 'Cnp6BhAKKg', 'O5Z63ZKLpI', 'a1E6Qdvybj', 'AAb6UL6NWc', 'uuQ6jZannN', 'ECL6v2exdr'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, A16MKav3vJLRDIOvtG.cs	High entropy of concatenated method names: 'EZLFBEacCa', 'HSuFQNg93E', 'd7xCRCrOLQ', 'IO3CyWSYdw', 'bc2CPcDMwk', 'JGvCWSUD7F', 'yEECaLTlrc', 'ADyCtBhVSi', 'PLACNQ9o2s', 'OVXCO2mEFM'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, RkTHaNsbNEDWW1Oh0V.cs	High entropy of concatenated method names: 'SKYdloI5vA', 'U9vdoksEWe', 'ToString', 'C4xdMQxeVm', 'q4Wdr7e8BN', 'E0ddCoxYvx', 'g3SdFw58VR', 't35dJbARyf', 'Ab6dKdMR9j', 'XcWd0uExtw'
Source: 0.2.BL-INV-PL-ISO.exe.40d8560.2.raw.unpack, zB1mPmIbOkQbmdJNkb.cs	High entropy of concatenated method names: 'bcqZO42Zws', 'vdbZYDiJJN', 'qrKZIRj5nX', 'IiTZe4MnrD', 'yqEZ9CBLWv', 'mc3ZR9dWJ6', 'x7tZyZopbt', 'oGVZPmGfb6', 'eQ2ZW7WDMt', 'KRVZaBLxmt'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, l6TFIRal5HdvTuAvFR.cs	High entropy of concatenated method names: 'xVnKMS9NIR', 'dk1KCOIXS1', 'kpVKJMQx0c', 'gQSJLiag9k', 'O9rJz56ISN', 'mQ7KpMXwGS', 'VNXKkrmN3h', 'RMPK84jSg4', 'GDLKGQUqCh', 'qiPKhTghil'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, TqWwAsLkiN3CFtoVfa.cs	High entropy of concatenated method names: 'x0G6kgNAXJ', 'gYt6G1pPDh', 'gGJ6hWYUxe', 'u0t6MrXpIy', 'ARh6rRPoCq', 'LfR6FD03GN', 'Rdo6J5HFrT', 'awKmg46aiP', 'I7nmu7PdvC', 'ARRm56g5SY'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, sGidIWAjxT9DQD2jyC.cs	High entropy of concatenated method names: 'IsjJ2yIoUy', 'nnrJrI5AkK', 'cCFJFR72fI', 'onJJKqCvWx', 'eieJ0kwV1b', 'B5MFi0qPud', 'SwkFxgSipX', 'f2nFg6s3jk', 'J7qFumddEi', 'SS1F55XS5M'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cfZycf0kcb26X6tlXo.cs	High entropy of concatenated method names: 'RSyG2MIpO4', 'DqMGMh7e3p', 'CmJGre8Fr3', 'fMdGCUoiR8', 'jkNGFU0RLY', 'dBnGJBtVJQ', 'DrDGKvpfiW', 'f2oG0M9mbC', 'utZGSPbAs0', 'jP0GlEHrwP'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, cU6Qf6h8MixZH75icy.cs	High entropy of concatenated method names: 'VQwkKUMOoc', 'QxKk0VTupl', 'dE6klxU8dN', 'Rulko7H16M', 'QOvkZtGnGi', 'qIWkTjxT9D', 'eWWBiDeHQaUZj0yqVI', 'zDTektAmB4mH3u1o1o', 'EoTkkID8Fl', 'lPAkGEUTlO'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, lNDQloxMyDmhpPDOWl.cs	High entropy of concatenated method names: 'OKvdut556a', 'GrwdLEcIOT', 'ia1mpgXeIX', 'R3Wmk6KHWx', 'ydSdXCsjpB', 'zX2dYsFtCi', 'rwUd4aBwHX', 'tZxdIteB8N', 'Gj9deO9W5t', 'A8dd7rTUsV'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, WKKHDvNKxvSnL6SGaH.cs	High entropy of concatenated method names: 'JJMKftASch', 'iw4KDlTtuf', 'D50Kb4dcAR', 'q9uKHyYj7j', 'yJXKBtJpE1', 'zeMK3BMu0g', 'sg1KQue3FM', 'KeGKUYyhav', 'cG0KjT1Ttu', 'U0iKv4j2yu'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, gEl1DV4DciT4JTELMs.cs	High entropy of concatenated method names: 'UW91UoW2lA', 'BoO1jZc9yx', 'Nei1ApWY50', 'r2n19mrd0F', 'wxA1ytqR7S', 'rnx1PZ1noJ', 'mR21a4QMh6', 'G0d1tblOwc', 'pBx1OWhd7m', 'rRE1XKsd7j'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, c0PD99zDASEcV46Xs3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ctV61a1JCR', 'NHq6ZD7lIZ', 'OI96TFCxsf', 'QCj6dEAIEv', 'Rdt6msmXmP', 'mZn66IAvHu', 'shN6nDyGBX'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, VNv1OU8Walm78ZVDd5.cs	High entropy of concatenated method names: 'WjGbqLonU', 'tr4H2MuXo', 'mra3ZiIVV', 'XSDQETlpd', 'csmjS9elG', 'qJYvjuWpX', 'nGKbCdGf1REIvkBFpn', 'v4OfKVsT91hrS2aPoy', 'OsURx8EB6xhyi4uOwV', 'iyqmxjan7'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, DI7yKUuw3K2T0FjALa.cs	High entropy of concatenated method names: 'MedmM3Eren', 'kgfmrpgF6y', 'RqrmCU3u5D', 'xZ4mFcZVMM', 'FcgmJwRwrw', 'zwQmKuB9lf', 'xvUm0Q7Q6v', 'WXXmSGmYCC', 'b94mlRtUrW', 'zd6moqxxSm'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, WWDxQnkGDXGaylq8aLM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zR9nIjkxoa', 'st0neacXaH', 'XmVn7aGwMy', 'hPVnsKychO', 'buSniA9TsK', 'n3HnxEeolk', 'DFEngv4Zkd'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, DYI8K0rsEh87KO9w2Y.cs	High entropy of concatenated method names: 'Dispose', 'xKgk5fgPrX', 'spi89IN3bD', 'rnspp8HGlI', 'FUIkL7yKUw', 'BK2kzT0FjA', 'ProcessDialogKey', 'Yah8pfeKFp', 'uvf8kbxJ1R', 'WCT88sqWwA'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, dfeKFp5wvfbxJ1RuCT.cs	High entropy of concatenated method names: 'wDxmA9KR7J', 'xeIm9wmF5c', 'FZ8mR9HPKI', 'yZymyMASVh', 'MAwmIaETuv', 'uPImPIMxk6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, SPhPfhjE6xU8dNeul7.cs	High entropy of concatenated method names: 'MZ7CHitOBu', 'DuPC3l9MiW', 'OR8CU523v9', 'j5oCjkNu2I', 'xuTCZqUJW1', 'TQaCT98hdL', 'bnnCdVV2nb', 'QQdCmHNqye', 'XAHC6dPgoR', 'A20CnDQcQh'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, uUMOocUIxKVTuplUam.cs	High entropy of concatenated method names: 'UxErIZ2eKJ', 'WUrretkkdt', 'wiXr7GTtus', 'WjlrshmiCX', 'IrGriAAUDv', 'tVErxUNv8x', 'dLxrgvHTkM', 'eEPruMjB3t', 'q0qr5FD2TS', 'zRvrLDWLTt'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, AgDxvokpfb05xEXq3aJ.cs	High entropy of concatenated method names: 'RhF6fwaO6O', 'M6E6DsaVl9', 'kwu6beDUrJ', 'soe6HSCcRU', 'Cnp6BhAKKg', 'O5Z63ZKLpI', 'a1E6Qdvybj', 'AAb6UL6NWc', 'uuQ6jZannN', 'ECL6v2exdr'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, A16MKav3vJLRDIOvtG.cs	High entropy of concatenated method names: 'EZLFBEacCa', 'HSuFQNg93E', 'd7xCRCrOLQ', 'IO3CyWSYdw', 'bc2CPcDMwk', 'JGvCWSUD7F', 'yEECaLTlrc', 'ADyCtBhVSi', 'PLACNQ9o2s', 'OVXCO2mEFM'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, RkTHaNsbNEDWW1Oh0V.cs	High entropy of concatenated method names: 'SKYdloI5vA', 'U9vdoksEWe', 'ToString', 'C4xdMQxeVm', 'q4Wdr7e8BN', 'E0ddCoxYvx', 'g3SdFw58VR', 't35dJbARyf', 'Ab6dKdMR9j', 'XcWd0uExtw'
Source: 0.2.BL-INV-PL-ISO.exe.9700000.4.raw.unpack, zB1mPmIbOkQbmdJNkb.cs	High entropy of concatenated method names: 'bcqZO42Zws', 'vdbZYDiJJN', 'qrKZIRj5nX', 'IiTZe4MnrD', 'yqEZ9CBLWv', 'mc3ZR9dWJ6', 'x7tZyZopbt', 'oGVZPmGfb6', 'eQ2ZW7WDMt', 'KRVZaBLxmt'

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

File created: C:\Users\user\AppData\Roaming\dZxrrOCj.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: BL-INV-PL-ISO.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dZxrrOCj.exe PID: 7288, type: MEMORYSTR

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: 25C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: 22E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: 70D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: 6DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: 80D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: 90D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: 9790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Memory allocated: A790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: 47F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: 6F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: 6D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: 7F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: 8F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: 96A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Memory allocated: A6A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 17_2_05AC096E rdtsc

17_2_05AC096E

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5748			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6238			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

API coverage: 0.6 %

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe TID: 6948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6612	Thread sleep count: 5748 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 7568	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 17_2_05AC096E rdtsc

17_2_05AC096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 17_2_00417BF3 LdrLoadDll,

17_2_00417BF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B005A7 mov eax, dword ptr fs:[00000030h]	17_2_05B005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B005A7 mov eax, dword ptr fs:[00000030h]	17_2_05B005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B005A7 mov eax, dword ptr fs:[00000030h]	17_2_05B005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA45B1 mov eax, dword ptr fs:[00000030h]	17_2_05AA45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA45B1 mov eax, dword ptr fs:[00000030h]	17_2_05AA45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB4588 mov eax, dword ptr fs:[00000030h]	17_2_05AB4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82582 mov eax, dword ptr fs:[00000030h]	17_2_05A82582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82582 mov ecx, dword ptr fs:[00000030h]	17_2_05A82582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE59C mov eax, dword ptr fs:[00000030h]	17_2_05ABE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABC5ED mov eax, dword ptr fs:[00000030h]	17_2_05ABC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABC5ED mov eax, dword ptr fs:[00000030h]	17_2_05ABC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A825E0 mov eax, dword ptr fs:[00000030h]	17_2_05A825E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h]	17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h]	17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h]	17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h]	17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h]	17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h]	17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h]	17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE5E7 mov eax, dword ptr fs:[00000030h]	17_2_05AAE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE5CF mov eax, dword ptr fs:[00000030h]	17_2_05ABE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE5CF mov eax, dword ptr fs:[00000030h]	17_2_05ABE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A865D0 mov eax, dword ptr fs:[00000030h]	17_2_05A865D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA5D0 mov eax, dword ptr fs:[00000030h]	17_2_05ABA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA5D0 mov eax, dword ptr fs:[00000030h]	17_2_05ABA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE53E mov eax, dword ptr fs:[00000030h]	17_2_05AAE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE53E mov eax, dword ptr fs:[00000030h]	17_2_05AAE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE53E mov eax, dword ptr fs:[00000030h]	17_2_05AAE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE53E mov eax, dword ptr fs:[00000030h]	17_2_05AAE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAE53E mov eax, dword ptr fs:[00000030h]	17_2_05AAE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90535 mov eax, dword ptr fs:[00000030h]	17_2_05A90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90535 mov eax, dword ptr fs:[00000030h]	17_2_05A90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90535 mov eax, dword ptr fs:[00000030h]	17_2_05A90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90535 mov eax, dword ptr fs:[00000030h]	17_2_05A90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90535 mov eax, dword ptr fs:[00000030h]	17_2_05A90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90535 mov eax, dword ptr fs:[00000030h]	17_2_05A90535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B16500 mov eax, dword ptr fs:[00000030h]	17_2_05B16500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54500 mov eax, dword ptr fs:[00000030h]	17_2_05B54500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54500 mov eax, dword ptr fs:[00000030h]	17_2_05B54500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54500 mov eax, dword ptr fs:[00000030h]	17_2_05B54500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54500 mov eax, dword ptr fs:[00000030h]	17_2_05B54500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54500 mov eax, dword ptr fs:[00000030h]	17_2_05B54500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54500 mov eax, dword ptr fs:[00000030h]	17_2_05B54500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54500 mov eax, dword ptr fs:[00000030h]	17_2_05B54500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB656A mov eax, dword ptr fs:[00000030h]	17_2_05AB656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB656A mov eax, dword ptr fs:[00000030h]	17_2_05AB656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB656A mov eax, dword ptr fs:[00000030h]	17_2_05AB656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A88550 mov eax, dword ptr fs:[00000030h]	17_2_05A88550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A88550 mov eax, dword ptr fs:[00000030h]	17_2_05A88550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0A4B0 mov eax, dword ptr fs:[00000030h]	17_2_05B0A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A864AB mov eax, dword ptr fs:[00000030h]	17_2_05A864AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB44B0 mov ecx, dword ptr fs:[00000030h]	17_2_05AB44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3A49A mov eax, dword ptr fs:[00000030h]	17_2_05B3A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A804E5 mov ecx, dword ptr fs:[00000030h]	17_2_05A804E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7C427 mov eax, dword ptr fs:[00000030h]	17_2_05A7C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7E420 mov eax, dword ptr fs:[00000030h]	17_2_05A7E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7E420 mov eax, dword ptr fs:[00000030h]	17_2_05A7E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7E420 mov eax, dword ptr fs:[00000030h]	17_2_05A7E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B06420 mov eax, dword ptr fs:[00000030h]	17_2_05B06420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B06420 mov eax, dword ptr fs:[00000030h]	17_2_05B06420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B06420 mov eax, dword ptr fs:[00000030h]	17_2_05B06420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B06420 mov eax, dword ptr fs:[00000030h]	17_2_05B06420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B06420 mov eax, dword ptr fs:[00000030h]	17_2_05B06420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B06420 mov eax, dword ptr fs:[00000030h]	17_2_05B06420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B06420 mov eax, dword ptr fs:[00000030h]	17_2_05B06420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA430 mov eax, dword ptr fs:[00000030h]	17_2_05ABA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB8402 mov eax, dword ptr fs:[00000030h]	17_2_05AB8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB8402 mov eax, dword ptr fs:[00000030h]	17_2_05AB8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB8402 mov eax, dword ptr fs:[00000030h]	17_2_05AB8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0C460 mov ecx, dword ptr fs:[00000030h]	17_2_05B0C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAA470 mov eax, dword ptr fs:[00000030h]	17_2_05AAA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAA470 mov eax, dword ptr fs:[00000030h]	17_2_05AAA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAA470 mov eax, dword ptr fs:[00000030h]	17_2_05AAA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3A456 mov eax, dword ptr fs:[00000030h]	17_2_05B3A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h]	17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h]	17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h]	17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h]	17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h]	17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h]	17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h]	17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE443 mov eax, dword ptr fs:[00000030h]	17_2_05ABE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA245A mov eax, dword ptr fs:[00000030h]	17_2_05AA245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7645D mov eax, dword ptr fs:[00000030h]	17_2_05A7645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A807AF mov eax, dword ptr fs:[00000030h]	17_2_05A807AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B347A0 mov eax, dword ptr fs:[00000030h]	17_2_05B347A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2678E mov eax, dword ptr fs:[00000030h]	17_2_05B2678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA27ED mov eax, dword ptr fs:[00000030h]	17_2_05AA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA27ED mov eax, dword ptr fs:[00000030h]	17_2_05AA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA27ED mov eax, dword ptr fs:[00000030h]	17_2_05AA27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0E7E1 mov eax, dword ptr fs:[00000030h]	17_2_05B0E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A847FB mov eax, dword ptr fs:[00000030h]	17_2_05A847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A847FB mov eax, dword ptr fs:[00000030h]	17_2_05A847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8C7C0 mov eax, dword ptr fs:[00000030h]	17_2_05A8C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B007C3 mov eax, dword ptr fs:[00000030h]	17_2_05B007C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABC720 mov eax, dword ptr fs:[00000030h]	17_2_05ABC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABC720 mov eax, dword ptr fs:[00000030h]	17_2_05ABC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB273C mov eax, dword ptr fs:[00000030h]	17_2_05AB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB273C mov ecx, dword ptr fs:[00000030h]	17_2_05AB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB273C mov eax, dword ptr fs:[00000030h]	17_2_05AB273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFC730 mov eax, dword ptr fs:[00000030h]	17_2_05AFC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABC700 mov eax, dword ptr fs:[00000030h]	17_2_05ABC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A80710 mov eax, dword ptr fs:[00000030h]	17_2_05A80710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB0710 mov eax, dword ptr fs:[00000030h]	17_2_05AB0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A88770 mov eax, dword ptr fs:[00000030h]	17_2_05A88770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90770 mov eax, dword ptr fs:[00000030h]	17_2_05A90770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04755 mov eax, dword ptr fs:[00000030h]	17_2_05B04755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB674D mov esi, dword ptr fs:[00000030h]	17_2_05AB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB674D mov eax, dword ptr fs:[00000030h]	17_2_05AB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB674D mov eax, dword ptr fs:[00000030h]	17_2_05AB674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0E75D mov eax, dword ptr fs:[00000030h]	17_2_05B0E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A80750 mov eax, dword ptr fs:[00000030h]	17_2_05A80750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2750 mov eax, dword ptr fs:[00000030h]	17_2_05AC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2750 mov eax, dword ptr fs:[00000030h]	17_2_05AC2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABC6A6 mov eax, dword ptr fs:[00000030h]	17_2_05ABC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB66B0 mov eax, dword ptr fs:[00000030h]	17_2_05AB66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A84690 mov eax, dword ptr fs:[00000030h]	17_2_05A84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A84690 mov eax, dword ptr fs:[00000030h]	17_2_05A84690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B006F1 mov eax, dword ptr fs:[00000030h]	17_2_05B006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B006F1 mov eax, dword ptr fs:[00000030h]	17_2_05B006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE6F2 mov eax, dword ptr fs:[00000030h]	17_2_05AFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE6F2 mov eax, dword ptr fs:[00000030h]	17_2_05AFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE6F2 mov eax, dword ptr fs:[00000030h]	17_2_05AFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE6F2 mov eax, dword ptr fs:[00000030h]	17_2_05AFE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA6C7 mov ebx, dword ptr fs:[00000030h]	17_2_05ABA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA6C7 mov eax, dword ptr fs:[00000030h]	17_2_05ABA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8262C mov eax, dword ptr fs:[00000030h]	17_2_05A8262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB6620 mov eax, dword ptr fs:[00000030h]	17_2_05AB6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB8620 mov eax, dword ptr fs:[00000030h]	17_2_05AB8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E627 mov eax, dword ptr fs:[00000030h]	17_2_05A9E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h]	17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h]	17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h]	17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h]	17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h]	17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h]	17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9260B mov eax, dword ptr fs:[00000030h]	17_2_05A9260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE609 mov eax, dword ptr fs:[00000030h]	17_2_05AFE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC2619 mov eax, dword ptr fs:[00000030h]	17_2_05AC2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA660 mov eax, dword ptr fs:[00000030h]	17_2_05ABA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA660 mov eax, dword ptr fs:[00000030h]	17_2_05ABA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4866E mov eax, dword ptr fs:[00000030h]	17_2_05B4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4866E mov eax, dword ptr fs:[00000030h]	17_2_05B4866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2674 mov eax, dword ptr fs:[00000030h]	17_2_05AB2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9C640 mov eax, dword ptr fs:[00000030h]	17_2_05A9C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC0185 mov eax, dword ptr fs:[00000030h]	17_2_05AC0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0019F mov eax, dword ptr fs:[00000030h]	17_2_05B0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0019F mov eax, dword ptr fs:[00000030h]	17_2_05B0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0019F mov eax, dword ptr fs:[00000030h]	17_2_05B0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0019F mov eax, dword ptr fs:[00000030h]	17_2_05B0019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7A197 mov eax, dword ptr fs:[00000030h]	17_2_05A7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7A197 mov eax, dword ptr fs:[00000030h]	17_2_05A7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7A197 mov eax, dword ptr fs:[00000030h]	17_2_05A7A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24180 mov eax, dword ptr fs:[00000030h]	17_2_05B24180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24180 mov eax, dword ptr fs:[00000030h]	17_2_05B24180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3C188 mov eax, dword ptr fs:[00000030h]	17_2_05B3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3C188 mov eax, dword ptr fs:[00000030h]	17_2_05B3C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B561E5 mov eax, dword ptr fs:[00000030h]	17_2_05B561E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB01F8 mov eax, dword ptr fs:[00000030h]	17_2_05AB01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B461C3 mov eax, dword ptr fs:[00000030h]	17_2_05B461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B461C3 mov eax, dword ptr fs:[00000030h]	17_2_05B461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE1D0 mov eax, dword ptr fs:[00000030h]	17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE1D0 mov eax, dword ptr fs:[00000030h]	17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE1D0 mov ecx, dword ptr fs:[00000030h]	17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE1D0 mov eax, dword ptr fs:[00000030h]	17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFE1D0 mov eax, dword ptr fs:[00000030h]	17_2_05AFE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB0124 mov eax, dword ptr fs:[00000030h]	17_2_05AB0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B40115 mov eax, dword ptr fs:[00000030h]	17_2_05B40115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2A118 mov ecx, dword ptr fs:[00000030h]	17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2A118 mov eax, dword ptr fs:[00000030h]	17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2A118 mov eax, dword ptr fs:[00000030h]	17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2A118 mov eax, dword ptr fs:[00000030h]	17_2_05B2A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov ecx, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov ecx, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov ecx, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov eax, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E10E mov ecx, dword ptr fs:[00000030h]	17_2_05B2E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54164 mov eax, dword ptr fs:[00000030h]	17_2_05B54164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54164 mov eax, dword ptr fs:[00000030h]	17_2_05B54164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B18158 mov eax, dword ptr fs:[00000030h]	17_2_05B18158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7C156 mov eax, dword ptr fs:[00000030h]	17_2_05A7C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B14144 mov eax, dword ptr fs:[00000030h]	17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B14144 mov eax, dword ptr fs:[00000030h]	17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B14144 mov ecx, dword ptr fs:[00000030h]	17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B14144 mov eax, dword ptr fs:[00000030h]	17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B14144 mov eax, dword ptr fs:[00000030h]	17_2_05B14144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A86154 mov eax, dword ptr fs:[00000030h]	17_2_05A86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A86154 mov eax, dword ptr fs:[00000030h]	17_2_05A86154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A780A0 mov eax, dword ptr fs:[00000030h]	17_2_05A780A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B460B8 mov eax, dword ptr fs:[00000030h]	17_2_05B460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B460B8 mov ecx, dword ptr fs:[00000030h]	17_2_05B460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B180A8 mov eax, dword ptr fs:[00000030h]	17_2_05B180A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8208A mov eax, dword ptr fs:[00000030h]	17_2_05A8208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A880E9 mov eax, dword ptr fs:[00000030h]	17_2_05A880E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7A0E3 mov ecx, dword ptr fs:[00000030h]	17_2_05A7A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B060E0 mov eax, dword ptr fs:[00000030h]	17_2_05B060E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7C0F0 mov eax, dword ptr fs:[00000030h]	17_2_05A7C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC20F0 mov ecx, dword ptr fs:[00000030h]	17_2_05AC20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B020DE mov eax, dword ptr fs:[00000030h]	17_2_05B020DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B16030 mov eax, dword ptr fs:[00000030h]	17_2_05B16030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7A020 mov eax, dword ptr fs:[00000030h]	17_2_05A7A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7C020 mov eax, dword ptr fs:[00000030h]	17_2_05A7C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04000 mov ecx, dword ptr fs:[00000030h]	17_2_05B04000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h]	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h]	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h]	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h]	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h]	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h]	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h]	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22000 mov eax, dword ptr fs:[00000030h]	17_2_05B22000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E016 mov eax, dword ptr fs:[00000030h]	17_2_05A9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E016 mov eax, dword ptr fs:[00000030h]	17_2_05A9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E016 mov eax, dword ptr fs:[00000030h]	17_2_05A9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E016 mov eax, dword ptr fs:[00000030h]	17_2_05A9E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAC073 mov eax, dword ptr fs:[00000030h]	17_2_05AAC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B06050 mov eax, dword ptr fs:[00000030h]	17_2_05B06050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82050 mov eax, dword ptr fs:[00000030h]	17_2_05A82050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA438F mov eax, dword ptr fs:[00000030h]	17_2_05AA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA438F mov eax, dword ptr fs:[00000030h]	17_2_05AA438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7E388 mov eax, dword ptr fs:[00000030h]	17_2_05A7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7E388 mov eax, dword ptr fs:[00000030h]	17_2_05A7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7E388 mov eax, dword ptr fs:[00000030h]	17_2_05A7E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A78397 mov eax, dword ptr fs:[00000030h]	17_2_05A78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A78397 mov eax, dword ptr fs:[00000030h]	17_2_05A78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A78397 mov eax, dword ptr fs:[00000030h]	17_2_05A78397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h]	17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h]	17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h]	17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h]	17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h]	17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h]	17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h]	17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A903E9 mov eax, dword ptr fs:[00000030h]	17_2_05A903E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB63FF mov eax, dword ptr fs:[00000030h]	17_2_05AB63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E3F0 mov eax, dword ptr fs:[00000030h]	17_2_05A9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E3F0 mov eax, dword ptr fs:[00000030h]	17_2_05A9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9E3F0 mov eax, dword ptr fs:[00000030h]	17_2_05A9E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B243D4 mov eax, dword ptr fs:[00000030h]	17_2_05B243D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B243D4 mov eax, dword ptr fs:[00000030h]	17_2_05B243D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h]	17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h]	17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h]	17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h]	17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h]	17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A3C0 mov eax, dword ptr fs:[00000030h]	17_2_05A8A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A883C0 mov eax, dword ptr fs:[00000030h]	17_2_05A883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A883C0 mov eax, dword ptr fs:[00000030h]	17_2_05A883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A883C0 mov eax, dword ptr fs:[00000030h]	17_2_05A883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A883C0 mov eax, dword ptr fs:[00000030h]	17_2_05A883C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E3DB mov eax, dword ptr fs:[00000030h]	17_2_05B2E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E3DB mov eax, dword ptr fs:[00000030h]	17_2_05B2E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E3DB mov ecx, dword ptr fs:[00000030h]	17_2_05B2E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2E3DB mov eax, dword ptr fs:[00000030h]	17_2_05B2E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B063C0 mov eax, dword ptr fs:[00000030h]	17_2_05B063C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3C3CD mov eax, dword ptr fs:[00000030h]	17_2_05B3C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B58324 mov eax, dword ptr fs:[00000030h]	17_2_05B58324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B58324 mov ecx, dword ptr fs:[00000030h]	17_2_05B58324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B58324 mov eax, dword ptr fs:[00000030h]	17_2_05B58324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B58324 mov eax, dword ptr fs:[00000030h]	17_2_05B58324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA30B mov eax, dword ptr fs:[00000030h]	17_2_05ABA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA30B mov eax, dword ptr fs:[00000030h]	17_2_05ABA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABA30B mov eax, dword ptr fs:[00000030h]	17_2_05ABA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7C310 mov ecx, dword ptr fs:[00000030h]	17_2_05A7C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA0310 mov ecx, dword ptr fs:[00000030h]	17_2_05AA0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B2437C mov eax, dword ptr fs:[00000030h]	17_2_05B2437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B28350 mov ecx, dword ptr fs:[00000030h]	17_2_05B28350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B4A352 mov eax, dword ptr fs:[00000030h]	17_2_05B4A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h]	17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h]	17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h]	17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0035C mov ecx, dword ptr fs:[00000030h]	17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h]	17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0035C mov eax, dword ptr fs:[00000030h]	17_2_05B0035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B02349 mov eax, dword ptr fs:[00000030h]	17_2_05B02349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B5634F mov eax, dword ptr fs:[00000030h]	17_2_05B5634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A902A0 mov eax, dword ptr fs:[00000030h]	17_2_05A902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A902A0 mov eax, dword ptr fs:[00000030h]	17_2_05A902A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h]	17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B162A0 mov ecx, dword ptr fs:[00000030h]	17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h]	17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h]	17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h]	17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B162A0 mov eax, dword ptr fs:[00000030h]	17_2_05B162A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE284 mov eax, dword ptr fs:[00000030h]	17_2_05ABE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABE284 mov eax, dword ptr fs:[00000030h]	17_2_05ABE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B00283 mov eax, dword ptr fs:[00000030h]	17_2_05B00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B00283 mov eax, dword ptr fs:[00000030h]	17_2_05B00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B00283 mov eax, dword ptr fs:[00000030h]	17_2_05B00283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A902E1 mov eax, dword ptr fs:[00000030h]	17_2_05A902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A902E1 mov eax, dword ptr fs:[00000030h]	17_2_05A902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A902E1 mov eax, dword ptr fs:[00000030h]	17_2_05A902E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B562D6 mov eax, dword ptr fs:[00000030h]	17_2_05B562D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A2C3 mov eax, dword ptr fs:[00000030h]	17_2_05A8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A2C3 mov eax, dword ptr fs:[00000030h]	17_2_05A8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A2C3 mov eax, dword ptr fs:[00000030h]	17_2_05A8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A2C3 mov eax, dword ptr fs:[00000030h]	17_2_05A8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8A2C3 mov eax, dword ptr fs:[00000030h]	17_2_05A8A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7823B mov eax, dword ptr fs:[00000030h]	17_2_05A7823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30274 mov eax, dword ptr fs:[00000030h]	17_2_05B30274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A84260 mov eax, dword ptr fs:[00000030h]	17_2_05A84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A84260 mov eax, dword ptr fs:[00000030h]	17_2_05A84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A84260 mov eax, dword ptr fs:[00000030h]	17_2_05A84260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7826B mov eax, dword ptr fs:[00000030h]	17_2_05A7826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3A250 mov eax, dword ptr fs:[00000030h]	17_2_05B3A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B3A250 mov eax, dword ptr fs:[00000030h]	17_2_05B3A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B5625D mov eax, dword ptr fs:[00000030h]	17_2_05B5625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A86259 mov eax, dword ptr fs:[00000030h]	17_2_05A86259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B08243 mov eax, dword ptr fs:[00000030h]	17_2_05B08243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B08243 mov ecx, dword ptr fs:[00000030h]	17_2_05B08243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7A250 mov eax, dword ptr fs:[00000030h]	17_2_05A7A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB6DA0 mov eax, dword ptr fs:[00000030h]	17_2_05AB6DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA8DBF mov eax, dword ptr fs:[00000030h]	17_2_05AA8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA8DBF mov eax, dword ptr fs:[00000030h]	17_2_05AA8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54DAD mov eax, dword ptr fs:[00000030h]	17_2_05B54DAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B48DAE mov eax, dword ptr fs:[00000030h]	17_2_05B48DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B48DAE mov eax, dword ptr fs:[00000030h]	17_2_05B48DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABCDB1 mov ecx, dword ptr fs:[00000030h]	17_2_05ABCDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABCDB1 mov eax, dword ptr fs:[00000030h]	17_2_05ABCDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABCDB1 mov eax, dword ptr fs:[00000030h]	17_2_05ABCDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B20DF0 mov eax, dword ptr fs:[00000030h]	17_2_05B20DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B20DF0 mov eax, dword ptr fs:[00000030h]	17_2_05B20DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8ADE0 mov eax, dword ptr fs:[00000030h]	17_2_05A8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8ADE0 mov eax, dword ptr fs:[00000030h]	17_2_05A8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8ADE0 mov eax, dword ptr fs:[00000030h]	17_2_05A8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8ADE0 mov eax, dword ptr fs:[00000030h]	17_2_05A8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8ADE0 mov eax, dword ptr fs:[00000030h]	17_2_05A8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8ADE0 mov eax, dword ptr fs:[00000030h]	17_2_05A8ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA0DE1 mov eax, dword ptr fs:[00000030h]	17_2_05AA0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CDEA mov eax, dword ptr fs:[00000030h]	17_2_05A7CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CDEA mov eax, dword ptr fs:[00000030h]	17_2_05A7CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A76DF6 mov eax, dword ptr fs:[00000030h]	17_2_05A76DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AACDF0 mov eax, dword ptr fs:[00000030h]	17_2_05AACDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AACDF0 mov ecx, dword ptr fs:[00000030h]	17_2_05AACDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04DD7 mov eax, dword ptr fs:[00000030h]	17_2_05B04DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04DD7 mov eax, dword ptr fs:[00000030h]	17_2_05B04DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAEDD3 mov eax, dword ptr fs:[00000030h]	17_2_05AAEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAEDD3 mov eax, dword ptr fs:[00000030h]	17_2_05AAEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54D30 mov eax, dword ptr fs:[00000030h]	17_2_05B54D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B08D20 mov eax, dword ptr fs:[00000030h]	17_2_05B08D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B38D10 mov eax, dword ptr fs:[00000030h]	17_2_05B38D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B38D10 mov eax, dword ptr fs:[00000030h]	17_2_05B38D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9AD00 mov eax, dword ptr fs:[00000030h]	17_2_05A9AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9AD00 mov eax, dword ptr fs:[00000030h]	17_2_05A9AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A9AD00 mov eax, dword ptr fs:[00000030h]	17_2_05A9AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB4D1D mov eax, dword ptr fs:[00000030h]	17_2_05AB4D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A76D10 mov eax, dword ptr fs:[00000030h]	17_2_05A76D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A76D10 mov eax, dword ptr fs:[00000030h]	17_2_05A76D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A76D10 mov eax, dword ptr fs:[00000030h]	17_2_05A76D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B18D6B mov eax, dword ptr fs:[00000030h]	17_2_05B18D6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A80D59 mov eax, dword ptr fs:[00000030h]	17_2_05A80D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A80D59 mov eax, dword ptr fs:[00000030h]	17_2_05A80D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A80D59 mov eax, dword ptr fs:[00000030h]	17_2_05A80D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A88D59 mov eax, dword ptr fs:[00000030h]	17_2_05A88D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A88D59 mov eax, dword ptr fs:[00000030h]	17_2_05A88D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A88D59 mov eax, dword ptr fs:[00000030h]	17_2_05A88D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A88D59 mov eax, dword ptr fs:[00000030h]	17_2_05A88D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A88D59 mov eax, dword ptr fs:[00000030h]	17_2_05A88D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B30CB5 mov eax, dword ptr fs:[00000030h]	17_2_05B30CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFCCA0 mov ecx, dword ptr fs:[00000030h]	17_2_05AFCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFCCA0 mov eax, dword ptr fs:[00000030h]	17_2_05AFCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFCCA0 mov eax, dword ptr fs:[00000030h]	17_2_05AFCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AFCCA0 mov eax, dword ptr fs:[00000030h]	17_2_05AFCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA8CB1 mov eax, dword ptr fs:[00000030h]	17_2_05AA8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AA8CB1 mov eax, dword ptr fs:[00000030h]	17_2_05AA8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A78C8D mov eax, dword ptr fs:[00000030h]	17_2_05A78C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2CF0 mov eax, dword ptr fs:[00000030h]	17_2_05AB2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2CF0 mov eax, dword ptr fs:[00000030h]	17_2_05AB2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2CF0 mov eax, dword ptr fs:[00000030h]	17_2_05AB2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2CF0 mov eax, dword ptr fs:[00000030h]	17_2_05AB2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CCC8 mov eax, dword ptr fs:[00000030h]	17_2_05A7CCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A78CD0 mov eax, dword ptr fs:[00000030h]	17_2_05A78CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24C34 mov eax, dword ptr fs:[00000030h]	17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24C34 mov eax, dword ptr fs:[00000030h]	17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24C34 mov eax, dword ptr fs:[00000030h]	17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24C34 mov eax, dword ptr fs:[00000030h]	17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24C34 mov eax, dword ptr fs:[00000030h]	17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24C34 mov eax, dword ptr fs:[00000030h]	17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24C34 mov ecx, dword ptr fs:[00000030h]	17_2_05B24C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7EC20 mov eax, dword ptr fs:[00000030h]	17_2_05A7EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B1CC20 mov eax, dword ptr fs:[00000030h]	17_2_05B1CC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B1CC20 mov eax, dword ptr fs:[00000030h]	17_2_05B1CC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90C00 mov eax, dword ptr fs:[00000030h]	17_2_05A90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90C00 mov eax, dword ptr fs:[00000030h]	17_2_05A90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90C00 mov eax, dword ptr fs:[00000030h]	17_2_05A90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A90C00 mov eax, dword ptr fs:[00000030h]	17_2_05A90C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABCC00 mov eax, dword ptr fs:[00000030h]	17_2_05ABCC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04C0F mov eax, dword ptr fs:[00000030h]	17_2_05B04C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB4C59 mov eax, dword ptr fs:[00000030h]	17_2_05AB4C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A86C50 mov eax, dword ptr fs:[00000030h]	17_2_05A86C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A86C50 mov eax, dword ptr fs:[00000030h]	17_2_05A86C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A86C50 mov eax, dword ptr fs:[00000030h]	17_2_05A86C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8AC50 mov eax, dword ptr fs:[00000030h]	17_2_05A8AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8AC50 mov eax, dword ptr fs:[00000030h]	17_2_05A8AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8AC50 mov eax, dword ptr fs:[00000030h]	17_2_05A8AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8AC50 mov eax, dword ptr fs:[00000030h]	17_2_05A8AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8AC50 mov eax, dword ptr fs:[00000030h]	17_2_05A8AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A8AC50 mov eax, dword ptr fs:[00000030h]	17_2_05A8AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABCF80 mov eax, dword ptr fs:[00000030h]	17_2_05ABCF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2F98 mov eax, dword ptr fs:[00000030h]	17_2_05AB2F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2F98 mov eax, dword ptr fs:[00000030h]	17_2_05AB2F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B36FF7 mov eax, dword ptr fs:[00000030h]	17_2_05B36FF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54FE7 mov eax, dword ptr fs:[00000030h]	17_2_05B54FE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC0FF6 mov eax, dword ptr fs:[00000030h]	17_2_05AC0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC0FF6 mov eax, dword ptr fs:[00000030h]	17_2_05AC0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC0FF6 mov eax, dword ptr fs:[00000030h]	17_2_05AC0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AC0FF6 mov eax, dword ptr fs:[00000030h]	17_2_05AC0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82FC8 mov eax, dword ptr fs:[00000030h]	17_2_05A82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82FC8 mov eax, dword ptr fs:[00000030h]	17_2_05A82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82FC8 mov eax, dword ptr fs:[00000030h]	17_2_05A82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82FC8 mov eax, dword ptr fs:[00000030h]	17_2_05A82FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7EFD8 mov eax, dword ptr fs:[00000030h]	17_2_05A7EFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7EFD8 mov eax, dword ptr fs:[00000030h]	17_2_05A7EFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7EFD8 mov eax, dword ptr fs:[00000030h]	17_2_05A7EFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAEF28 mov eax, dword ptr fs:[00000030h]	17_2_05AAEF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B36F00 mov eax, dword ptr fs:[00000030h]	17_2_05B36F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABCF1F mov eax, dword ptr fs:[00000030h]	17_2_05ABCF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A82F12 mov eax, dword ptr fs:[00000030h]	17_2_05A82F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAAF69 mov eax, dword ptr fs:[00000030h]	17_2_05AAAF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AAAF69 mov eax, dword ptr fs:[00000030h]	17_2_05AAAF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22F60 mov eax, dword ptr fs:[00000030h]	17_2_05B22F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B22F60 mov eax, dword ptr fs:[00000030h]	17_2_05B22F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B54F68 mov eax, dword ptr fs:[00000030h]	17_2_05B54F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B20F50 mov eax, dword ptr fs:[00000030h]	17_2_05B20F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04F40 mov eax, dword ptr fs:[00000030h]	17_2_05B04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04F40 mov eax, dword ptr fs:[00000030h]	17_2_05B04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04F40 mov eax, dword ptr fs:[00000030h]	17_2_05B04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B04F40 mov eax, dword ptr fs:[00000030h]	17_2_05B04F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B24F42 mov eax, dword ptr fs:[00000030h]	17_2_05B24F42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CF50 mov eax, dword ptr fs:[00000030h]	17_2_05A7CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CF50 mov eax, dword ptr fs:[00000030h]	17_2_05A7CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CF50 mov eax, dword ptr fs:[00000030h]	17_2_05A7CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CF50 mov eax, dword ptr fs:[00000030h]	17_2_05A7CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CF50 mov eax, dword ptr fs:[00000030h]	17_2_05A7CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7CF50 mov eax, dword ptr fs:[00000030h]	17_2_05A7CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05ABCF50 mov eax, dword ptr fs:[00000030h]	17_2_05ABCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B1AEB0 mov eax, dword ptr fs:[00000030h]	17_2_05B1AEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B1AEB0 mov eax, dword ptr fs:[00000030h]	17_2_05B1AEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0CEA0 mov eax, dword ptr fs:[00000030h]	17_2_05B0CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0CEA0 mov eax, dword ptr fs:[00000030h]	17_2_05B0CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05B0CEA0 mov eax, dword ptr fs:[00000030h]	17_2_05B0CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2E9C mov eax, dword ptr fs:[00000030h]	17_2_05AB2E9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05AB2E9C mov ecx, dword ptr fs:[00000030h]	17_2_05AB2E9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7AE90 mov eax, dword ptr fs:[00000030h]	17_2_05A7AE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7AE90 mov eax, dword ptr fs:[00000030h]	17_2_05A7AE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A7AE90 mov eax, dword ptr fs:[00000030h]	17_2_05A7AE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 17_2_05A86EE0 mov eax, dword ptr fs:[00000030h]	17_2_05A86EE0

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Users\user\Desktop\BL-INV-PL-ISO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Queries volume information: C:\Users\user\AppData\Roaming\dZxrrOCj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dZxrrOCj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BL-INV-PL-ISO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	12 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BL-INV-PL-ISO.exe	26%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
BL-INV-PL-ISO.exe	23%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\dZxrrOCj.exe	26%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal

Source	Detection	Scanner	Label
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com.	BL-INV-PL-ISO.exe, 00000000.00000002.1740573197.0000000004EC4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.typography.netD	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BL-INV-PL-ISO.exe, 00000000.00000002.1735961289.0000000002604000.00000004.00000800.00020000.00000000.sdmp, dZxrrOCj.exe, 0000000D.00000002.1773816351.0000000002834000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	BL-INV-PL-ISO.exe, 00000000.00000002.1740830875.0000000006712000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522512
Start date and time:	2024-09-30 09:53:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BL-INV-PL-ISO.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@27/15@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 49 Number of non-executed functions: 256
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:54:00	API Interceptor	1x Sleep call for process: BL-INV-PL-ISO.exe modified
03:54:02	API Interceptor	33x Sleep call for process: powershell.exe modified
03:54:05	API Interceptor	1x Sleep call for process: dZxrrOCj.exe modified
03:54:34	API Interceptor	3x Sleep call for process: vbc.exe modified
08:54:03	Task Scheduler	Run new task: dZxrrOCj path: C:\Users\user\AppData\Roaming\dZxrrOCj.exe

Process:	C:\Users\user\Desktop\BL-INV-PL-ISO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dZxrrOCj.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\dZxrrOCj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379909843762687
Encrypted:	false
SSDEEP:	48:BWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZSUyus:BLHxv2IfLZ2KRH6OugEs
MD5:	8D858A903F4F5A554A798D5A9E6FC43E
SHA1:	3422755EEA787BDA946C2C36F945A471A5A11416
SHA-256:	5D2C99871C47D463475A7A52ABC4F23269E7D3EA03467C4AAF2252A4B45097D5
SHA-512:	1C1C01A733B3662DA6D0380336C59DD163CF2253C8BE1A8DC0114BC49027DD496BD8DD21816B743BB09B2390303CD27BAA8A90FA403CA90072253D64D92FD704
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gyktmql.t4p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cbazdhg0.dun.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cn1tgy2e.ph1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n4esw3el.htp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pq2ypskd.3gr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sjycvick.3it.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4ht5npl.kop.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yt04t5bh.pzc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp590C.tmp

Download File

Process:	C:\Users\user\Desktop\BL-INV-PL-ISO.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.109544037548327
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaXxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	F01F88FADE9B5782C3A3532648DDC66C
SHA1:	056662B358015B54BECCE838D0FF0CD9AD9148F4
SHA-256:	9FAC25FE31D127447909D325577C295D25446C09E1EB9640B86DC462BF1BB7E7
SHA-512:	517AAC94EB024765E327BE8580544B8F22E46689B5715ADC473C1A3440C0D95146A2C50C8FA4511B9239246BA1686FD72ED6EEC47A2554DF475E7FBA5860EDB4
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp68AC.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\dZxrrOCj.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1574
Entropy (8bit):	5.109544037548327
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaXxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	F01F88FADE9B5782C3A3532648DDC66C
SHA1:	056662B358015B54BECCE838D0FF0CD9AD9148F4
SHA-256:	9FAC25FE31D127447909D325577C295D25446C09E1EB9640B86DC462BF1BB7E7
SHA-512:	517AAC94EB024765E327BE8580544B8F22E46689B5715ADC473C1A3440C0D95146A2C50C8FA4511B9239246BA1686FD72ED6EEC47A2554DF475E7FBA5860EDB4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\dZxrrOCj.exe

Download File

Process:	C:\Users\user\Desktop\BL-INV-PL-ISO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	832512
Entropy (8bit):	7.69741464569923
Encrypted:	false
SSDEEP:	12288:M1ZF8Km3Tsu+N7PB6cDS9YGFuzM4DrGUS6ZbxksCsJSxaV5+prfHha9:Mygu2Qc9GwMArGUZZbxksCs9+hfHha
MD5:	98764B1EA06180B4A89C043B0FC11914
SHA1:	88CDFCF42452CA0429F31FDD8D7372EFFE387969
SHA-256:	97FB0388618E3D977B390696F4CA19E38F0E706D70A40726BAB9ED8DCDCD036C
SHA-512:	3D394A5887178F60C6C92F1790314812FE8D13FB0811BAEEB7F526EAB7BD9F548F9AE8C171361430743EFC06CA476145CB53821258FE1CEA8D353CDBF87A0211
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@.................................C...O.......,...........................P...p............................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B................w.......H.......h...(.......(....;...L...........................................0..5........r...p(.....rk..p(.....r...p..A.....A...(.........+D...Y..r...p..A.....A...(......{....o.....o...............,.+......X...{..........-.........,......8.........(......X..r...p...A......A...(......r...p..(....(........{.....Y.........,..r...p(.....81............8.....r...p...A......A...(.......{....o......o......r9..p..(....(.......,...o.....(....+......,(.r[..p...........o....r...p(....(.....+

C:\Users\user\AppData\Roaming\dZxrrOCj.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\BL-INV-PL-ISO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.69741464569923
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	BL-INV-PL-ISO.exe
File size:	832'512 bytes
MD5:	98764b1ea06180b4a89c043b0fc11914
SHA1:	88cdfcf42452ca0429f31fdd8d7372effe387969
SHA256:	97fb0388618e3d977b390696f4ca19e38f0e706d70a40726bab9ed8dcdcd036c
SHA512:	3d394a5887178f60c6c92f1790314812fe8d13fb0811baeeb7f526eab7bd9f548f9ae8c171361430743efc06ca476145cb53821258fe1cea8d353cdbf87a0211
SSDEEP:	12288:M1ZF8Km3Tsu+N7PB6cDS9YGFuzM4DrGUS6ZbxksCsJSxaV5+prfHha9:Mygu2Qc9GwMArGUZZbxksCs9+hfHha
TLSH:	0B05DFC03B69B319DE784A749479DCB492B52D287011FAE61EDD3B9B3AAC3015E0CF46
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4cc796
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC3F91EE2 [Sat Mar 10 04:58:10 2074 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcc743	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x62c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc8850	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xca79c	0xca800	671d2562ec8c5210e7f3d3fd37f70cf7	False	0.8666835455246914	data	7.705373741079922	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x62c	0x800	500172e2ca5e34550920f52ceab0f5e9	False	0.33984375	data	3.4815421975097673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	0ad54f57f38f97fa29d092a935b1355b	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xce090	0x39c	data			0.420995670995671
RT_MANIFEST	0xce43c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	03:53:59
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\BL-INV-PL-ISO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Imagebase:	0x40000
File size:	832'512 bytes
MD5 hash:	98764B1EA06180B4A89C043B0FC11914
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:54:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BL-INV-PL-ISO.exe"
Imagebase:	0x440000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:54:01
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:54:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dZxrrOCj.exe"
Imagebase:	0x440000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:54:01
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:54:02
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp590C.tmp"
Imagebase:	0x9b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:54:02
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:54:02
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xcc0000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:54:02
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xcc0000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:54:02
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xcc0000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:54:02
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xcc0000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:54:02
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xcc0000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:54:03
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Roaming\dZxrrOCj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\dZxrrOCj.exe
Imagebase:	0x440000
File size:	832'512 bytes
MD5 hash:	98764B1EA06180B4A89C043B0FC11914
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 26%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:54:04
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:54:06
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dZxrrOCj" /XML "C:\Users\user\AppData\Local\Temp\tmp68AC.tmp"
Imagebase:	0x9b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:54:06
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:54:06
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xcc0000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2055413010.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Executed Functions

Function 00AED568 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00AED5F6
GetCurrentThread.KERNEL32 ref: 00AED633
GetCurrentProcess.KERNEL32 ref: 00AED670
GetCurrentThreadId.KERNEL32 ref: 00AED6C9

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 403c83975fb6ef3e9f5f88362ef287941591761a9e3c07d4ab94da2b7643989a
Instruction ID: b06c6b7ab7137e2494cf4329725e02c0160729ccf7efc87f391047ba887d2b12
Opcode Fuzzy Hash: 403c83975fb6ef3e9f5f88362ef287941591761a9e3c07d4ab94da2b7643989a
Instruction Fuzzy Hash: C15167B0D003498FDB04DFAAD948BAEBBF1EF48304F208459E009AB3A1D7755944CF65

Function 00AED578 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00AED5F6
GetCurrentThread.KERNEL32 ref: 00AED633
GetCurrentProcess.KERNEL32 ref: 00AED670
GetCurrentThreadId.KERNEL32 ref: 00AED6C9

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: baac12d6917e18e709b60a27af9fa54e25b078c5a959911e6b05126d63d99be3
Instruction ID: 62b9f056c774c6e12434e4fdd94e0b1a6fc5a06ca93f6205e49147c3383f1b93
Opcode Fuzzy Hash: baac12d6917e18e709b60a27af9fa54e25b078c5a959911e6b05126d63d99be3
Instruction Fuzzy Hash: C75167B0D003498FDB04DFAAD948BAEBBF1EF48314F208459E009AB3A0DB759944CF65

Function 00AEB2E1 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00AEB546

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0c745306827fcd724f66a7ff2c1a71ae806d088e6f89f0dfcbee44934a8ccb8b
Instruction ID: 8c4755bc3f87d4dc47dcade3a7c9bae7333ca8e103b0c860adfccd65a0cd3acf
Opcode Fuzzy Hash: 0c745306827fcd724f66a7ff2c1a71ae806d088e6f89f0dfcbee44934a8ccb8b
Instruction Fuzzy Hash: 06816570A10B858FDB24DF2AD54575BBBF1FF88300F108929D08ACBA91DB35E945CBA1

Function 00AE480C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AE5CC1

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 91a4eddf183ec9ecb8bd02ca11a4c2815fac7d3c7057c5dc16bb82f5a1315fbd
Instruction ID: 86b28602e1733be2120d781b8e7011e492aca7f3bbbf471254a38ab23390be58
Opcode Fuzzy Hash: 91a4eddf183ec9ecb8bd02ca11a4c2815fac7d3c7057c5dc16bb82f5a1315fbd
Instruction Fuzzy Hash: 7041C2B4C0075DCBDB24DFAAC848B9EBBF5BF49304F20806AD409AB251DB756945CF90

Function 00AE5C05 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00AE5CC1

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4ccd05b34cb03eb8c63a5702fc47d1fda62180b7a895ab0b8f963e7d44386bbf
Instruction ID: 27c4e1d8979a6b7a7b79e63c5130645ea5890cc2a932bfedfb14dfb3afb648aa
Opcode Fuzzy Hash: 4ccd05b34cb03eb8c63a5702fc47d1fda62180b7a895ab0b8f963e7d44386bbf
Instruction Fuzzy Hash: 5841B2B0C00759CADB25DFA9D884BDDBBF5BF49304F20806AD409AB251DB756946CF90

Function 00AED7B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AED847

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ebab15053c236088439818248d2b2e0c3c3c11e62f9ffcaa9e7a6ed741a8b700
Instruction ID: ce909f08c0f0b4e6b1300a069dffeb852488b4beee9c3715a03fcb3bd3c2b178
Opcode Fuzzy Hash: ebab15053c236088439818248d2b2e0c3c3c11e62f9ffcaa9e7a6ed741a8b700
Instruction Fuzzy Hash: 4521E3B59002489FDB10CFAAD484AEEBFF5FF48310F14841AE958A3351D375AA54CF64

Function 00AED7C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AED847

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cae9dad3e4e40414a69c08420e58f6d89b6ef42f798d4187199c5a0f70d5c8cf
Instruction ID: 8bda534757c9f97c7f7a65e7d1e6e76b7acad37ff4f6342fe7186cb769a4ea5c
Opcode Fuzzy Hash: cae9dad3e4e40414a69c08420e58f6d89b6ef42f798d4187199c5a0f70d5c8cf
Instruction Fuzzy Hash: E421E2B59003489FDB10CFAAD884ADEBFF8EB48320F14841AE918A3350D374A954CFA4

Function 00AEB4E0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00AEB546

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6be4e3fc1111c48b03d6b3a7fda8d3538417544b91d572a35f9a7d79ad8e1478
Instruction ID: 649e56e4c9e07365e6d601aa96b1dbb3ec50564fe55a84244af0964825d5d895
Opcode Fuzzy Hash: 6be4e3fc1111c48b03d6b3a7fda8d3538417544b91d572a35f9a7d79ad8e1478
Instruction Fuzzy Hash: 2C11DFB5C003498FCB10DF9AD448ADEFBF4AB89320F10846AD419A7250D375A645CFA5

Function 00A0D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734081604.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7076248a745fc00d7d683253d2a54347ffe48d2207d4baba5b1ac942ec590426
Instruction ID: 2802c5c4c94d04f08016b71be98ec8aec4235b3a0b5f61289da94d56fa74966e
Opcode Fuzzy Hash: 7076248a745fc00d7d683253d2a54347ffe48d2207d4baba5b1ac942ec590426
Instruction Fuzzy Hash: 352148B2500208DFCB01DF44E9C0B26BF75FB94324F20C569E90A0B286C337E856C7A2

Function 00A1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734202531.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba8f265df3e01704ff71395e7fe59729e8c0fbad7e55c567a6fd9da5b8ed6cc
Instruction ID: abebc73bc733972be41ac8d7789bd9ed2324a3ef0f6b5f76919bdbfe20f5e683
Opcode Fuzzy Hash: 6ba8f265df3e01704ff71395e7fe59729e8c0fbad7e55c567a6fd9da5b8ed6cc
Instruction Fuzzy Hash: FE2107B5604200EFDB05DF14D9C4BA5BBB5FB94314F24CA6DD81A4B391C336D886CB61

Function 00A1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734202531.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d43ea0bd869eb92c23d5848201d3b4b79db4a8b883e7e3727c00dea3cc0ff2
Instruction ID: a739ed712b0fb73950df71c82e1e7f4590782d846fd2d73955ffe1b1a670820d
Opcode Fuzzy Hash: c5d43ea0bd869eb92c23d5848201d3b4b79db4a8b883e7e3727c00dea3cc0ff2
Instruction Fuzzy Hash: 3621F275604200EFCB14DF14D9C4B66BBA5FB98314F24C96DD80B4B386C33AD887CA61

Function 0797019F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742022651.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7970000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f459e29733f6330a936d718c301ff12a2179223eb71fb62deb7d39f36f6c0195
Instruction ID: 6ed853114a0cb4d04740d5a9e872e86c4a5f775e0871f72970a050c0fd1e8541
Opcode Fuzzy Hash: f459e29733f6330a936d718c301ff12a2179223eb71fb62deb7d39f36f6c0195
Instruction Fuzzy Hash: 9621F6B27043468FDB14CF6DD8907AABBE5EF85604F08C4BA945DCB246DF349842C7A0

Function 079701B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742022651.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7970000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020cde52b89da6a717fd3e03c7a20ac8f26181cf7957cbecf1ac775027ae9746
Instruction ID: 408b01fe01b5cfb648c1c088dc60c6ceedb73dff188454c3ab572c097ce92e65
Opcode Fuzzy Hash: 020cde52b89da6a717fd3e03c7a20ac8f26181cf7957cbecf1ac775027ae9746
Instruction Fuzzy Hash: DB11ACB2B002068BDB28CF6DD89076AB6E6EF84215F18C439941D8B245DF34D842CBA0

Function 00A1D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734202531.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbd7e0c3fc703331d26d9799677f3facbea00ff4b162ba7037808045f79f102
Instruction ID: 6e9f303c5efc3eb1ba2554ef7c3bfea2e0be01f01fc300c21cf18354926c520a
Opcode Fuzzy Hash: 0dbd7e0c3fc703331d26d9799677f3facbea00ff4b162ba7037808045f79f102
Instruction Fuzzy Hash: B821A1755093808FCB02CF24D994B15BF71FB49314F28C5DAD84A8B2A7C33AD84ACB62

Function 00A0D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734081604.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0d000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: fa80723ef29680ad8d424f1bac2319f32dcb0de3205cb6f20ab810c091419197
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 7F112676504244CFCB02CF44D5C4B16BF72FB94324F24C2A9D8090B296C33BE85ACBA1

Function 00A1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734202531.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a1d000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 2ae659d7494ee7d8b93d3867389935bed56adea91e7a9c1e423476b0a5811c3e
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 2011DD75904280DFCB02CF14C5C4B55FBB2FB84324F28C6ADD8494B696C33AD84ACB61

Function 07970FA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742022651.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7970000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23664f47723ad230ba484017b927e8b55c8b90416ff89be6968ad52bc0668898
Instruction ID: 344d50e9651be6e5247ba3577f89529906412d1a27b1f0f6a223453f1fc2346f
Opcode Fuzzy Hash: 23664f47723ad230ba484017b927e8b55c8b90416ff89be6968ad52bc0668898
Instruction Fuzzy Hash: 1C1161B0C052A9EFD701DFB88855BFDBFF4AB46305F0454E5E454A7291C3345A44DB51

Function 07970FB0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742022651.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7970000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4e9f5931e56aba0031bcad320eee80f4b7a51651ec8d79c7e75b087b000f94
Instruction ID: ffe96c8395e52b227a3beb07f189df49534cc316d440c4e7a627ba8d12f1177e
Opcode Fuzzy Hash: 5e4e9f5931e56aba0031bcad320eee80f4b7a51651ec8d79c7e75b087b000f94
Instruction Fuzzy Hash: EA0128B0D04259DFCB04DFA9C849BFEBBF4BB4A306F0484A9D469A3291D7789A44DF14

Function 0797102C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1742022651.0000000007970000.00000040.00000800.00020000.00000000.sdmp, Offset: 07970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7970000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9660c50df7471d5e4f14af10d750d2c62da25e03be3af78a249824ad7f5c82c5
Instruction ID: d87c95e8aa060db3d92943034c8d4eff4a384be81b21fea6ac5fe98c4d4000fc
Opcode Fuzzy Hash: 9660c50df7471d5e4f14af10d750d2c62da25e03be3af78a249824ad7f5c82c5
Instruction Fuzzy Hash: EBF0B4F0C092A99FC7118FA498659BCBFB0EB4B306F0444D6D456B7251D2388641DB10

Non-executed Functions

Function 00AEE12C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735204520.0000000000AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_BL-INV-PL-ISO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baeb56e42152e975e91384a560892761939057d8500d6255b3a0213647a7c679
Instruction ID: 3d4d36b131982ace04129991bb44b3412c360e033f5367e090c4f28b0103c8c7
Opcode Fuzzy Hash: baeb56e42152e975e91384a560892761939057d8500d6255b3a0213647a7c679
Instruction Fuzzy Hash: D7A18D32E00249CFCF05DFB6C9809AEB7B2FF95300B15857AE805AB265DB71E955CB80

Analysis Process: dZxrrOCj.exePID: 7288, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	88
Total number of Limit Nodes:	5

Executed Functions

Function 00FDD568 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FDD5F6
GetCurrentThread.KERNEL32 ref: 00FDD633
GetCurrentProcess.KERNEL32 ref: 00FDD670
GetCurrentThreadId.KERNEL32 ref: 00FDD6C9

Memory Dump Source

Source File: 0000000D.00000002.1773379702.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fd0000_dZxrrOCj.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5c375dcdd22cd4ca38fb85f5ff66fbe237fe6335a5cb0dac5bf8afd6e1852618
Instruction ID: b86e9396d99a734c468d619d724ee7af703568bb53f26a626b759bf2cf5a9628
Opcode Fuzzy Hash: 5c375dcdd22cd4ca38fb85f5ff66fbe237fe6335a5cb0dac5bf8afd6e1852618
Instruction Fuzzy Hash: B35164B0D01309CFDB04DFA9D548B9EBBF2AB48314F24849AE009A73A1DB749984CF65

Function 00FDD578 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FDD5F6
GetCurrentThread.KERNEL32 ref: 00FDD633
GetCurrentProcess.KERNEL32 ref: 00FDD670
GetCurrentThreadId.KERNEL32 ref: 00FDD6C9

Memory Dump Source

Source File: 0000000D.00000002.1773379702.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fd0000_dZxrrOCj.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ca1c73ca88169367eb36a788c7c1a05607e3bab33629c83f5579742a0fbf317e
Instruction ID: 8f32937fcd42ddd6fecd5a8ed17d919e8797be5eb9e217f5a1abf7340583fd67
Opcode Fuzzy Hash: ca1c73ca88169367eb36a788c7c1a05607e3bab33629c83f5579742a0fbf317e
Instruction Fuzzy Hash: 0E5144B0D01309CFDB14DFAAD548B9EBBF1EB48314F24845AE409A73A0DB74A984CF65

Function 00FDB2E1 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FDB546

Memory Dump Source

Source File: 0000000D.00000002.1773379702.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fd0000_dZxrrOCj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2a752f45c276356e2347260fd4f0aa3a2e144cffc3bacc5cd78e33a4396c6b0c
Instruction ID: 8d22b7c3fe081a7d182228bc5f21ef589cdb3ba04a4bd74a1ed43231ae47d4df
Opcode Fuzzy Hash: 2a752f45c276356e2347260fd4f0aa3a2e144cffc3bacc5cd78e33a4396c6b0c
Instruction Fuzzy Hash: C7813170A00B458FDB24DF29D44475ABBF2BF88310F088A2ED48AD7B41DB38E945DB91

Function 04D71DE4 Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D71F02

Memory Dump Source

Source File: 0000000D.00000002.1785388687.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4d70000_dZxrrOCj.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 084d0453231479dd56db57898a7efccb46da6daf725ea2690f381ddc37ab62d6
Instruction ID: 2426fbcb06e31e03be2fececcbdf8f9aaff674e69c8953e8f3bea7d59d368358
Opcode Fuzzy Hash: 084d0453231479dd56db57898a7efccb46da6daf725ea2690f381ddc37ab62d6
Instruction Fuzzy Hash: E851F2B1D003499FDB15CFA9C884ADEBFB5BF48310F24826AE418AB311E774A945CF91

Function 04D71DF0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D71F02

Memory Dump Source

Source File: 0000000D.00000002.1785388687.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4d70000_dZxrrOCj.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0ec998983170dba2839d1deb76229720724ade18d5f5d9c6e6fb69b933118ede
Instruction ID: 719ac995110b4d7b1c83e34a3c963c09daf73aab45c0cfa6f4db3c813f7fd05f
Opcode Fuzzy Hash: 0ec998983170dba2839d1deb76229720724ade18d5f5d9c6e6fb69b933118ede
Instruction Fuzzy Hash: D141A0B1D003099FDB14CF99C984ADEFBB5BF48310F24822AE819AB310D775A945CF91

Function 00FD5C04 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FD5CC1

Memory Dump Source

Source File: 0000000D.00000002.1773379702.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fd0000_dZxrrOCj.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 493e1f8a71ba640256bdd9dfd974ae2079a6230d56b252eb76da3914509b3676
Instruction ID: 2c5c709e66c45bc3a7ebfbe1227f2be2b61bd1e331f2ce26ae98c038528688f4
Opcode Fuzzy Hash: 493e1f8a71ba640256bdd9dfd974ae2079a6230d56b252eb76da3914509b3676
Instruction Fuzzy Hash: CE41E1B0C0071DCADB24DFA9C944B9EBBF6BF49714F24806AD408AB251DB75694ACF90

Function 04D70CEC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04D74481

Memory Dump Source

Source File: 0000000D.00000002.1785388687.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4d70000_dZxrrOCj.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 13950e7cad4c6bb6b1663238cafa6c52df34410fc12e776a04e91b53f4e7dcec
Instruction ID: ad18c77f919abed944406743e043fecc7ce69320821f49e8499cd4e360a82f00
Opcode Fuzzy Hash: 13950e7cad4c6bb6b1663238cafa6c52df34410fc12e776a04e91b53f4e7dcec
Instruction Fuzzy Hash: 48413AB4A00305CFDB15CF99C488AAABBF5FF88318F25C859D519A7361E774A841DBA0

Function 00FD480C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FD5CC1

Memory Dump Source

Source File: 0000000D.00000002.1773379702.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fd0000_dZxrrOCj.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 011201665958cbc14ba494ddfdd6582cdebb72c9db0574400f3814dfaa4b0228
Instruction ID: 783cb533c88b4718f04282e5ce2e08c61015258d241f6b4e396a3f1f4e342ce4
Opcode Fuzzy Hash: 011201665958cbc14ba494ddfdd6582cdebb72c9db0574400f3814dfaa4b0228
Instruction Fuzzy Hash: 7041CEB0C0071DCBDB24DFA9C848B9EBBF6BF49714F24806AD409AB251DB756949CF90

Function 00FDD7B8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FDD847

Memory Dump Source

Source File: 0000000D.00000002.1773379702.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fd0000_dZxrrOCj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bd7dbd45551f9508091b93c324d0e0b50875435fdd769b13feee0e98157f4d3c
Instruction ID: dc0d8213734d68bd3de4e318b27ec579523e5ce5501eaaa29419040ee8dd7c04
Opcode Fuzzy Hash: bd7dbd45551f9508091b93c324d0e0b50875435fdd769b13feee0e98157f4d3c
Instruction Fuzzy Hash: 0B2113B59003489FDB10CF9AD584ADEBFF5EB48320F14801AE958A3310D378A944DFA1

Function 00FDD7C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FDD847

Memory Dump Source

Source File: 0000000D.00000002.1773379702.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fd0000_dZxrrOCj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5dd71ec18b56e1806a9e1f4e01bb84ab387ab3cb8dffbc70160947f2bca0b8bb
Instruction ID: 12e763626176afd69ed3383ff912e95b4c8004d1c581842e58be20f342d420db
Opcode Fuzzy Hash: 5dd71ec18b56e1806a9e1f4e01bb84ab387ab3cb8dffbc70160947f2bca0b8bb
Instruction Fuzzy Hash: D021E4B5D003499FDB10CF9AD984ADEBFF5EB48320F14801AE958A3350D378A954DFA0

Function 00FDB4E0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FDB546

Memory Dump Source

Source File: 0000000D.00000002.1773379702.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_fd0000_dZxrrOCj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: faef20d10aeca112a3d1d2831adc447e1eb793295b38365601504fed8f8043b6
Instruction ID: 34ed7bc8fa6b8f6f2a963accc9c5be3f0cb439b827f7baa1c669013093db28f5
Opcode Fuzzy Hash: faef20d10aeca112a3d1d2831adc447e1eb793295b38365601504fed8f8043b6
Instruction Fuzzy Hash: 1D11FDB5C003498BCB10DF9AD844A9EFBF5AB88320F15845AD419A7200D379A545CFA1

Function 00BDD1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1773103650.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bdd000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba0bcf958f47f4006d249bbe4fab530265e3a3c2895664e92c018e826b11b96
Instruction ID: 49747f4504b86c49da7c7662f83f9bc1805d387a64e351a3b9074aba282be6da
Opcode Fuzzy Hash: cba0bcf958f47f4006d249bbe4fab530265e3a3c2895664e92c018e826b11b96
Instruction Fuzzy Hash: A92103B1604200DFCB05DF14D8C4B2AFFA5FB98310F24C6AAE9490B346D336D816DBA1

Function 00BDD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1773103650.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bdd000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcedc39a9c35d7f73a5d6520d603fc892f4eca901ae0ec8fdddcb4762f8708d
Instruction ID: ee2db9ad25c8c716bf48c201ea6dde919b1e8d9989d62cfb6e9869c5a4d9d331
Opcode Fuzzy Hash: 5bcedc39a9c35d7f73a5d6520d603fc892f4eca901ae0ec8fdddcb4762f8708d
Instruction Fuzzy Hash: 63212871504240DFDB05DF14E9C0B26FFA5FBA4318F24C5AAD8490B356D336D816CBA1

Function 00BED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1773154946.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bed000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157ad8ed11989c1729fac70adb097200ddfa54c24a239f500c11461854a1bdd5
Instruction ID: 38b67aa6b5f91ed23719621dee22765e8dfd29eba42834d5d94da06614e31338
Opcode Fuzzy Hash: 157ad8ed11989c1729fac70adb097200ddfa54c24a239f500c11461854a1bdd5
Instruction Fuzzy Hash: 5D21D075604280DFCB14DF14D9D4B26BBA5FB94314F28CAADD80A4B296C3BAD807CA61

Function 00BED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1773154946.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bed000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb88d7415898807cefd51db9770df4b299d189b6fc9c124fe6b17965b1b77d7
Instruction ID: 9a581564eb2affc792b336b3220f3dc20f65f3da4400976bf291824c2d6d6bd4
Opcode Fuzzy Hash: fcb88d7415898807cefd51db9770df4b299d189b6fc9c124fe6b17965b1b77d7
Instruction Fuzzy Hash: EC210775604280EFDB05DF15D9C4B25BBE5FB94314F24CAADDA0A4B391C376D806CB61

Function 00BED006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1773154946.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bed000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efffbc3db5b80ae8b1fe12e56ba6e390deb1ff71cd524639bb2269d482bca579
Instruction ID: f499946d8a841dec5212907a3e33b561d999301133824c752daf2aa0d73c318c
Opcode Fuzzy Hash: efffbc3db5b80ae8b1fe12e56ba6e390deb1ff71cd524639bb2269d482bca579
Instruction Fuzzy Hash: A821A4755093C08FCB02CF20D5A4715BFB1EB45314F28C5EAD8498B297C33AD80ACB62

Function 00BDD1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1773103650.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bdd000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
Instruction ID: 65c45beaae5bef84ba5d7c53a734b841d661c97f7e9a447ad6e7b1dcaf2821bf
Opcode Fuzzy Hash: 3660dfe55a9ec3abc1fd528c2c7e977daaa4d4c3ae68719e8bb560421c7628fc
Instruction Fuzzy Hash: 7B219D76504240DFDB06CF50D9C4B16FFB2FB84314F24C6AADD490A656C33AD82ACBA1

Function 00BDD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1773103650.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bdd000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 1b9d4d93b70cae0883d9180fa09ae7ace9e31023b9352a27c09f71249d4adab5
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: A611B176504280DFCB16CF14D5C4B16FFB2FBA4328F24C6AAD8490B656C336D85ACBA1

Function 00BED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1773154946.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_bed000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: d816470b13b53593f73b95d4b19847a516994c0865815f425360cfd78c49af15
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: A211DD79A04280DFCB02CF10C5C4B15FBB2FB84324F24C6ADD9494B296C37AD80ACB61

Function 07820220 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1787558803.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7820000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fe2c4770859d8deb05e1fc90726a0913dea551931f470065cfb575d8ea51c1
Instruction ID: db0c5535dc868e50d7f2c909458ce120c2e560e7a7062b0b1b3a5700b59f50d7
Opcode Fuzzy Hash: e1fe2c4770859d8deb05e1fc90726a0913dea551931f470065cfb575d8ea51c1
Instruction Fuzzy Hash: F8011AB0D05269DFCB01DFA5D8087BDBBF0FB4A302F0484AAD468A3291D7344A80EF14

Function 0782029C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1787558803.0000000007820000.00000040.00000800.00020000.00000000.sdmp, Offset: 07820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7820000_dZxrrOCj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58559bf3955bb50eea8a2ba96ccedeaff4ea4b37b58a5a3aa69dd28d5ebc5a0f
Instruction ID: 418cf3a5a8d90088e709007af3cd9c6d404a840fb3b170f7b7d4d8aa03b3312f
Opcode Fuzzy Hash: 58559bf3955bb50eea8a2ba96ccedeaff4ea4b37b58a5a3aa69dd28d5ebc5a0f
Instruction Fuzzy Hash: CCF0B4B0C092699FC7028FB098595BCBFB0EB6B303F0480D6D496E7261C6344681EB10

Analysis Process: vbc.exePID: 7564, Parent PID: 7288COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	5.5%
Signature Coverage:	9.1%
Total number of Nodes:	110
Total number of Limit Nodes:	12

Executed Functions

Function 00417BF3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C65

Memory Dump Source

Source File: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 15334b27798d5646baa2fb667cb1bd54b02f4f0ae59de07c703da83143408988
Instruction ID: 8bf3c3ea2f0059adb96aeca56b0dee45023ff29f563ccf5832e8fe0fd52589cd
Opcode Fuzzy Hash: 15334b27798d5646baa2fb667cb1bd54b02f4f0ae59de07c703da83143408988
Instruction Fuzzy Hash: 090125B5E4020DABDF10DBE5DC42FDEB3789B54308F0041A6E90897241F675EB588795

Function 0042CA83 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CAB7

Memory Dump Source

Source File: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: e04e7f475683f92694246f374bcc50d433ef83bea3239dd8adfa11e6ef3f5f8c
Instruction ID: 7cc26104a293bde659163a0037faa47e4748335bf684d1060b1119f1bab331e5
Opcode Fuzzy Hash: e04e7f475683f92694246f374bcc50d433ef83bea3239dd8adfa11e6ef3f5f8c
Instruction Fuzzy Hash: 9BE04F766146147BD210BAAADC01F9BB75CDFC5714F40446AFA5C67142C674790087A4

Function 05AC2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05AC2DFA

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 218811d7187653364dfb0bd26ce5a21377b03a29b4c70b49aeb918f4d78415fc
Instruction ID: 5dab195ace3306a0062f4803fba9f59a2a07041d8f7d517a9969e565b20cd77b
Opcode Fuzzy Hash: 218811d7187653364dfb0bd26ce5a21377b03a29b4c70b49aeb918f4d78415fc
Instruction Fuzzy Hash: 7E90023620141513D51171585544B07402987D0241FD6C412A0434559D965E8A52A131

Function 05AC2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05AC2C7A

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c7ee6f5c66f854bb9a8fe8e32b2687acc6784e649cf4ec18462649c8b3b0ddf
Instruction ID: a1ac8fbd81115e2f00288f30618b3bf485452fd8f251ae7b85d119505003741e
Opcode Fuzzy Hash: 2c7ee6f5c66f854bb9a8fe8e32b2687acc6784e649cf4ec18462649c8b3b0ddf
Instruction Fuzzy Hash: 8B90023620149902D51071589444B4A402587D0301F9AC411A4434659D869D89917131

Function 05AC35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05AC35CA

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6b8d5020cfc811206921ab23f7be836ddabecf6056e7f95e9899222fa0717dc
Instruction ID: 829e47bceb635eebe83d5aeab637253a0d450b3b15e2f81618b9a980b51fcfc3
Opcode Fuzzy Hash: a6b8d5020cfc811206921ab23f7be836ddabecf6056e7f95e9899222fa0717dc
Instruction Fuzzy Hash: 3D90023660551502D50071585554B06502587D0201FA6C411A0434569D879D8A5165B2

Function 0042CDE3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CE22

Strings

AiA, xrefs: 0042CDE6

Memory Dump Source

Source File: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: AiA
API String ID: 3298025750-1006477069
Opcode ID: 46a9b9700e650c9e129a987a06cc0e65bf10c4a7c47248bbb861eb1d0d76aa50
Instruction ID: c72936cb4efe5e2cf01bc671713416fca844fb81b380d1929e51ec7f9bf1c3fc
Opcode Fuzzy Hash: 46a9b9700e650c9e129a987a06cc0e65bf10c4a7c47248bbb861eb1d0d76aa50
Instruction Fuzzy Hash: 2BE06DB6604604BBD610EE9AEC45E9B73ACDFC8710F00441AFD08A7241D670B9108AB4

Function 0042CD93 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EA24,?,?,00000000,?,0041EA24,?,?,?), ref: 0042CDCF

Memory Dump Source

Source File: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c507f5cdd0cb2c99d51aa2b97bc8289730527cacbf787ebd788a04eef9f5a23a
Instruction ID: b01edf77d5195f78f0d610293897fa3a338d9c232dfd3eac683267fcc812f4dd
Opcode Fuzzy Hash: c507f5cdd0cb2c99d51aa2b97bc8289730527cacbf787ebd788a04eef9f5a23a
Instruction Fuzzy Hash: 24E06DB66042447BC614EE99DC41EDB33ACEFC8714F00445AF908A7241C670BD108AB4

Function 0042CE33 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042CE67

Memory Dump Source

Source File: 00000011.00000002.2054400538.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 93e88a4cd9ea8e33a96dbfc1479c99e3f85031411c676b6611650d8667f0066d
Instruction ID: 25b2cbbcdf84ce54516d582ca17e3cc71a358c84468f5b2f557c169db28fe67e
Opcode Fuzzy Hash: 93e88a4cd9ea8e33a96dbfc1479c99e3f85031411c676b6611650d8667f0066d
Instruction Fuzzy Hash: 6AE04F763006147BD220FA9ADC01E9B77ACDBC5714F00446AFA0867141C6B1B91586E4

Function 05AC2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05AC2C24

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 736654f676b11747b202168ea9db592aab28a9c36d254a5fa3ac2675283346cd
Instruction ID: 9deb747019b63003c5be034da5abb7fdad4c75abed0a8176597ae6a4a79d5c90
Opcode Fuzzy Hash: 736654f676b11747b202168ea9db592aab28a9c36d254a5fa3ac2675283346cd
Instruction Fuzzy Hash: 9DB09B769055D5C5DF11F7605608F177D117BD0701F56C075D2530642E473CC5D1E175

Non-executed Functions

Function 05B38D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

The resource is owned exclusively by thread %p, xrefs: 05B38E24
The instruction at %p tried to %s , xrefs: 05B38F66
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 05B38FEF
The resource is owned shared by %d threads, xrefs: 05B38E2E
*** A stack buffer overrun occurred in %ws:%s, xrefs: 05B38DA3
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 05B38F34
*** enter .cxr %p for the context, xrefs: 05B38FBD
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 05B38E4B
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 05B38F2D
*** Resource timeout (%p) in %ws:%s, xrefs: 05B38E02
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 05B38DD3
Go determine why that thread has not released the critical section., xrefs: 05B38E75
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 05B38F26
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05B38E86
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 05B38DB5
read from, xrefs: 05B38F5D, 05B38F62
*** then kb to get the faulting stack, xrefs: 05B38FCC
*** enter .exr %p for the exception record, xrefs: 05B38FA1
This failed because of error %Ix., xrefs: 05B38EF6
an invalid address, %p, xrefs: 05B38F7F
The instruction at %p referenced memory at %p., xrefs: 05B38EE2
*** Inpage error in %ws:%s, xrefs: 05B38EC8
write to, xrefs: 05B38F56
*** An Access Violation occurred in %ws:%s, xrefs: 05B38F3F
<unknown>, xrefs: 05B38D2E, 05B38D81, 05B38E00, 05B38E49, 05B38EC7, 05B38F3E
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 05B38D8C
The critical section is owned by thread %p., xrefs: 05B38E69
a NULL pointer, xrefs: 05B38F90
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 05B38DC4
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05B38E3F

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 2185ef8ccd5da5bfac1c311977b3362ae18b7359215eb8a11502c82540045bd7
Instruction ID: cdac762a76284352e98155e99808a9e266b9401139078b72e660f5e409bf96ba
Opcode Fuzzy Hash: 2185ef8ccd5da5bfac1c311977b3362ae18b7359215eb8a11502c82540045bd7
Instruction Fuzzy Hash: 5681E079B45218BFCF25AA148C4AD7B3F36FF46B10F0204C5F1096F252E775A401E6A2

Function 05B02349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 05B02B74
DisableHeapLookaside, xrefs: 05B0246D
minkernel\ntdll\ldrinit.c, xrefs: 05B03187
GlobalFlag2, xrefs: 05B02FC0
@, xrefs: 05B02942
DisableExceptionChainValidation, xrefs: 05B0275F
UseImpersonatedDeviceMap, xrefs: 05B0251C
ExecuteOptions, xrefs: 05B025A0
UnloadEventTraceDepth, xrefs: 05B024C0
CFGOptions, xrefs: 05B02967
RaiseExceptionOnPossibleDeadlock, xrefs: 05B02579
MaxLoaderThreads, xrefs: 05B024EC
Initializing the application verifier package failed with status 0x%08lx, xrefs: 05B03176
LdrpInitializeExecutionOptions, xrefs: 05B0317D
MaxDeadActivationContexts, xrefs: 05B02D82
GlobalFlag, xrefs: 05B02F3F, 05B03059
MinimumStackCommitInBytes, xrefs: 05B02BB0
FrontEndHeapDebugOptions, xrefs: 05B02489
TracingFlags, xrefs: 05B02549
ShutdownFlags, xrefs: 05B024A1

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 37f8ca2be1e8f6988e659edf52ca6602cdb29b4c45b57fe88cb653da9f7bb44d
Instruction ID: 0363dbb3d3004a6fe5a8b3bace4b4a422edaf6f2d5aadacb4f2c2c08b039f1dd
Opcode Fuzzy Hash: 37f8ca2be1e8f6988e659edf52ca6602cdb29b4c45b57fe88cb653da9f7bb44d
Instruction Fuzzy Hash: B992AE75608741ABEB21CE14C889F6BFBE9FB84710F04586DFA95D7290D770E848CB92

Function 05AB8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread identifier, xrefs: 05AF553A
Critical section debug info address, xrefs: 05AF541F, 05AF552E
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05AF54E2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05AF54CE
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05AF540A, 05AF5496, 05AF5519
Address of the debug info found in the active list., xrefs: 05AF54AE, 05AF54FA
Thread is in a state in which it cannot own a critical section, xrefs: 05AF5543
corrupted critical section, xrefs: 05AF54C2
undeleted critical section in freed memory, xrefs: 05AF542B
8, xrefs: 05AF52E3
Critical section address, xrefs: 05AF5425, 05AF54BC, 05AF5534
Invalid debug info address of this critical section, xrefs: 05AF54B6
Critical section address., xrefs: 05AF5502
double initialized or corrupted critical section, xrefs: 05AF5508

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 4d9a32edceb4ce484264ab32abbcb9ba674b6c637d4a7855ea7f2aeabb93e20a
Instruction ID: 981b20e81ace61f5501568239d24b84738c8cd455cf7012eec289380cc03aacb
Opcode Fuzzy Hash: 4d9a32edceb4ce484264ab32abbcb9ba674b6c637d4a7855ea7f2aeabb93e20a
Instruction Fuzzy Hash: 27816AB1E40359AFDB20CF98C845FAEBBFABB08714F104159F615B7281D3B5A940DBA0

Function 05A9AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 05AE82D0, 05AE83AB
LdrpFindLoadedDllInternal, xrefs: 05AE82D7
DLL name: %wZ, xrefs: 05AE8075
minkernel\ntdll\ldrutil.c, xrefs: 05AE80B7
LdrGetDllHandleEx, xrefs: 05AE807C, 05AE83B2
LdrpInitializeDllPath, xrefs: 05AE80AD
minkernel\ntdll\ldrapi.c, xrefs: 05AE8086, 05AE83BC
DLL search path passed in externally: %ws, xrefs: 05AE80A6
minkernel\ntdll\ldrfind.c, xrefs: 05AE82E1

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 015e2fc60b5346663682f1971ffb06b601d14499e1abe69575528e547089ab4d
Instruction ID: 9a2621b2e9805dcabe31a32b16a490a3dcdeca7d37734207e914a877efadc9dd
Opcode Fuzzy Hash: 015e2fc60b5346663682f1971ffb06b601d14499e1abe69575528e547089ab4d
Instruction Fuzzy Hash: F712F3716083659FDB28DF18C984FBAB7E5BF84704F04491EF9958B290EB34D944CBA2

Function 05B30CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON

Download Yara Rule

Strings

dedicated (%04Ix) free list element %p is marked busy, xrefs: 05B30ED1
HEAP: , xrefs: 05B30E61, 05B30EC2, 05B30FD5, 05B3105E, 05B31124, 05B31178
Non-Dedicated free list element %p is out of order, xrefs: 05B30E6D
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 05B31192
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 05B3106F
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 05B30FE4
HEAP[%wZ]: , xrefs: 05B30E54, 05B30EB5, 05B30FC8, 05B31051, 05B31117, 05B3116B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 05B3113D

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 7dcb41a8b850cf632512e4e9ed386a39eda1815bf806cc2bf4845687329cd465
Instruction ID: 13085df2e34bd795235b37901b745389f51d7bf7e566ec53ce583b8da728cde1
Opcode Fuzzy Hash: 7dcb41a8b850cf632512e4e9ed386a39eda1815bf806cc2bf4845687329cd465
Instruction Fuzzy Hash: D3F1F331A04699EFCB25DF68C84AFBAB7F5FF09714F048099E886AB251D730B945CB50

Function 05B30274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 05B306EA
Just reallocated block at %p to %Ix bytes, xrefs: 05B305F1
RtlReAllocateHeap, xrefs: 05B302BF, 05B30362
About to reallocate block at %p to %Ix bytes, xrefs: 05B303BA
HEAP: , xrefs: 05B303A6, 05B304B5, 05B305DD, 05B30682, 05B306D9
HEAP[%wZ]: , xrefs: 05B30399, 05B304A8, 05B305D0, 05B30675, 05B306CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 05B304D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 05B3069F

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 6ac58fe57868d22a023989376b5f68def3d1a182431233446a7bca9b555be755
Instruction ID: 825ae75ae23585da2e9b81bed5d282b747ebdafb38a4c18bf8ee44ff74d59cd0
Opcode Fuzzy Hash: 6ac58fe57868d22a023989376b5f68def3d1a182431233446a7bca9b555be755
Instruction Fuzzy Hash: F8D1D13161468DEFCB11EF68C84AEAEBBF2FF49710F098099E446AB251D734B940CB50

Function 05A8ADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON

Download Yara Rule

Strings

MUI, xrefs: 05A8B410
LdrpResSearchResourceMappedFile Exit, xrefs: 05A8AECC
LdrpResSearchResourceMappedFile Enter, xrefs: 05A8AEB8
J, xrefs: 05A8AEAE
MZER, xrefs: 05AE36A8
#, xrefs: 05AE363D
H, xrefs: 05A8AEC2

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
API String ID: 0-664215390
Opcode ID: 5c945bb8a0273957c3b9c4d60c76b55f475f7721797b215b14b47b374fd74b70
Instruction ID: dd71accfe23fa6878b88cc2f55ccf74cd00dcb23d40a1942fe4d5c21ec7952d4
Opcode Fuzzy Hash: 5c945bb8a0273957c3b9c4d60c76b55f475f7721797b215b14b47b374fd74b70
Instruction Fuzzy Hash: 20329071A0426D8BDF22DB14C898FFEB7B6BF45340F1441EAE859AB250D731AE818F50

Function 05AB2F98 Relevance: 9.1, Strings: 7, Instructions: 307COMMON

Download Yara Rule

Strings

SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 05AF28B2
SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 05AF29B1
SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 05AF2856
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 05AF2881
RtlpProbeAssemblyStorageRootForAssembly, xrefs: 05AF29AC
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 05AF292E
@, xrefs: 05AB3180

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
API String ID: 0-541586583
Opcode ID: 0593721d771d74dee429d3aaab58f5ef663461413169c9a6aaae9c19f617f8cd
Instruction ID: 8a4b5bdd500b8844270b07fccef9775ff50bb42b7dfc20c51e22b864425d4e6a
Opcode Fuzzy Hash: 0593721d771d74dee429d3aaab58f5ef663461413169c9a6aaae9c19f617f8cd
Instruction Fuzzy Hash: 63C1A075A402299BEF209F55DC88FBAB7B9FF54710F0040EAE949A7250E7749E80CF91

Function 05B04DD7 Relevance: 8.8, Strings: 7, Instructions: 86COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 05B04E06
***Exception thrown within loader***, xrefs: 05B04E27
Execute '.cxr %p' to dump context, xrefs: 05B04EB1
Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 05B04E38
LdrpGenericExceptionFilter, xrefs: 05B04DFC
LdrpProtectedCopyMemory, xrefs: 05B04DF4
Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 05B04DF5

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
API String ID: 0-2973941816
Opcode ID: 5d1ee297bffa5b7d340fdb7a113efa756fcced4b0eb67530b1fa07a7e3fb41df
Instruction ID: 722b058bd1e3098fe1981e32ef76837caaeb6e0e829d95fb34d1fa310e59dae4
Opcode Fuzzy Hash: 5d1ee297bffa5b7d340fdb7a113efa756fcced4b0eb67530b1fa07a7e3fb41df
Instruction Fuzzy Hash: 15218777284108BBDF2CAA6C9D49E367FADFB82960F1415C5F222AB5D0C960FE11D261

Function 05AB63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 05AF413A
minkernel\ntdll\ldrinit.c, xrefs: 05AF40E9, 05AF414B, 05AF420F, 05AF4269
_LdrpInitialize, xrefs: 05AF40DF, 05AF4141, 05AF4205, 05AF425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 05AF40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 05AF41FE
Delaying execution failed with status 0x%08lx, xrefs: 05AF4258

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 0fa5695e72be9849014f79dc33de45ab60aff8aa47cda825669105d550fb094c
Instruction ID: dcccb76f9cb9d54f3ead9f3796328d28b12652a5f654b1b765b3fd5af7aeb034
Opcode Fuzzy Hash: 0fa5695e72be9849014f79dc33de45ab60aff8aa47cda825669105d550fb094c
Instruction Fuzzy Hash: 06911830B017189BEB25DF54DA49FAE7BB9BF44724F040169FA126B2C1DBB4A801D7D2

Function 05AB2CF0 Relevance: 7.7, Strings: 6, Instructions: 218COMMON

Download Yara Rule

Strings

\WinSxS\, xrefs: 05AB2E23
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 05AF276F
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 05AF2706
SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 05AF279C
@, xrefs: 05AB2E4D
.Local\, xrefs: 05AB2D91

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
API String ID: 0-3926108909
Opcode ID: ff2f98fd68a350d0b8dc027b378c27214235f7dc01652bd6b172e53744b2e77f
Instruction ID: d57878a79de03546de3419bca5aa2bd2e49a659296d793d68d8b1ea15aa7f7ba
Opcode Fuzzy Hash: ff2f98fd68a350d0b8dc027b378c27214235f7dc01652bd6b172e53744b2e77f
Instruction Fuzzy Hash: 4581BD756083019FEB11CF54C894FABBBE9FF89700F04895EF8958B242D6B1D544CBA2

Function 05A7645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 05AD99ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05AD9A2A
apphelp.dll, xrefs: 05A76496
minkernel\ntdll\ldrinit.c, xrefs: 05AD9A11, 05AD9A3A
LdrpInitShimEngine, xrefs: 05AD99F4, 05AD9A07, 05AD9A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 05AD9A01

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: c44fc69af6aa74ea89dea0079acaa09993a6cf9bf1cc4e9c85f015615eec7aba
Instruction ID: a5c4f80c32b9e1ac7181702b043ef04076e468557f40f0bd3830ceda5f922c54
Opcode Fuzzy Hash: c44fc69af6aa74ea89dea0079acaa09993a6cf9bf1cc4e9c85f015615eec7aba
Instruction Fuzzy Hash: 7851C371318708AFD721EF24DD45FABBBE9FF84644F000919F5969B1A0DA30E905DBA2

Function 05ABC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 05AF8170
LdrpInitializeImportRedirection, xrefs: 05AF8177, 05AF81EB
minkernel\ntdll\ldrinit.c, xrefs: 05ABC6C3
LdrpInitializeProcess, xrefs: 05ABC6C4
minkernel\ntdll\ldrredirect.c, xrefs: 05AF8181, 05AF81F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 05AF81E5

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 43f01c86ea03499c126fcf878eea4648ed8ea1d0319c1da56c1a79aaa09cdf15
Instruction ID: b852f6d73f4fa8bc17d396b39b4b46aba28492cdf681c50060f9f12d4ba336a7
Opcode Fuzzy Hash: 43f01c86ea03499c126fcf878eea4648ed8ea1d0319c1da56c1a79aaa09cdf15
Instruction Fuzzy Hash: FB31D571744706AFD210EB68D95AE1A7BD9FF84B20F040958F9416B291EB70EC04C7A2

Function 05AB2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 05AF21BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05AF2178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 05AF219F
SXS: %s() passed the empty activation context, xrefs: 05AF2165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05AF2180
RtlGetAssemblyStorageRoot, xrefs: 05AF2160, 05AF219A, 05AF21BA

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: a332b5426a9450e6ce20c28837923027a5affed360a83821c36af17549c93c61
Instruction ID: efe8a2b22b4a88b753fbebbbb1cca5593da0a0a1651374b03c7d2fccbe8f4cf8
Opcode Fuzzy Hash: a332b5426a9450e6ce20c28837923027a5affed360a83821c36af17549c93c61
Instruction Fuzzy Hash: 2F31353AB4021477F721CA958C45FAE7BBDFF95A44F05005ABA05B7141D2B0AE41C7E8

Function 05AC096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 05AC2DF0: LdrInitializeThunk.NTDLL ref: 05AC2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05AC0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05AC0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05AC0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05AC0D74

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 6bcfc49214c26817d4eede4e392886979453b1da0af7b88deae0d4978847bd6f
Instruction ID: 24ebedf31e3b24ca047ed0490ed0bf00b4b7ed91df756277ab979ac92df932c3
Opcode Fuzzy Hash: 6bcfc49214c26817d4eede4e392886979453b1da0af7b88deae0d4978847bd6f
Instruction Fuzzy Hash: D2425A75A00715DFDB21CF68C984FAABBF5BF04300F1445ADE999AB241E770AA85CF60

Function 05B04F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

.DLL, xrefs: 05B050C7, 05B0519C
\, xrefs: 05B04F66
/, xrefs: 05B04F6D
.Local, xrefs: 05B05170
\microsoft.system.package.metadata\Application, xrefs: 05B05158

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 79dcb97c253104db96b29069fe6663ddb0c2be7406e749868a732636969aae40
Instruction ID: f239a690f018374dff203c7023b7ef207cf572a7f181f57048bc3dfa774b43bf
Opcode Fuzzy Hash: 79dcb97c253104db96b29069fe6663ddb0c2be7406e749868a732636969aae40
Instruction Fuzzy Hash: EA919072E006199BCB21CF58C881ABEBBB5FF48310F5951A9E815EB3D0E775E941CB90

Function 05A8A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 05A8A3EF
6, xrefs: 05A8A3F7
8, xrefs: 05A8A3E7
LdrResFallbackLangList Exit, xrefs: 05A8A3FF

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: d213333d6c3616c9323490e691c38ebec9699a4199a07c9fc41bf4d6801776bc
Instruction ID: 279946241c4c52ba76f6544dd644e5bf1c41b748059c19a4b63ec0a067aa80bc
Opcode Fuzzy Hash: d213333d6c3616c9323490e691c38ebec9699a4199a07c9fc41bf4d6801776bc
Instruction Fuzzy Hash: 53C168742083828FCB15EF18C144F7AB7F5BF84724F00486AF9969B250E738DA49CB66

Function 05AB8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 05AB855E
minkernel\ntdll\ldrinit.c, xrefs: 05AB8421
LdrpInitializeProcess, xrefs: 05AB8422
@, xrefs: 05AB8591

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 5cd99c7f29cec514971de22c88b3cd70fe8e99036c2f2cfb4b6a717173101faf
Instruction ID: 638bdf40349f31224b82c8af18a0ceb434aac834ef3a0dfed6f76c032940a834
Opcode Fuzzy Hash: 5cd99c7f29cec514971de22c88b3cd70fe8e99036c2f2cfb4b6a717173101faf
Instruction Fuzzy Hash: E091AD71608345AFE721EF64CD54FABBAECBF88650F40092EFA8492051E774DA44CB92

Function 05A90C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 05AE54ED
HEAP: , xrefs: 05AE54E0, 05AE55A1
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 05AE55AE
HEAP[%wZ]: , xrefs: 05AE54D1, 05AE5592

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 2f727155d794a0cdb5c06dcb29e370eef51ea128c8ff1577a82df80823f9f455
Instruction ID: 8e7a267ee8520faff53df03e83fd8bd32c3c2046e1e72f97c82c6898b8ba05eb
Opcode Fuzzy Hash: 2f727155d794a0cdb5c06dcb29e370eef51ea128c8ff1577a82df80823f9f455
Instruction Fuzzy Hash: 7BA1F474A046299FDF28DF28C888F7ABBF2BF45344F148569D4A68B641D734F845CBA0

Function 05AB273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 05AF21D9, 05AF22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 05AF22B6
.Local, xrefs: 05AB28D8
SXS: %s() passed the empty activation context, xrefs: 05AF21DE

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: c7cb2c99aa218112b8858b5792d3dd6dffaacae4ae7554d2d5b32d0dab3d496c
Instruction ID: 029edc01bf0e096db3da6149b1c733366162b1fff68ab1139f804bea9d722110
Opcode Fuzzy Hash: c7cb2c99aa218112b8858b5792d3dd6dffaacae4ae7554d2d5b32d0dab3d496c
Instruction Fuzzy Hash: 75A1A039A042299BDB24CFA4CC88FE9B3B5BF58314F1501EAE919A7251D7709E81CFD0

Function 05A864AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 05AE10AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 05AE106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05AE0FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05AE1028

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 1a0f3e7d1711592352e2d2ca5c511d73ce82bfaf4347f54dff5c2b4131180692
Instruction ID: 655d16ae910c8defc5617dbc15e8c2e51e61364199158731cae80d05ef29f8f9
Opcode Fuzzy Hash: 1a0f3e7d1711592352e2d2ca5c511d73ce82bfaf4347f54dff5c2b4131180692
Instruction Fuzzy Hash: 2271AFB1A04305AFDB20EF14C988FA77FA9BF54764F400468F9598B246D774D588CBD2

Function 05AB4D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 05AF3640, 05AF366C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 05AF362F
Querying the active activation context failed with status 0x%08lx, xrefs: 05AF365C
LdrpFindDllActivationContext, xrefs: 05AF3636, 05AF3662

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 5fbdebec4047a36669c104227b00426bf00998aa0543549a6d523c7b57dd32b8
Instruction ID: 1a71337b0e8fd60b3f9788a8367daea259c7a9dad353599dd453cc4be35b37a9
Opcode Fuzzy Hash: 5fbdebec4047a36669c104227b00426bf00998aa0543549a6d523c7b57dd32b8
Instruction Fuzzy Hash: AB312832A14215AFFF31EB48C849FB667BFBB09650F064026E52557153EBE0AC8087F1

Function 05AA245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 05AA2462
LdrpDynamicShimModule, xrefs: 05AEA998
minkernel\ntdll\ldrinit.c, xrefs: 05AEA9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 05AEA992

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: dbe1e83627ad58d876343e5360261342128b53f426746c1d79d69f82702aec50
Instruction ID: 8bfa719f08ea7fa4473e75bc6b60887eb541570fe0840dc2c6daade43c0cbe66
Opcode Fuzzy Hash: dbe1e83627ad58d876343e5360261342128b53f426746c1d79d69f82702aec50
Instruction Fuzzy Hash: E231F676610205ABDB20EF68994AEBE7BB5FF84700F164459F92167250CB706941D780

Function 05A90770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 05AE50BD
(UCRBlock->Size >= *Size), xrefs: 05AE50CA
HEAP[%wZ]: , xrefs: 05AE50AE

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: f7556f217284d4fc38e2fff589e0aa7ae2d30f3ab1f6d396050919c21b0b2673
Instruction ID: 71d5af676ac713f67f00935520d7843132ea5b21f1f5510314aae0bf18d6944b
Opcode Fuzzy Hash: f7556f217284d4fc38e2fff589e0aa7ae2d30f3ab1f6d396050919c21b0b2673
Instruction Fuzzy Hash: 6AF18B34B00616DFDB19CF68D898F6AB7F6FF48344F1481A9E4269B391D734A981CB90

Function 05A7A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 05A7A1C1
FilterFullPath, xrefs: 05ADC2E6
\??\, xrefs: 05ADC1E4

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 4c6703e2b75775427b6567a982991eb963a93b9b98f9f1343b64b1e2659341fc
Instruction ID: c8abcd117b657341d43e2d82336a7717a86b28d6747f81944397ce6d1e58ce0c
Opcode Fuzzy Hash: 4c6703e2b75775427b6567a982991eb963a93b9b98f9f1343b64b1e2659341fc
Instruction Fuzzy Hash: 89A16C759116299BDB21EF64CC98FAAF7B8FF44710F1001E9E90AA7250D7359E84CF90

Function 05A7CCC8 Relevance: 3.9, Strings: 3, Instructions: 164COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 05A7CD34
@, xrefs: 05A7CD63
InstallLanguageFallback, xrefs: 05A7CD7F

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 9d7901d0bb28aa891d1e217a55ebe0694c01d8c8ce2d39f30846972fc194d860
Instruction ID: d1dfe74360735340fdeea1ebca77194f7cbcb918485f58fcf731bfd14321cf7a
Opcode Fuzzy Hash: 9d7901d0bb28aa891d1e217a55ebe0694c01d8c8ce2d39f30846972fc194d860
Instruction Fuzzy Hash: 1C51D6B65083459BC710EF64C958FBBB7E9BF88714F04096EF996D7240E734DA048762

Function 05ABC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 05AF82E8
Failed to reallocate the system dirs string !, xrefs: 05AF82D7
LdrpInitializePerUserWindowsDirectory, xrefs: 05AF82DE

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: c9ce462145c380a35ca9d6a0f1409324e7940deab26fb6bd63a5325ed41d103d
Instruction ID: 9639c7b2469ea2c3480b355c3f46f3bc048a985ee70d1192ba9c192fa2d93078
Opcode Fuzzy Hash: c9ce462145c380a35ca9d6a0f1409324e7940deab26fb6bd63a5325ed41d103d
Instruction Fuzzy Hash: C041F371654315EBD720EB64DD49F9B7BE8FF48660F00492AB958D3291EB74E800CB91

Function 05B3C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 05B3C212
@, xrefs: 05B3C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 05B3C1C5

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: f5c28bba9093af3b921f3b80c2a1b78676e46d87d056d343bb84eae716912046
Instruction ID: cda076d8615df7b33bf4ac8890cf18f27e98d98eadaab5428055aaccadaa9899
Opcode Fuzzy Hash: f5c28bba9093af3b921f3b80c2a1b78676e46d87d056d343bb84eae716912046
Instruction Fuzzy Hash: 30415072E00219ABDF11DAD4CD46FEEBBB9FF14700F1440AAE905B7240DB74AE448B90

Function 05B04755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 05B0488F
minkernel\ntdll\ldrredirect.c, xrefs: 05B04899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05B04888

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: c0b870e7364e08aa6aab88e0b5cffa034f56bead5d40dbcd20cdf6518419a72e
Instruction ID: dd771d34ec90c125d24a81b8e9a6802e6fa09435590e44aa13e4737315e84777
Opcode Fuzzy Hash: c0b870e7364e08aa6aab88e0b5cffa034f56bead5d40dbcd20cdf6518419a72e
Instruction Fuzzy Hash: 8E419F32A157509FCF21DE689940E367FE5FB89650B0519D9EE4997291D730F800CB91

Function 05B14144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 05B14225
LdrpResValidateFilePath Exit, xrefs: 05B14172
LdrpResValidateFilePath Enter, xrefs: 05B14160

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 7c5eebcf9372c7b1d29bc2087807d67c0936f342cdf7108c84a881156a88be69
Instruction ID: c0634bf15e7781a664a64109da6cd463756657c2aeeb5ba2a333329dbd2eda70
Opcode Fuzzy Hash: 7c5eebcf9372c7b1d29bc2087807d67c0936f342cdf7108c84a881156a88be69
Instruction Fuzzy Hash: 27411331A14658CBEF65DB94C948BADBBB5FF45340F64089ADC02EF780D734A941CB64

Function 05B020DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 05B020F3
minkernel\ntdll\ldrinit.c, xrefs: 05B02104
LdrpInitializationFailure, xrefs: 05B020FA

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: d21401406c5d756ac82c9436e1e2b7f5b764d81ab8297664b6fd50325e0ab269
Instruction ID: 36edf0b415c52cbf3370af0377789129228d3b6ddedbac399007be7c95ee3644
Opcode Fuzzy Hash: d21401406c5d756ac82c9436e1e2b7f5b764d81ab8297664b6fd50325e0ab269
Instruction Fuzzy Hash: 76F0C235650208BBDB24EA48DD4BFA97FADFB40B54F5404A9FA407B2C1D6B0B904DA91

Function 05A903E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05AE4D8A

Strings

#%u, xrefs: 05AE4D82

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 0b9f8edafb4ed315ba3fc143908d354819e4da17aac1e5766ff503fbba2bf34e
Instruction ID: 73a59e6de7bd811f86ff84802401ac7e2b0ab586ae1e22274f7c232224b8beeb
Opcode Fuzzy Hash: 0b9f8edafb4ed315ba3fc143908d354819e4da17aac1e5766ff503fbba2bf34e
Instruction Fuzzy Hash: A8714871A0025A9FDF05DFA8C998FAEBBF8BF48744F144465E905E7251EA34ED01CBA0

Function 05B0CEA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 05B0CFBD

Strings

@, xrefs: 05B0CF0A

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @
API String ID: 4062629308-2766056989
Opcode ID: 17aecf05286830a7abb83ac33d80d80fc89af2ecf46685c12af54eb53f05616a
Instruction ID: 3bb4b2e1c57ef55c76c733e534b93860e9188281c2c024ff448d5b8ffa31b8d8
Opcode Fuzzy Hash: 17aecf05286830a7abb83ac33d80d80fc89af2ecf46685c12af54eb53f05616a
Instruction Fuzzy Hash: 6341B171A00628DFCB25DF94C954E6EBFF8FF44700F0045AAE915DB2A4E734A805DB61

Function 05B4A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 05B4A551
`, xrefs: 05B4A44B

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 8132d9f24fee14546c89bc75fe4ea88a6d755b5546d089c4130fe4e795cf4542
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 21C1CE312483429BEB34CF28C945B6BBBE6FF84318F084A6DF5968A290D774E505DF81

Function 05B22F60 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!, xrefs: 05B23011
, xrefs: 05B232B8

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: $*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!
API String ID: 0-4088147954
Opcode ID: 13b15ebb5d47afa4ecd2f0b783bd7d7a473a1bc04465b580a06fde25c16897a2
Instruction ID: 9276aa64c2f7ab4cef840b01aabf7c306039122eaa2a2e9c4b3aef4c0dec11ca
Opcode Fuzzy Hash: 13b15ebb5d47afa4ecd2f0b783bd7d7a473a1bc04465b580a06fde25c16897a2
Instruction Fuzzy Hash: 5DC1AC316083619BDB20CF15C484B2BB7E6FF88714F144D9DF9899B240EB78E945CBA2

Function 05AFE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 05AFE75A
UEFI, xrefs: 05AFE751

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 1155c5e3f35986b0a7bd913c2ef858fe9d935904a2bf0f24cae53bb3fedbc229
Instruction ID: c0b5f55391aeb90c711b9504f942262736ec41b4bb50d573d1965ddc29006b63
Opcode Fuzzy Hash: 1155c5e3f35986b0a7bd913c2ef858fe9d935904a2bf0f24cae53bb3fedbc229
Instruction Fuzzy Hash: C1613871E042189FDB65EFA8D984FAEBBB9FB48700F14406DE659EB261D731A900CB50

Function 05A8AC50 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

LdrpResGetMappingSize Exit, xrefs: 05A8AC7C
LdrpResGetMappingSize Enter, xrefs: 05A8AC6A

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
API String ID: 0-1497657909
Opcode ID: 8039debcfedaa82d9ea935ca4d264228e74592d339594a3b7f32ef14f96c9bcc
Instruction ID: 5d8cbf0f6d916458f0564169b50c050cb78483acba2eb321548de738e3418083
Opcode Fuzzy Hash: 8039debcfedaa82d9ea935ca4d264228e74592d339594a3b7f32ef14f96c9bcc
Instruction Fuzzy Hash: D9619F71A056459BDF11EFA8C840FBDB7B6BF54721F04496BE812EB290D774E940C760

Function 05B243D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 05B24525
@, xrefs: 05B24437

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: aa0f6312de73745832163a46360cacec7f7349f4e1ad7bd7a11cf56fab3916af
Instruction ID: 8d83af6d771a77aebaedcb578da1719b4642f2645b0d7890d8ffe9a00b303ef7
Opcode Fuzzy Hash: aa0f6312de73745832163a46360cacec7f7349f4e1ad7bd7a11cf56fab3916af
Instruction Fuzzy Hash: 22514971E0062DAEDF11DFA5CD84EEEBBB8FF08754F100569E555A7280DA70AD05CBA0

Function 05AB4C59 Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 05AB4C96
0, xrefs: 05AB4CC3

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 13ef1ce6a61c58d8eb7fe3dd0b5c2e710e7e6011ddab51309afdfeeab7c86f12
Instruction ID: 7e73772b87f4f614cc45773ade11c0a22fea723ccc9a60ec255ad1ae38843f96
Opcode Fuzzy Hash: 13ef1ce6a61c58d8eb7fe3dd0b5c2e710e7e6011ddab51309afdfeeab7c86f12
Instruction Fuzzy Hash: AA519FB1E002188FDF25CF99C584EB9FBFAFF48714F14842AD1599B252EBB09945CB90

Function 05A804E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 05A8063D
kLsE, xrefs: 05A80540

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 7ee3e649cf2c6e88b7340053b12a27e6cde011773f44a5c6b9f34a98264f74e1
Instruction ID: cda7ce651dec9e82e2817d9c72b18b57f04da8f34fac408fc5c1cc2ab1ef3793
Opcode Fuzzy Hash: 7ee3e649cf2c6e88b7340053b12a27e6cde011773f44a5c6b9f34a98264f74e1
Instruction Fuzzy Hash: 5D517D716047469FC728EF65C548FB7B7E5BF84304F04883EE9AA87240E774A549CBA1

Function 05AB2E9C Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 05AF280C
RtlpInsertAssemblyStorageMapEntry, xrefs: 05AF2807

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
API String ID: 0-2104531740
Opcode ID: ea050616765842c28a199d302c1e191be96c367fad8c8833ae8179aec6ce6638
Instruction ID: 708c42849b1ccbef9b6eaeee87bd704b53cc21812bc5c35ce603f094b852e80d
Opcode Fuzzy Hash: ea050616765842c28a199d302c1e191be96c367fad8c8833ae8179aec6ce6638
Instruction Fuzzy Hash: 2141DF3A604611EBDB24CF95C840FAAB7BAFF94B10F20802EF9559B640D770AC41CB90

Function 05A8A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 05A8A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 05A8A309

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: a947b23cc815f88d6776d100e3682811cecc37def16a29490a66bcccd645a48a
Instruction ID: b68195b5c91a1ba026f8940bfdbd9d7f40a1e2ab043197893e8c5935919c5ce2
Opcode Fuzzy Hash: a947b23cc815f88d6776d100e3682811cecc37def16a29490a66bcccd645a48a
Instruction Fuzzy Hash: 9941BE38A04659DBDB21EF59C844F7E77B9FF84720F1480A6E825DB691E335D900CB50

Function 05AC0FF6 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control, xrefs: 05AC1025
@, xrefs: 05AC1050

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @$\Registry\Machine\System\CurrentControlSet\Control
API String ID: 0-2976085014
Opcode ID: d5bbf6c8218a17fa82e54be899b87a8d057484a53c141e508c33b5f1b89fc7fa
Instruction ID: b58ebf9f2af7b1007d9f7dbcf54f9b1a728cfcf52173319d10aa1aa47b195400
Opcode Fuzzy Hash: d5bbf6c8218a17fa82e54be899b87a8d057484a53c141e508c33b5f1b89fc7fa
Instruction Fuzzy Hash: EE31A072A00598AFDB22EBA5CD88F9FBFB9EF84750F000469F500A7250DB759D01CBA0

Function 05ABA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 05ABA5E9
Cleanup Group, xrefs: 05ABA5E4

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 855739ea192845bdb319ec986d79b703a734596fad716a3a52ee64083f00831a
Instruction ID: 51c8a64ada5d4c78511523f4e4323cb81db38be74f6cebed239eda7ce5a4e0e0
Opcode Fuzzy Hash: 855739ea192845bdb319ec986d79b703a734596fad716a3a52ee64083f00831a
Instruction Fuzzy Hash: 4E01D1B2654704AFE311DF14CE4AF967BE8E754725F008939B548C7191EB74E904CB8A

Function 05A8C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 05A8C8C3, 05A8CA40

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: e7d97463083547eb11d865ec8f96dfebab1c93b1cdcad00cf5a57b2a5bc5f5f4
Instruction ID: 19b40cd88581003f15613884971d3066eddcddb9f25ca815283bceed8211e4fa
Opcode Fuzzy Hash: e7d97463083547eb11d865ec8f96dfebab1c93b1cdcad00cf5a57b2a5bc5f5f4
Instruction Fuzzy Hash: 14822A75E042189BDB24EFA9C994FBDB7B2BF48710F148169D86AAB390D7309D41CF60

Function 05A82FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

PATH, xrefs: 05A830D6, 05A83124

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: b71b37d585769b64cb2bacafa5a004cf58e2bf4a9be0e4ab03111e446a884191
Instruction ID: 0b8a96f5f7d51aa26e4c72cacf5c9ad6f7f83ede1f900f31fe25c1baf90cdb3a
Opcode Fuzzy Hash: b71b37d585769b64cb2bacafa5a004cf58e2bf4a9be0e4ab03111e446a884191
Instruction Fuzzy Hash: D4F19C71E106199BCF25EF98DD81EBEBBF1FF48B00F54442AE851AB250DB34A941CB60

Function 05B1CC20 Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

w, xrefs: 05B1D038

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 6502eb7b6a4d63c433415df7497047e55d0f38fa269ddf358aba315385e55ec9
Instruction ID: 194b91e9e2d516683c8141d44da19a9730d3515c91eb1ac547ea9a1f0845ad85
Opcode Fuzzy Hash: 6502eb7b6a4d63c433415df7497047e55d0f38fa269ddf358aba315385e55ec9
Instruction Fuzzy Hash: 1BD1B031A44215EBDB64CF64C442ABEBBB2FF44700F948499EC999B241E335FD92C798

Function 05B24C34 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

@, xrefs: 05B24CF4

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
Instruction ID: 445c893cb1be691b8fb7050b74bedf519b6cf92ea6ae6844563aa21b9d8dd7fc
Opcode Fuzzy Hash: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
Instruction Fuzzy Hash: 3FA19FB1E04229AFDF15DF98C980EBEBBB9FF48740F144469E909A7650E770AD00CB60

Function 05B06420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 05B065C1

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9551c16cbe2d7ba0c059e6c5b9191c81945de61120c231d7e3e396f2a1c214b3
Instruction ID: 5010b2937ce1ae6ac6c4ead8effb4f3bf047c5c8955e740355849cd2db288512
Opcode Fuzzy Hash: 9551c16cbe2d7ba0c059e6c5b9191c81945de61120c231d7e3e396f2a1c214b3
Instruction Fuzzy Hash: 92914C72A40219AFDB21DF94CD85FAEBBB9EF08B50F100065F601AB190DB75ED14CBA4

Function 05B2E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 05B2E1FA

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4d13c56401b5511c6a2f5ba67cd411d1bf0478fe3fb4b742a9ccc3ae7d1f10be
Instruction ID: 82672eb212402553eaa53fc227ea0f869249032a774b69ae31ff78e0c67e6777
Opcode Fuzzy Hash: 4d13c56401b5511c6a2f5ba67cd411d1bf0478fe3fb4b742a9ccc3ae7d1f10be
Instruction Fuzzy Hash: DA918F31A40519AADF26DBA6DD44FBEBB7EEF45740F100069F509A7250DB74E901CBA0

Function 05ABA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 05AF67C9

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: b45b37e7fbdd3edab48ae5727d2a17b1e8579c4164b6b013fec9f07da2e18371
Instruction ID: 81a58546211793cfa7c07c916e34738299c0f8e3877c6b804a645620fa5c944a
Opcode Fuzzy Hash: b45b37e7fbdd3edab48ae5727d2a17b1e8579c4164b6b013fec9f07da2e18371
Instruction Fuzzy Hash: 99716C75E0421A9FDF28CF98D591EEDBBB2BF48700F14812EF916A7240DB759941CBA0

Function 05A9E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 05A9E6A4

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 3e63f04bb1b61ea7b8658613f28616bc2c1c7c36ab0c33b3e0b162a1740643a2
Instruction ID: f4adcf77c87d47ceffe979ef6d198bf2feac6e3dd53e0b822b60214ff323706f
Opcode Fuzzy Hash: 3e63f04bb1b61ea7b8658613f28616bc2c1c7c36ab0c33b3e0b162a1740643a2
Instruction Fuzzy Hash: 8941CE76608361ABDB28DB74C984F6BB7ECAF88614F04092DF985D7181E734D908C793

Function 05A7CDEA Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

AlternateCodePage, xrefs: 05A7CDFE

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: AlternateCodePage
API String ID: 0-3889302423
Opcode ID: 4722916860946ae3fb387a74276da1d74763ffc83c888fdd1e13b24b48dcbc4b
Instruction ID: 53bc2448259b766c0c08e06f07badc2e05a51ce02a2111086f1af1f6df5cc35b
Opcode Fuzzy Hash: 4722916860946ae3fb387a74276da1d74763ffc83c888fdd1e13b24b48dcbc4b
Instruction Fuzzy Hash: D641B276E00218ABDF24EB98CD84EFEF7F8FF44260F14415AE522E7250D6749A41CBA0

Function 05AFC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 05AFC77F

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: e266a0b014d3966cefbedd4fa3ed5ec2663c1ee191e4e5aba9ee18c44716a1ab
Instruction ID: b6a3ba3ec4a6ec8fdb869cc7b822dffb4fa53979fc108baaa7256623e28189bf
Opcode Fuzzy Hash: e266a0b014d3966cefbedd4fa3ed5ec2663c1ee191e4e5aba9ee18c44716a1ab
Instruction Fuzzy Hash: 814123B1D0452CAADF219A91DD94FDEBB7CAB44724F0045E5B708AB140DB709E898FA4

Function 05AFCCA0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

TrustedInstaller, xrefs: 05AFCCBB

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: TrustedInstaller
API String ID: 0-565535830
Opcode ID: bd1503d0f10f9008a8c5949e7bec04a0f8a8232f955757a1356d7fd06b566437
Instruction ID: 6f636598761e3a75d1dd79b6217a00d1715944b9fb0f4039a5b950be4f602707
Opcode Fuzzy Hash: bd1503d0f10f9008a8c5949e7bec04a0f8a8232f955757a1356d7fd06b566437
Instruction Fuzzy Hash: 2131A132A44619BBDF22ABD4CC55FEEBBBDEB44B50F01006AFA10AB151D7349D41CBA0

Function 05B20F50 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

@, xrefs: 05B20FD3

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
Instruction ID: 79dd6a968e73ad4943d1a834fef2bb793a4a1465edc103da2aa7444251a2ab83
Opcode Fuzzy Hash: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
Instruction Fuzzy Hash: 13317E71118395AFD711DF14C849E9FBBE8FF84750F404A6EB5D482290E7B0E908CBA2

Function 05B1AEB0 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 05B1AF2F

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 58c4bec251160c68e8eda4884e728ff7f2044843aadf530b2ae2d4a123ea9a8a
Instruction ID: 9d71ca0cf6227bf764809a13f7aa153bceee205f4c33724a1ebca7088640ac30
Opcode Fuzzy Hash: 58c4bec251160c68e8eda4884e728ff7f2044843aadf530b2ae2d4a123ea9a8a
Instruction Fuzzy Hash: 1A31E4B2B04A08AFD711DF54CD45F6ABBB5FB44B10F1186A5F905D7680D738B800CB90

Function 05AA8CB1 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 05AA8CE7

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
Instruction ID: ad645819aa1b478bfae73f070e30a4ea26e6fe137cf1e88529df1bc899978c8c
Opcode Fuzzy Hash: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
Instruction Fuzzy Hash: 98212937A00166ABCF22DB54C844F6B7BBEBF51A90F05442AB926DF114D738DD0087B0

Function 05B36FF7 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 05B37027

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 64036c55ec2c451e3222455ec121aafa1844cbd6aeb544b6cb1aba7c2dba30e5
Instruction ID: be55b65dcdcc882b7b81558b0ce400a6e539799100bd4e88436a3a9cb5c09fa4
Opcode Fuzzy Hash: 64036c55ec2c451e3222455ec121aafa1844cbd6aeb544b6cb1aba7c2dba30e5
Instruction Fuzzy Hash: FF1179B6E443489BDB25DFA4C806BEDFBB1EB04714F2041AAD026AB281DB752601CF10

Function 05B22000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644bfd786c581e3e96fe8e6971633be17b65c5013f046e8e781615abefca44b6
Instruction ID: fc83ccff39d55defbdeaf590ab247c331c10b19bcfa5d4571d1c48d1a5b5655a
Opcode Fuzzy Hash: 644bfd786c581e3e96fe8e6971633be17b65c5013f046e8e781615abefca44b6
Instruction Fuzzy Hash: F342C13A6083519BDB25CF64C890A7BF7E6FF88300F14096DF98ACB250D671E945CB62

Function 05B18158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823176504a460d07bc4a85566b9f8f22651bc3307f6702d0ce79c6d58647c9bf
Instruction ID: 8b2b48e29f9cab1754b7cdfca46f4a716872cba656c0fccf8443485f93ea206a
Opcode Fuzzy Hash: 823176504a460d07bc4a85566b9f8f22651bc3307f6702d0ce79c6d58647c9bf
Instruction Fuzzy Hash: 78425C75E002198FDB65CF69C881BADB7F6FF48300F58819AE849EB241DB34A985CF54

Function 05B2A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e918f4f403c7b9e1c671d9cb69f28d1ee909acbc6075b6cf24cdd0a0e14ebde
Instruction ID: 20664ff19c6c1119fe0d1355fda932b3a144d80a0baefb3959283d41de6955d3
Opcode Fuzzy Hash: 0e918f4f403c7b9e1c671d9cb69f28d1ee909acbc6075b6cf24cdd0a0e14ebde
Instruction Fuzzy Hash: 2E22BD702086718BDB25CF29C094772B7E2FF44300F1888DAE89A8B695D7B5F492DB74

Function 05AA8DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3577eb852e4fca28522b754bf6d4ae02418496e6dac48b78b45ec2ceb23d3371
Instruction ID: 723fc606f51e5d8048bd2cc2b2c40d626a67343ca79bc97ea0d1d41601216104
Opcode Fuzzy Hash: 3577eb852e4fca28522b754bf6d4ae02418496e6dac48b78b45ec2ceb23d3371
Instruction Fuzzy Hash: 9F221A71E0421ADBCB15CF95C580DBEFBF6BF48304B15806AE955AB241E738DD82CBA4

Function 05A865D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46798bdaeb32efc00cd32993c28d23768d01ea336a78e42ef9c01e61083bb63
Instruction ID: 71e86e60b11febaca071fd2a2b667e4de880c4996297a2f040912e1d9724fd2d
Opcode Fuzzy Hash: c46798bdaeb32efc00cd32993c28d23768d01ea336a78e42ef9c01e61083bb63
Instruction Fuzzy Hash: 33E17B71608341CFD714DF28C590E7ABBE2BF99304F05896DE9A98B351DB31E905CB92

Function 05A78397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7031d689dddeed6fc2bc764b0720aebf1606fa0048a49ad34ca4473b825764a8
Instruction ID: 625465e6fcf95fb3dd45ccb604c34730e4d208c93a9da859f98478034949ca0b
Opcode Fuzzy Hash: 7031d689dddeed6fc2bc764b0720aebf1606fa0048a49ad34ca4473b825764a8
Instruction Fuzzy Hash: 05D1B171B0020E9BCB14DF64CD98EBEB7B6BF44244F054669E967DB280E738E941CB60

Function 05AAEF28 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b1ab8114643f670ced9ebc112ba8a491941fb90a53ef64eec1c76ccd32afe0
Instruction ID: 3223c32ebb7753e7675cde26a13452283703260445dde982c158fd095e1dd4a4
Opcode Fuzzy Hash: b0b1ab8114643f670ced9ebc112ba8a491941fb90a53ef64eec1c76ccd32afe0
Instruction Fuzzy Hash: 92E1E276E00608DFCB29CFA9C984EADBBF6FF48314F24456AE556A7260D770A841CF10

Function 05B08243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 2b3d7f4d4b5e681706790d4f432a2937612e55df0644e16b8fa161c2074f8b0b
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: BDB14F74B00604AFDF24DB95C944EABBBBAFF88304F1054A9B9429B7D1DA74FA05CB10

Function 05A90535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 3cac46ba95674ea8ba191021506fd07f107a3feef4cd452092a050a562fae962
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: EDB11331B04655EFDF29CB68C858FBEBBF6BF88240F144599E55297281DB30E941CB90

Function 05AA0DE1 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95b0b38e0dc3e7fe5cb3790bd5fd12362fe4c9c1bf87842ea164d1b4e0bc92e
Instruction ID: 8e7cd89422976851163da03a963133e965c6e7e8b4413765af4640b2ad1d68e2
Opcode Fuzzy Hash: f95b0b38e0dc3e7fe5cb3790bd5fd12362fe4c9c1bf87842ea164d1b4e0bc92e
Instruction Fuzzy Hash: 61C16B71E04259DFDF25CFA8C988EAEBBB6FF48304F10412AE415AB255DB71AD45CB80

Function 05A883C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fca6aa0968b653f67f81f46add29f6ee4eead432d29ae5f559542c055d60545
Instruction ID: 9e9be56b3da9917380f5b7124d7f332bcbc0db8b12369c3bd82ff86147b48a18
Opcode Fuzzy Hash: 6fca6aa0968b653f67f81f46add29f6ee4eead432d29ae5f559542c055d60545
Instruction Fuzzy Hash: C1C14675208341CFD764DF18C494FAAB7E5BF88304F44496DE99A97290DB78E908CB92

Function 05A7C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100e54b54850753f82e6974a728edb4c6861bb2cf2260b5621c02429242dd929
Instruction ID: f3a50cec6a0a6d6e03d49bf119bf4b067fd2da50b133db12240389b587dfb08c
Opcode Fuzzy Hash: 100e54b54850753f82e6974a728edb4c6861bb2cf2260b5621c02429242dd929
Instruction Fuzzy Hash: 27B16F70B042698BDB24DF64CD94FA9B3B6FF44710F0485EAD50AEB240EB719D86CB24

Function 05AAE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efda73abec9e48c61dbe7f91383cbde06c0e7be433c4f0f3b3fe9799d6040a78
Instruction ID: d1cc97908adc643aedf172777f5d9c603b506d7e9baed40403de0151787323ad
Opcode Fuzzy Hash: efda73abec9e48c61dbe7f91383cbde06c0e7be433c4f0f3b3fe9799d6040a78
Instruction Fuzzy Hash: 0AA11532E046189FDB22DB58C948FAEBBBAFB44710F150565E921BB2C0D774AD40CB91

Function 05AC0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f94a79f899f99cc20ee0599269eb5c9277dc54ade74ecb3ff8397431f604b9c
Instruction ID: 681b9652d174e53cc3bb4fefe59fb1a7812c63419169a8d702a7fa95e60e5c3d
Opcode Fuzzy Hash: 5f94a79f899f99cc20ee0599269eb5c9277dc54ade74ecb3ff8397431f604b9c
Instruction Fuzzy Hash: 18A17C71B00619DFDB24DBA5C698FBEBBB6FF44314F1040ADEA5697281DB34A811CB50

Function 05B54500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea798c54065c11833d33ed4867c3281d226f96ba32e79471832586fd41be69d
Instruction ID: 3a6c15dc435d8205daeb8b1c5d98ffb4d606eecf7a969dbb51a22e65c03f22fe
Opcode Fuzzy Hash: aea798c54065c11833d33ed4867c3281d226f96ba32e79471832586fd41be69d
Instruction Fuzzy Hash: 2BA1DF72A14611AFCB19DF24C980F6ABBE9FF48714F4009A8F949DB250D734F984CB91

Function 05B060E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0ca5cce023fc9ccdfb2abef8c4fbd91e3cde84622a03616f4136e4defb0b6f
Instruction ID: d55638cddd6a45d92bbc4bb09b7fd3e990b50f3c7a3f3cdb67a5e4a17f3619f8
Opcode Fuzzy Hash: 6b0ca5cce023fc9ccdfb2abef8c4fbd91e3cde84622a03616f4136e4defb0b6f
Instruction Fuzzy Hash: 9291A171E04215AFDF15CFA8D885BBEBFB5EF48710F1551A9E511EB280D734E9108BA0

Function 05A9E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cd1f12f58995d27598799fd45b59a44a35971650382f754c3d795db2d05180
Instruction ID: fd3f556c49da100248a2b3fdb8d0a554db60ab82e574d7bd03ae79606eabbb51
Opcode Fuzzy Hash: f6cd1f12f58995d27598799fd45b59a44a35971650382f754c3d795db2d05180
Instruction Fuzzy Hash: 40910271A046259FDF28DB28C584FBEB7FAFF84710F058065E9169B292EB34E901C791

Function 05A76D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195e2f82063eedb9e4fdbdbcb5fd24521ac7e25457de8ecaae88d5bc5163f399
Instruction ID: 9be67d5bf2c99c417f68de04f563f20e70a7e027d0b5709a51129870b626ea49
Opcode Fuzzy Hash: 195e2f82063eedb9e4fdbdbcb5fd24521ac7e25457de8ecaae88d5bc5163f399
Instruction Fuzzy Hash: 1B716C75608746AFDB21EF15C984F7BF7E9BB48250F04492AE967D7200E730E9448BB2

Function 05ABE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f501238a496e4fca7d2c3cc661a2f5107d3ce5558225c6ae46d0d6491eab558
Instruction ID: cb68bf241c2e76d8591a4978233dbe5b04e37ab5c42affad3dc7cab9960c593c
Opcode Fuzzy Hash: 1f501238a496e4fca7d2c3cc661a2f5107d3ce5558225c6ae46d0d6491eab558
Instruction Fuzzy Hash: F5816F71A00609AFEB25CFA5C980FEEBBBEFF48350F104529E556A7250D770AC45CBA0

Function 05A9C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a5b0e3c30a6dff655c21769e9b03424e596d05705380aed9019ee7b47a92ae
Instruction ID: afbc8db968932293a5041c05d325d7c236ad9bf57b4bcbd9dec155718e24175f
Opcode Fuzzy Hash: e2a5b0e3c30a6dff655c21769e9b03424e596d05705380aed9019ee7b47a92ae
Instruction Fuzzy Hash: 3271A075D05A6ADBCB29CF59D590BBDBBF2FF48710F14411AE852AB350D7389801CBA0

Function 05B18D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9aef97589f8cd3f803b0f5ffd774d09adf8512cba424ea8de56bb5af0a86127
Instruction ID: 16be606e1af1f039e7dce61901bc6f0113ba3ae7537fda7aa500a4522fa9f290
Opcode Fuzzy Hash: d9aef97589f8cd3f803b0f5ffd774d09adf8512cba424ea8de56bb5af0a86127
Instruction Fuzzy Hash: 8471D271A042569FCB55CF59C840ABABBF2FF45300F448499FC94DB201E335EA45C7A8

Function 05B347A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9e464b7a96ff99028a36fb1a3163979e58ad6b84f795239894bac092f7764c
Instruction ID: b0bbe54020a2f16ef828e6135673d7b05682808ae6a654b3770ed710c32609ab
Opcode Fuzzy Hash: bb9e464b7a96ff99028a36fb1a3163979e58ad6b84f795239894bac092f7764c
Instruction Fuzzy Hash: 6C714970A14619EFCF10CFA5DA4BE9ABBF9FB84300B10419AE555AB294DB31AA04CF54

Function 05A9260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b31eec6bcf3a9f8eed9a100e7b8c36a176ac893cd77bf3e31dc885729bfdd3
Instruction ID: 48c3894d24e8c411e940f4ab003c804ec57c1f6c938b9f26aba9a7131bc3a0d2
Opcode Fuzzy Hash: 92b31eec6bcf3a9f8eed9a100e7b8c36a176ac893cd77bf3e31dc885729bfdd3
Instruction Fuzzy Hash: 4171B1797046919FCB19DF28C484F2AB7F6FF84310F0485A9E8A98B751DB34D845CB91

Function 05B0035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: f44480089ca6f88b55d67b23942f8e40bda709fe0b38e92e941fe8f2fe06148b
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 05714071A00619EFCF15DFA5C988FAEBBB9FF48704F104569E505A7290DB34EA05CB90

Function 05B162A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd370b660bd43c203b4d67cd99de741f5ca228a723114dd19332381cd8aa990
Instruction ID: b8dc4bbaa1539b87ca00f0367112771169a33419bff93a589d4bcc7d4934331b
Opcode Fuzzy Hash: 8fd370b660bd43c203b4d67cd99de741f5ca228a723114dd19332381cd8aa990
Instruction Fuzzy Hash: 6E711432240700AFEB36DF18C945F66BBE6FF44720F504898E95687AA0DB75F944CB54

Function 05ABCDB1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3343d4e39be55db51070deb4060471177c16cde6c7df33e0602028719cd2215a
Instruction ID: cd1b9f71b611a5489202a4473b1c5ce1db5ca7295aaaf92008e42f0d9092a558
Opcode Fuzzy Hash: 3343d4e39be55db51070deb4060471177c16cde6c7df33e0602028719cd2215a
Instruction Fuzzy Hash: 3561B171A00206DFDB18EFA8C995FAEB7B5FF08310F114569E621EB291DB759D01CBA0

Function 05B58324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bbb657d825e1b3dc8174eb6f5c959d7e29fb3d9a3b15dda8c91c98f5106706
Instruction ID: 4810419663f7abbf283460955d67ed48d20695c426893ec45af25d6180872864
Opcode Fuzzy Hash: b0bbb657d825e1b3dc8174eb6f5c959d7e29fb3d9a3b15dda8c91c98f5106706
Instruction Fuzzy Hash: C0712B75E00209AFDF1ADF94C945FEEBBB9FF04360F204169FA11A6290D774AA05CB90

Function 05A7CF50 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
Instruction ID: 6d09ef6f143998ab2b5f87f2f0ce53e5743ad3aa751d503bcbbf18090b037ee7
Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
Instruction Fuzzy Hash: 7A715871644B46CBDB31AF24CA44F32BBF2BF41761F540A2DD9E3469E1E325A842CB50

Function 05B3A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2cb3bd7c1d9dbe97e7582bf2185116380c7d8b50b6ff17380e507f2adec15b3
Instruction ID: b88fbf34c31ea6a0e88f842efb105a7e6a55d1ec2e856d8dc6f185920ae1db3e
Opcode Fuzzy Hash: b2cb3bd7c1d9dbe97e7582bf2185116380c7d8b50b6ff17380e507f2adec15b3
Instruction Fuzzy Hash: B651C372608711AFD712DE68C85AE5BB7E9EBC4750F1105A9BA80EB150E730FD04C792

Function 05AAEDD3 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cb1bf0c0e6ed8167c36153f48fb3768cc29c6137ad85a8d4352b525f45424d
Instruction ID: f7a7a13c63982e7c4ff9fb454c5059255edf86d673e498dc2437a1aa4036f296
Opcode Fuzzy Hash: 47cb1bf0c0e6ed8167c36153f48fb3768cc29c6137ad85a8d4352b525f45424d
Instruction Fuzzy Hash: AB516972700744AFDB34EB55C988E6AB7FAFB44219F50492EE10687A52DB74F844CB90

Function 05AACDF0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction ID: 5c77fecaedbe176d8376540a684b279c15136c4a406e05b5cd4c60a521ad3e58
Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction Fuzzy Hash: B5518176E0464ADFDF24CFA8C580EEEB7BAFB88210F158169D915B7200D734AA45CB94

Function 05B48DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b928461679a2ee636fb225522c429ed6c9cf195eff01cdbd126291ee96ca58e2
Instruction ID: 698c9ba8fbf51f793d6a0dca4579ace95191232580043866fa9ac25f2b5637d9
Opcode Fuzzy Hash: b928461679a2ee636fb225522c429ed6c9cf195eff01cdbd126291ee96ca58e2
Instruction Fuzzy Hash: 9E51CF726087029FD721DF28C844BAAB7E6FF84350F04896CF98597291D734E909DF96

Function 05B28350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141fe240daafc87f607a0ec0b79fbdd13eb390eae18fb2ae8bb18192489b7dc7
Instruction ID: deb5621a200ca93bea7042770c6b60782515765efbdebffcfb4d608a54365b5c
Opcode Fuzzy Hash: 141fe240daafc87f607a0ec0b79fbdd13eb390eae18fb2ae8bb18192489b7dc7
Instruction Fuzzy Hash: 8F519E70A007149FDB21DF56C884AABFBF9FF94710F10465EE1AA576A0C7B0B545CBA0

Function 05ABE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97bd1278b1019f628e2d14033de0299b4ba23705a536dc8bbb88b3ef7737bad
Instruction ID: ab379546b97d853a2277d2b13c97ebbe892d588c1cbb24c6d227336b246444ef
Opcode Fuzzy Hash: e97bd1278b1019f628e2d14033de0299b4ba23705a536dc8bbb88b3ef7737bad
Instruction Fuzzy Hash: 81517B71200A14DFDB25EFA4CA84FAAB7FEFF04740F50086AE65687261DB74E944CB91

Function 05AA45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 7b7c39ecd2c2e0bf5f0a84e0e49943412ab8f3e875eff8184e84771bf2ae5b6f
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: D851BE76E0425AABCF16DF94C444FEEBBB5AF49300F04406AE911AB240E7B4DD44CBA0

Function 05B24180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdfebe48ca427506dc6827e6014701da9da1a23a1a908b27937c01cb037f0e3
Instruction ID: 372cdeebbdf08c59c374b10e99202805b06f8e8810df9ae42804ada3aaabc026
Opcode Fuzzy Hash: 1fdfebe48ca427506dc6827e6014701da9da1a23a1a908b27937c01cb037f0e3
Instruction Fuzzy Hash: D45143726083559FCB54DF29C881A6BB7E5FFC8208F44497DF48AC7650EB30E9058BA6

Function 05A7EFD8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2457980eaae2f5228e90d8075747a56c9784235771fbac285306e64ef320a76c
Instruction ID: 6d4891717e0168ad1608eaaade73e7b1be0fa2942a9751f3d488b6fb44a949de
Opcode Fuzzy Hash: 2457980eaae2f5228e90d8075747a56c9784235771fbac285306e64ef320a76c
Instruction Fuzzy Hash: 42515F716083459FC700DF19D944E6BBBE9FF84214F14496DF8A5C7291EB30E905CBA2

Function 05A7AE90 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c72595ad81a0d02ccfb638e53e266cdf6f9f36660e5c61391edbf41915f7f60
Instruction ID: 50b6236e3bcbe0067e3b7967850a5f9bb5c33c09689f1a1ad3f41185dfd793b6
Opcode Fuzzy Hash: 9c72595ad81a0d02ccfb638e53e266cdf6f9f36660e5c61391edbf41915f7f60
Instruction Fuzzy Hash: D151E371A05A59AFCB15EF64CD94FBDFBB2BB44724F14416AE827A3280D330AC40C765

Function 05ABCC00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36d0f4cdd04ea9f20a6a0fcd5866d561b8d2830d67b2d80ae4a5c5a77d4e674
Instruction ID: 9ec56b9c11f88cb15e685be90081a75e6731106470648dacbc1a1f7add8233ff
Opcode Fuzzy Hash: a36d0f4cdd04ea9f20a6a0fcd5866d561b8d2830d67b2d80ae4a5c5a77d4e674
Instruction Fuzzy Hash: 8F51B3303042078BEB24CF24D564FB67ABAFB63265F18856AE91ACA113D7B0DC81C7D1

Function 05ABA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38a44fc47539ce4e4e4c867d6e8bc37e3f23805965692cca164014e1ddc37d3
Instruction ID: 6ca8a52a71705aa742a52221c2611fdff05b284cd6a3dd6d03f92a1b8b258788
Opcode Fuzzy Hash: c38a44fc47539ce4e4e4c867d6e8bc37e3f23805965692cca164014e1ddc37d3
Instruction Fuzzy Hash: 6F41EA71744205ABEB18FF649996FBA7B7AFB44704F01002DFA129B252DBB1AD00C7D0

Function 05AB01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71e393022c174108cbc3c0278358819ecf1667743603d94b64cfac732841aef
Instruction ID: 82c0118ead8505715d8a5e3547545e3d6ec0cb9a537a1e05f252061d52fb1082
Opcode Fuzzy Hash: f71e393022c174108cbc3c0278358819ecf1667743603d94b64cfac732841aef
Instruction Fuzzy Hash: F441DD35A00218DBEF14DF98C448EEEB7B9BF48710F14826AE916F7241D7B4AD45CBA4

Function 05AC2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 1ef9522d70b254583e953f799f98a7a1d37e5286180c81266d2942f750feba59
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 0A513B75A00619DFCB14CF98C580EADF7B2FF84710F2481A9EA69A7750D730AE81CB90

Function 05A86154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bda538af448af92a918775ab2ee85f6755cc9af21d989c041d984dac252e5ae
Instruction ID: a99ab84ecc37b4374439e4bdffd1d94bdb285959f0b18c0b7dcc3f58bc2c016c
Opcode Fuzzy Hash: 4bda538af448af92a918775ab2ee85f6755cc9af21d989c041d984dac252e5ae
Instruction Fuzzy Hash: D851C370E045169BEB25DB24CD48FB8BBB2FF15314F1442E9D529A72D1EB74A981CF80

Function 05A80D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3922f54e941dfa9607337ddccccad264073d5b52eeae7ec4fb7fe6ee79ab51
Instruction ID: cd259093be47d214ca6ea728551b704595c8115b85d53e755e38e9ccc60deab6
Opcode Fuzzy Hash: 3c3922f54e941dfa9607337ddccccad264073d5b52eeae7ec4fb7fe6ee79ab51
Instruction Fuzzy Hash: 7A418171600718AFEB21EF24CD89F7BBBBABB45614F04049AE8569B280D774ED44CB61

Function 05B4866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 39c6f57cd001f8673755e1e4df37c4edaa65050c5882d8b9eb11120ad81a0303
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 5C41B375B00205ABDF25DF99CC95ABFB7BAFF89240F1440A9F805A7341DA70ED019BA0

Function 05AAA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47490d5bc850c440413e0b4a6d92c0a1183d4a4fef068c82689ffc567b3e3ff7
Instruction ID: d02f2ea591730672beac436a4688da1f7426b4d4eb95dd3acd2d72166a748fb2
Opcode Fuzzy Hash: 47490d5bc850c440413e0b4a6d92c0a1183d4a4fef068c82689ffc567b3e3ff7
Instruction Fuzzy Hash: 5641CE32A44619CFCF15DF68C994FAD7BF5FF18311F14059AE426AB290DB34A940CBA4

Function 05A7A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 635f432a3d7587dcc98cd09267ef137289c887bd42ae2a92db45e7417bb5866f
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 73410531A0421DEBDB20EB158844FBEFB72FB44714F16846AA8578B240D631CD41CFB0

Function 05AB0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 4385ed6b85c3caf109cf3075781e4f58d5536d2d1f0fa85278ca7fd50553f724
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 18414875A00605EFEB24CFA8C984EAABBF9FF08700B10496DE156D7251D770EA44CF90

Function 05A8262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04426f98542db7f439d38fcabd58f31f6d65c078dacf50509b451db13183ce7c
Instruction ID: 61881fe58df3721c612e7b19f8cfeaf545f348e52b98c1c00517d15411ec1779
Opcode Fuzzy Hash: 04426f98542db7f439d38fcabd58f31f6d65c078dacf50509b451db13183ce7c
Instruction Fuzzy Hash: 7C415B75A01B04DFCB25FF65CA44F79B7B2FF84310F1482AAD4269B6A0EB30A941CB51

Function 05B007C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddada9878896efd08088544986e91afe5a46ce8d866535ec39a201350468d471
Instruction ID: 835966bc49c8e8c5433962ee8d2e8ab2c0f990123a650b2328505247823cb17e
Opcode Fuzzy Hash: ddada9878896efd08088544986e91afe5a46ce8d866535ec39a201350468d471
Instruction Fuzzy Hash: 8A4183716183049FD760DF24C849FABBBE8FF88654F404A2EF598D7290DB70A904CB92

Function 05B005A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757a149cdb1ce156fd4cad2ba2729a919af3ad7806881855cabaf2866cc43bac
Instruction ID: defdf3ea0b1de168d5e80418d776cbf9f1aa7e920e5e7c69daa204bcdaa2a24c
Opcode Fuzzy Hash: 757a149cdb1ce156fd4cad2ba2729a919af3ad7806881855cabaf2866cc43bac
Instruction Fuzzy Hash: 9441C3726086499FC720EF69C884B7ABBE5FFC8700F444A6DF85597690E730E904C7A6

Function 05A780A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824c69ad8a2399bc4d469bee84e4579505038282cfea9b13ef9a06242dac5192
Instruction ID: bb1ef37403e5895f33b41ce0a1fcbaac15998362961c97196844aae14ce29efd
Opcode Fuzzy Hash: 824c69ad8a2399bc4d469bee84e4579505038282cfea9b13ef9a06242dac5192
Instruction Fuzzy Hash: E2418271A0551AAFCB10DF54CD48EA9B7F2BF44760F258229D826A7690D738ED418BD0

Function 05A78CD0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3750b30c2d6922d02a6f4a6c01b7c6c7b35af11ab6545723078fb90ba63000b1
Instruction ID: 10881087cce7a1465f6356a3c99a3706d4f4400b2a25c75f971a310cf55a581a
Opcode Fuzzy Hash: 3750b30c2d6922d02a6f4a6c01b7c6c7b35af11ab6545723078fb90ba63000b1
Instruction Fuzzy Hash: FD31D772A042099FCB20DF54CD44E6EB7F2FF54724F24456ED466A7291CB39ED018B60

Function 05A86EE0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b732a40360dc91fa69cacfc08e8d221a2b67d55a3a5d25e17e04af522cc735
Instruction ID: 358ef5219af3593cebc17673d37758e120a2bb9d02e1f540fbc221cd235dd650
Opcode Fuzzy Hash: 64b732a40360dc91fa69cacfc08e8d221a2b67d55a3a5d25e17e04af522cc735
Instruction Fuzzy Hash: 87416A35710646EFDB1AEF24C944F6ABBB6FF45740F144055E80287A51DB71EC20CB90

Function 05A902E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 5dd40232cee272ce10296331bfab1cddb21a14b35c37e9da4619b508044a4009
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: E731D231A04254AFDF25DB68CC88FABBFFABF44390F0445A5E865E7251D6749884CBA0

Function 05B2E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7733d2178e6876ad0b8ad3e11da369bf6e1e94251debd8861fda2046301c4af8
Instruction ID: a96e224f1262b84fbe8b66684b9a297ff8acc39a9c4e82d9f42d6334ffee75b0
Opcode Fuzzy Hash: 7733d2178e6876ad0b8ad3e11da369bf6e1e94251debd8861fda2046301c4af8
Instruction Fuzzy Hash: 8131B635B50715ABDB229F558D45F7F7BB9EF48B50F000068F604AB291DBA4ED0187E0

Function 05A84260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6ebc600fce64ae04edd9a19f19f8efad728e253d1f7dc1877798e7cb4aa5b9
Instruction ID: c25566072b1b9629b68e4ffd3258d907da9c1edd602de7cbff7596b945c030b2
Opcode Fuzzy Hash: bb6ebc600fce64ae04edd9a19f19f8efad728e253d1f7dc1877798e7cb4aa5b9
Instruction Fuzzy Hash: CA418D71204B45DFCB26DF28C589FE67BE5BF49314F148429EAAA8B250DB74F804CB90

Function 05B20DF0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
Instruction ID: 34bbd017e0cb0f87d72e947499df6d5f51b37442520eb6f243061a1accfdb053
Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
Instruction Fuzzy Hash: 8831E871509319AFD716FB14C809E6BBBECEF50660F0445ADF85987250E670EC45CBB1

Function 05B461C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17d731a76c488cbf8f4b75532dd1d9de55bfe27f8d7ed48daec8b4d36a33b8f
Instruction ID: c707914c1e102a58d8d82fe43b9e0fa69cb8a4bda37833be70c027b72648bc98
Opcode Fuzzy Hash: e17d731a76c488cbf8f4b75532dd1d9de55bfe27f8d7ed48daec8b4d36a33b8f
Instruction Fuzzy Hash: A431D075A00229BBDB25DF98CD44FAEB7B5FB49B40F4141A8E900AB244D770FD00CBA4

Function 05A807AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3f0814c17832e3bc37443a93654f54d292c7e8e7720d6d99d1c2e236d39b7e
Instruction ID: 66332fd85d4d1d6b746d5e94a2a8fef18a2bdc3669409b9b5755c8c2df85bd3a
Opcode Fuzzy Hash: ab3f0814c17832e3bc37443a93654f54d292c7e8e7720d6d99d1c2e236d39b7e
Instruction Fuzzy Hash: 5731A032B04655DBC712EF24C888E7BBFAABF84660F014529FC669B210DA30DC5987E1

Function 05B460B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55643d00efb1f4d719d880ff8490dccf2f300bccaa634a79966366249db56ca
Instruction ID: d6c48da1d33c3b885feb8d2626d18d28e1bd22c61d22b98d30bb7b5d9588abc2
Opcode Fuzzy Hash: e55643d00efb1f4d719d880ff8490dccf2f300bccaa634a79966366249db56ca
Instruction Fuzzy Hash: F031B171B40615ABDF269F99C850F6ABBFAEF45754F1040A9E505EB351DB30FC00AB90

Function 05A88550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be306d8d8e73ed5cae0815cfe83650c96bf6e7160140b3ad0eeeae44784f522
Instruction ID: 5950e14db767af9f2751fa0ae06fa1f8c2b3504dbf0b64e881f34b6c1581ac57
Opcode Fuzzy Hash: 8be306d8d8e73ed5cae0815cfe83650c96bf6e7160140b3ad0eeeae44784f522
Instruction Fuzzy Hash: 7C319A766093028FD325DF19C840F2AB7E9FF88710F44496DE8969B291D774EC48CB91

Function 05AAAF69 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb10bcc93cc094d8a9b2234b85d3a29d3b96fffd27c1676d98aea5fe7335260
Instruction ID: 1866befc98928244f3f50a6916835f2a84d9c13e51c63b19881edfc492e78bde
Opcode Fuzzy Hash: bbb10bcc93cc094d8a9b2234b85d3a29d3b96fffd27c1676d98aea5fe7335260
Instruction Fuzzy Hash: 01317572A011289BDB25DF15CD48FAFB7B9FF44644F0500AAE819E7250D7349E45CFA1

Function 05ABA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: d189bd57db293d801dda47278b88e8840cd98e212564c930a27aea260edafcd5
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: C2312E72B08701AFD764CF69DD41F97BBF9BF08750F04052DA5AAC3651E670E9408B90

Function 05AA438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f063f840ba4c51700739f251a1322788b11badb5117de283cbe9c1c4ca92d1
Instruction ID: fc5cc138d5ed8fc4bbb65124c955e36f2158c07e46a37be242ea73eafab0bcd1
Opcode Fuzzy Hash: 88f063f840ba4c51700739f251a1322788b11badb5117de283cbe9c1c4ca92d1
Instruction Fuzzy Hash: 8331B132B006059FDB15EFB8C985E6AB7FAAF88304F10852AE156D7254E770E945CBA0

Function 05A7E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a56e7d3e8d379265cf1dc4cad5d71302ebaa959c177820bda5ba32ab12672a
Instruction ID: 7cc34eece65c19f5b7a09ebb4c2b4d9ad2e42c09dfcf76542cc23d0af36b2ad3
Opcode Fuzzy Hash: 10a56e7d3e8d379265cf1dc4cad5d71302ebaa959c177820bda5ba32ab12672a
Instruction Fuzzy Hash: 8031B432A0152C9BDF35DB24CD45FEE77BEEB05740F0101E5E655AB290D675AE808F90

Function 05A7C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e102b12edd88a9aec5fc91a6f141a9ccecde1b7ea4429826beda684e01b90f
Instruction ID: a2bb387ee0d8d517f6520f8e36ee5e99a69794460e2056d24a044c278f4a7deb
Opcode Fuzzy Hash: 41e102b12edd88a9aec5fc91a6f141a9ccecde1b7ea4429826beda684e01b90f
Instruction Fuzzy Hash: 753127B56002109BCB24BF28CC45FB9BBB5FF40314F5481A9DC569B382DA34E986CBE0

Function 05B3C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: dc693e360e43992675de335ecc8dfd7c1bc2c2404779ae20d1505062cc7c0933
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 35214B36700A51A6CF15ABE49C01EBABFB5EF40710F40805AF9D5BB691EA34ED50C3A0

Function 05AB4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: fd9055e0ec5d158b23747c0e25130feac0546157975c52d27b9450ab1288af4a
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 2C216031B00608EBDF15CF59C994E9ABBBAFF4C714F108069ED259B242D6B1EA058B90

Function 05AB44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e9f7be6bbd2c920ae3328fe6af880429f96eda76129e036436b404303f4460
Instruction ID: 68eecdd1dc12a4410092c98965b2ffd96cf84548532bcad3da8836d9b440214e
Opcode Fuzzy Hash: 95e9f7be6bbd2c920ae3328fe6af880429f96eda76129e036436b404303f4460
Instruction Fuzzy Hash: 81219E32604B059BDB21CF58C940FAB77EAFB8C710F004619B9559B242D7B0EE008BE1

Function 05AFE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e8c6f3af4f8331478f755066f8d6466c422cc07fd97d9a9afb0e714af64f4c
Instruction ID: b7aa52fb13be7a37ec7ae0a3808c19275b083fd11035de4c17a66ac3318ded98
Opcode Fuzzy Hash: a6e8c6f3af4f8331478f755066f8d6466c422cc07fd97d9a9afb0e714af64f4c
Instruction Fuzzy Hash: 9E316F756002099FCB98CF58C484DAEB7BAFF84304B114459F9059B3A0E731A941CB95

Function 05A7E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 2fe46010c5022ab7f2110703d56436189c08fbc1616f827df8d47ff7f0ace965
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: F8317A31600608EFDB21DF68C988F6AB7F9FF85354F1049A9E5528B690E730EE01CB60

Function 05A88D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: ae1407ad63d222662ac71fd56e8711ef7fe1d9ee422ea927e1450f80cfa8f195
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 322125397056829BEB2AE728CD19F3577EEBF80750F0948A5DE52876D1E768DC40C260

Function 05B006F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1025513b4ae15fad5e2be271e51f09b0cd2f639eb72d903e675e190553a956c1
Instruction ID: c3b63bbd1daa6db89d0b8646101f03ae17b7b4314a1e4f9fc4a0e04fdad1dba7
Opcode Fuzzy Hash: 1025513b4ae15fad5e2be271e51f09b0cd2f639eb72d903e675e190553a956c1
Instruction Fuzzy Hash: C4218071A006299BCF14DF59C985ABEBBF4FF48740B5100A9F441EB250D738AD41CBA0

Function 05B0019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af802e11977595ac7c094b10b1ac440e6b7ef5888116dad6bf982559ae677195
Instruction ID: c37bc430bef1f3bbf28d080eb2747f06d5a5eb6a6dfe3a26d1aa76c911561c67
Opcode Fuzzy Hash: af802e11977595ac7c094b10b1ac440e6b7ef5888116dad6bf982559ae677195
Instruction Fuzzy Hash: 8D21AE71600658EFDB15EB68C948F6ABBF8FF88740F1444AAF905DB690D634ED40CBA4

Function 05B00283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ad893d340ac86049b0696989b52e3fe2b4039894606db7c81dc22fe06a5acb
Instruction ID: 1d79bd63af01993cf453e33fcaf75651711ef6abcde29c1bca01501b8ee70954
Opcode Fuzzy Hash: d7ad893d340ac86049b0696989b52e3fe2b4039894606db7c81dc22fe06a5acb
Instruction Fuzzy Hash: 4121B6725087499BCB11EF59C94CF6BBBECEF85240F4848A6BC81C7291D734E504C6A1

Function 05A86C50 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction ID: 9190a1c3a5a1cb05bd52a2e8ffb460ead33cba9a9e40756f50f5192f894df886
Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction Fuzzy Hash: BF3186B5604600CFD720CF58C180F26BBF9FB88714F2484ADEA5A8B752DB31E942CB90

Function 05B3A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a1b700344aba1e64c5a1f6fab0fba06af8027cb751b2997e2f5b66367d7a05
Instruction ID: 47dbfcb5176e5b8b40de2d4342553f64f6e65698c03f0b5fde160b3869842903
Opcode Fuzzy Hash: a1a1b700344aba1e64c5a1f6fab0fba06af8027cb751b2997e2f5b66367d7a05
Instruction Fuzzy Hash: 5311CA72390B117FD72265549C47F2BB699DBC4B60F320468B658EB1D0DA74FC018795

Function 05ABA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce4a12d916497b14d853b40d413983df999abb06cfa05cce06dacde1a7f44ef
Instruction ID: ff1a4f8e38c13026b6e75f9dccd5e3d8157c6b322e3b6abad30c3029b69d866c
Opcode Fuzzy Hash: bce4a12d916497b14d853b40d413983df999abb06cfa05cce06dacde1a7f44ef
Instruction Fuzzy Hash: 6721AC39200A109FCB29DF28C901F5673F5BF08704F248469A559CBB61E331E842CF94

Function 05B180A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 6188416376b491d47fe46081301c2cf9a8e65ccc0fea58486282eec3b377d254
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: B1215872A00209AFDF129F94CC44FAEBBBAFF88310F600899F905A7250D734E960CB54

Function 05A88770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57271ea05da395e376c7809ba5280b646de2e6db70bd04cba4240bae1e095f55
Instruction ID: 34801b3bb2ac8f8fd62dbb4db593d243951e3275d1863706ca8ca7a65aba751b
Opcode Fuzzy Hash: 57271ea05da395e376c7809ba5280b646de2e6db70bd04cba4240bae1e095f55
Instruction Fuzzy Hash: 0711C831701A169BCB11EF49C5C0D36B7F5FF4AB50B944469ED19EF204DAB5E901CB90

Function 05AB0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 6be07d3a22a46801b07aa87a70e107b6b3d509033e49e0c85b62e4e2049aa4b8
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 7F11D072600604AFEB269B44DD49F9BBBBDFB84750F110029E6019F181D6B1ED44CBA0

Function 05B24F42 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
Instruction ID: 8defb88dd51a7f9ab8e8446af2765c8298309bf15ed3e5fa83c490ca21adca1e
Opcode Fuzzy Hash: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
Instruction Fuzzy Hash: 98215075E04219AFCB05CF88C880DAEBBB5FF98304F1140A9E809A7351DA71AE41CBA0

Function 05A880E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977c196c16a67a90d1ed11959735a0b85af8e370087e89e2833a3de9dabf7450
Instruction ID: f25101c964c5817ca8837261b3590bec3a705689848240c5fba3ec806db9950f
Opcode Fuzzy Hash: 977c196c16a67a90d1ed11959735a0b85af8e370087e89e2833a3de9dabf7450
Instruction Fuzzy Hash: D9213A75A00206DFCB14DF58C581AAABBF6FB88714F64456DD105A7310CF75AD06CB90

Function 05AB674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8defdb93cd1eca800e8006b9b1bea8d8f614ef5774fc14beb37f6367ccad34
Instruction ID: 06d5b383ef79505a99a8baaeaa51a9c0e9e89c34d0e865c9cdc4216ed058a3d6
Opcode Fuzzy Hash: 9e8defdb93cd1eca800e8006b9b1bea8d8f614ef5774fc14beb37f6367ccad34
Instruction Fuzzy Hash: 52219071600A40EFDB20CF69C881FA6B7F9FF44250F40882DE4AAC7251DB70B880CBA0

Function 05AB66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573c98e5cce87262fd482f630d4651422b2315c8848c387d51e26d7aa3e8a833
Instruction ID: 708014380701d09ec9770a9e0b092a76f77db725c0b7ad9e196332babb27d4a5
Opcode Fuzzy Hash: 573c98e5cce87262fd482f630d4651422b2315c8848c387d51e26d7aa3e8a833
Instruction Fuzzy Hash: 0311E376B01254EFDB28CF59C580E9ABBF9EF84650B11407AE915DB312DAB0DD40CBD0

Function 05A82F12 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6454f71e81488528c013e124ac5fe976928a60ea066889c273027168223cef21
Instruction ID: 1e8ee6a8e525a65f5dcaa89829e5ca7f4dae6e489177b198f919138c95c5ce31
Opcode Fuzzy Hash: 6454f71e81488528c013e124ac5fe976928a60ea066889c273027168223cef21
Instruction Fuzzy Hash: FF1148353047146FD724BB299D89F76BBA5EF40AA0F540066FD06A7290D9B0FC14C6A5

Function 05B0E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 9f79ec8fc5659729ac14887f5463dcd93268cb59acd0e6b965e25bf6a695ff98
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: C5119E32604704EFDB219F44C944F76BBAAFF45750F0598A8E84A9B1A0EB31FC40DB90

Function 05AA27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd61d0545df9ae59a99c2829ff4199f24a5f24916e37e5fc798fe0359bfd6b9
Instruction ID: a99c129122530a06ba2bcf07d95c4cc1d1b00288df04b5dc8919d1a189df2216
Opcode Fuzzy Hash: 4dd61d0545df9ae59a99c2829ff4199f24a5f24916e37e5fc798fe0359bfd6b9
Instruction Fuzzy Hash: CF012636309644ABE326A369D89CF276FAEEF85354F0944B5F8119B250DA24DC00C2B1

Function 05A84690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1552bc616562e511dfb430c27315c07980c54fe3feb25c3dd6b389e801d0a91
Instruction ID: 94174baa5dde1d4f803211e0c4fbfe876f0b02aa1f49ca58cd1b467564f5db71
Opcode Fuzzy Hash: a1552bc616562e511dfb430c27315c07980c54fe3feb25c3dd6b389e801d0a91
Instruction Fuzzy Hash: E911CE36604A46AFCF25EF59D944F767BA9FB8EB68F004129F8658B650C770E840CF60

Function 05AB6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afc48e4aa47a4784b8ac72178051be5c0bc1cf7f916069771177f3e55c805ce
Instruction ID: ba2d5072f8a060604ea535036e33cdc9e1ef7d3314c7e57d23b3465f0d921bcc
Opcode Fuzzy Hash: 9afc48e4aa47a4784b8ac72178051be5c0bc1cf7f916069771177f3e55c805ce
Instruction Fuzzy Hash: 9011C272A00614ABEB25EF59C9D0F9EF7BCFF88740F500455D915A7242D770BD018B90

Function 05AAE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 39ed39141f1dd401141f067b895fc9a05a3783bab546b7fad7e68f57b51abc0e
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: C011C4733066C29FDB229728EA68F3577E9FB41758F1908E1DD418B692F728C842C260

Function 05B0E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: e80f3cf942c2ae0fa0f7bcc9f3057ef80e291efb965d9abda0c217243c21e5f4
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 8B01D232704108AFDB219F54C904F7ABEAEFF44790F0598A8E9069B2A0E771ED40C790

Function 05A7A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 3239313b2c029cf277e1edc5c010716bd38b0fd11bca044b23ea2fed196ce86f
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 4301C072505B19ABCB318F159C40E7A7BB6FF45B607008A2DF8A69B6A0D735D840CBA0

Function 05AFE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e33733cec1c84aed4eed18822edf4dc98c803a9d4ae4ceefe361ff8e6e8c30
Instruction ID: c9a3485c4f9003e738969828063ccf99b642847c0e7d84eef7d2999246e308e7
Opcode Fuzzy Hash: 84e33733cec1c84aed4eed18822edf4dc98c803a9d4ae4ceefe361ff8e6e8c30
Instruction Fuzzy Hash: 2D118B32241640EFCB25EF58CA84F1ABBB8FF44B44F2000A5FA059B661D335ED01CBA0

Function 05A86259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0285c96a5cc3714cf345ec06605bfde87cb22923a6857e2490303bb11568b56
Instruction ID: 28ed2d8a236db891b121537c78817975eb5e161484f0a2dad1e630157a1b7901
Opcode Fuzzy Hash: d0285c96a5cc3714cf345ec06605bfde87cb22923a6857e2490303bb11568b56
Instruction Fuzzy Hash: BA117071A41228ABEF25EF64CD46FE97774BF04710F5041D9A319A60E0DB709E85CF84

Function 05AB6DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
Instruction ID: eadde9f9008b28caefa98cdd98564d4087a500d0e20083b6362c7df91a7bd961
Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
Instruction Fuzzy Hash: FE01FC7260825567FF29DB95C845FDF7FADEB80B50F154015A9075B281D7B4D880C3E1

Function 05A76DF6 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350231d954313f62ea6513d197e1611ef679baa51219d335e5783d9859cef567
Instruction ID: 61b61dac122b148075a36411b5ebc1012fd9a526fa22ef767c67bfa95c02b643
Opcode Fuzzy Hash: 350231d954313f62ea6513d197e1611ef679baa51219d335e5783d9859cef567
Instruction Fuzzy Hash: A201B13271470AAFCB20BB659844D67BBB6FF84210B000168F96683691DF21FC10D6E0

Function 05B16500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f47b90076f42c318bae662d978c23b336038570eb674ffb8e6a9491d549c102
Instruction ID: c5af0b7b8d038ab0bc0d507c41f466f3c88febc1320c5c7c3835ff5c2cd541b7
Opcode Fuzzy Hash: 9f47b90076f42c318bae662d978c23b336038570eb674ffb8e6a9491d549c102
Instruction Fuzzy Hash: F911E1326441499FC710CF18C800BA2BBBAFB5A304F488199E8488B711D732FC80CBA0

Function 05A8208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 533136868977a4673ae35b4076312e3de538cd83c67e6848fa9a47440eb59874
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 1901B1366002109FDF15AB29D884FB2B777BFC4610F5945A5ED178F245EA719C81C7A0

Function 05B06050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a63729e147aad06b432ad59bf90353839033a87380ac3aba1183095c758403
Instruction ID: 67ee79a902b54d31b1b461e8ec04ef38a48435c2549bd9c71229328d88fe19a6
Opcode Fuzzy Hash: f8a63729e147aad06b432ad59bf90353839033a87380ac3aba1183095c758403
Instruction Fuzzy Hash: ED11177290001DABCB15DB94CD85DEFBBBDEF48254F044166A906A7211EA34AA14CBE0

Function 05B54D30 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dce810caaab907df470bbf0755fd55f79d5b3e8251e758c876a237234e0141c
Instruction ID: 14b969b4fed92392ea74d5207a3545f712038afd593616effaec100a72119dcb
Opcode Fuzzy Hash: 7dce810caaab907df470bbf0755fd55f79d5b3e8251e758c876a237234e0141c
Instruction Fuzzy Hash: D2019A32A1015CABCF10DFA9DD46EAFBFB9FB48650F040058F919E7251CA30EA10CBA0

Function 05ABE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97cc8ea1a0dce6d2e839f6fd7f5ee3c33a35b0b36f704b736fb673dbf88459b
Instruction ID: 27a78315ad74a5ee4bf51f8bb5a62ed480d3a7ce707662992709142f9b774188
Opcode Fuzzy Hash: e97cc8ea1a0dce6d2e839f6fd7f5ee3c33a35b0b36f704b736fb673dbf88459b
Instruction Fuzzy Hash: FC018472341A147FDB15AB69CE84F57B7ECFF846A0B000626B21983551DB24EC01C6E0

Function 05AC20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b990f5c2210af7f8e238ba627db0207148ab424410ffbc12f551262ada2546
Instruction ID: 303901f0db18a740543038b39f33b57696dadc0f67cae6c21c0b94847b2dff9d
Opcode Fuzzy Hash: 49b990f5c2210af7f8e238ba627db0207148ab424410ffbc12f551262ada2546
Instruction Fuzzy Hash: 91116D35A0020CABDF05DFA4C955FAE7BB6FF48240F004099F9159B290DA35AE11CB90

Function 05A7C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 013a8c440d20442c5d7a9f0f649b6a85ecc67fca6103ffe335f89a2383a21171
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: D701B9322007059FDF22E765D914EA7B7FAFFC5654F044819E55787540DA70E942CBA0

Function 05B0C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63aa65d1c3291966c6ec34ba473f57b5a07ee1f31a9b84cff7fc2fe558058dc9
Instruction ID: defb65ae930b431a68df5fcb11eb4e0461dde9759e55657fdfc9fba6485c1a96
Opcode Fuzzy Hash: 63aa65d1c3291966c6ec34ba473f57b5a07ee1f31a9b84cff7fc2fe558058dc9
Instruction Fuzzy Hash: 8B115B71A0020CEBDF05EF64C955EAEBFB5FB48240F004199B80197390DB34ED11CB90

Function 05A9E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 3323c11abb9632f164a8c60cadee6083b3ff9807c295235763782c5cb1b6503d
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: E701BC32244580DFD72AD71CC948F37B7EDFB44B40F0904A6E816CB692E638DC40C221

Function 05A7826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2ae77e286b2a796c4d8a1683a5c4932f8c266d20832978a5219c98b7593759
Instruction ID: 32e24d59e161c0cf24253541e9bc31c61d5422fd6dc5953fad23a082676890fe
Opcode Fuzzy Hash: 5a2ae77e286b2a796c4d8a1683a5c4932f8c266d20832978a5219c98b7593759
Instruction Fuzzy Hash: B701A732B1450DEBC718EB69DD48DAF7BF9FF44211B154069A912A7680EE30ED01C6D1

Function 05B04C0F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6a19ea365c40c19e4fe8a16b65534bd6f59d38f244cd8fe510355439b6ac30
Instruction ID: 13282cac1df82b449cfc1439aeddf263e359e74076466403ac7caeba9082aa23
Opcode Fuzzy Hash: 5d6a19ea365c40c19e4fe8a16b65534bd6f59d38f244cd8fe510355439b6ac30
Instruction Fuzzy Hash: 9D018472B11715ABDF209F99D9C0F59BBF8EB447A0F100095EA0497240D7B4FD448754

Function 05A82582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7dc41bd2f4ff7938a0b6ff9e7f142d4b36b3aacdffe8a5cbbbaf83a6a34091e
Instruction ID: 28ec8380cd50d8858e8c4f2a9be09dfd72dc4f4a0b97d1f9a4da5792ece72d70
Opcode Fuzzy Hash: b7dc41bd2f4ff7938a0b6ff9e7f142d4b36b3aacdffe8a5cbbbaf83a6a34091e
Instruction Fuzzy Hash: 5CF0F432B41A20BBCB36EB568D44F27BEAAEF84B90F104429A50597600CA34ED05CAB0

Function 05B54F68 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b891607c0a036c0260e0c25a6e582d1a3bb579dfc8561b4df0a316a447135373
Instruction ID: eddd7b16663cf71d88a00a2f06265adff0e1394057e34b20f97b6ba9229bff5e
Opcode Fuzzy Hash: b891607c0a036c0260e0c25a6e582d1a3bb579dfc8561b4df0a316a447135373
Instruction Fuzzy Hash: 130117B1A00219ABCF04DFA9D955AAEBBF8FF48304F10445AB905E7340D674AA008BA4

Function 05AAC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 1ba0725f2f07b43733138769a0c6ba3d10df025abdbcbf80d5378d661eb18253
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: EFF0AFB3A00A10ABD325CF4D9940E57F7EAEBC4A90F048128A555C7220EA31ED04CB90

Function 05A7C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: c1b84fe917c1735ff5beb6d22a15fbf72d8bb84143c2b875a724e521c2121bd1
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 95F02B33348A369BD73257B99D64F3BE6A6DFC1A74F1A0036F51A9B204CA748C0297D0

Function 05B5634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926396bb97aff59d982486ce9c5de16f2963c37bf4f4d75292e026a1776f472e
Instruction ID: 27061f83f79adb62fda40f6c55415b30533dd151cddcf8b93599ded2781488e5
Opcode Fuzzy Hash: 926396bb97aff59d982486ce9c5de16f2963c37bf4f4d75292e026a1776f472e
Instruction Fuzzy Hash: FF012C71A10209EBCF04DFA9D555EAEBBF8FF48314F50446AF905EB350DA74AA018BA4

Function 05B562D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20624e05b5e8062f4f99ac4d803b6d2df97d7e082cb5cf7311411d857c2b1ac
Instruction ID: 63b6ff7cf8cb6174baff8c24f65c58a9581c13c15ce46adc4d1070f7eceb0cba
Opcode Fuzzy Hash: e20624e05b5e8062f4f99ac4d803b6d2df97d7e082cb5cf7311411d857c2b1ac
Instruction Fuzzy Hash: CD017171A00209EBCB04DFA9D555EAEBBF8EF48300F50845AF900E7350D674A9008BA0

Function 05B5625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0d7da7e13b05dc4ceb711d4e20ea5c479ec46d4dd914c5c4bd60591e0175a
Instruction ID: a8ee58f734b59a2a66f0e49ee9883c9ea939da674c7222d0378a5605790a7284
Opcode Fuzzy Hash: a2f0d7da7e13b05dc4ceb711d4e20ea5c479ec46d4dd914c5c4bd60591e0175a
Instruction Fuzzy Hash: 48017C71A10209EBCF04DFA9D555EAEBBF8EF48300F50806AF900EB350D674AA008BA0

Function 05B54FE7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0edc180d4b038a00013cfee3a060ab448cb94e84cf47a1c323134d4c26d80f
Instruction ID: 8ddded1622dc15bec68718028dd548b7aa3e83e30d59fead33c595e42ea722fb
Opcode Fuzzy Hash: 2d0edc180d4b038a00013cfee3a060ab448cb94e84cf47a1c323134d4c26d80f
Instruction Fuzzy Hash: A3012171A1020D9BCF04DFA9D995AEEBBF8FF48355F14445AF901E7390D634EA018BA4

Function 05B561E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ed7a09bb4b0459822fb1a52efcf4eb5803cd0a7a52d4dbbec319f0b7d49857
Instruction ID: eff17c21bb5a71d455bf4e2cfa4327ddec0f49dcff662481a845a4aa246f5cd1
Opcode Fuzzy Hash: 63ed7a09bb4b0459822fb1a52efcf4eb5803cd0a7a52d4dbbec319f0b7d49857
Instruction Fuzzy Hash: FB012171A102599BCF04DFA9D555AEEBBB4EF48310F54405AE501A7290D774AA01CB94

Function 05B063C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: e94003c9a8503d8e19fa12403975c2a32fed56d815cbbb0518d7196cd3f8b496
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: B2F01D7220001DBFEF029F94DD81DAFBBBDEB49298B114165FA1196160D631DD21ABA0

Function 05B0A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8fd1ca2388fffe83be3b6d7a63330db244b20a9554cc18862f1bdc75326325
Instruction ID: 02a4058b3df6ad0223cbfc554ec2d91a8c293d43b89b3676621df3ce46c02011
Opcode Fuzzy Hash: cd8fd1ca2388fffe83be3b6d7a63330db244b20a9554cc18862f1bdc75326325
Instruction Fuzzy Hash: 13019736110209ABCF129F84DC40EDE3FA6FB4C764F068551FE1966260C636E970EB81

Function 05AB656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c76c34d267cefedb62ba4a0626a1db9717daa6ac7708cd8bd04f4ae9a773ad
Instruction ID: 0bd094476bed89991100fff81f149fc500eb82634385f5a199c88a61588915ac
Opcode Fuzzy Hash: d3c76c34d267cefedb62ba4a0626a1db9717daa6ac7708cd8bd04f4ae9a773ad
Instruction Fuzzy Hash: 1C01A4703046849BFB229768CD4DF763BF9BB44B04F484690BA528B6D2EB68D5018610

Function 05A7C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc22b44451084ba172e569b64a065a22719c570456313491481ec2ede04afa96
Instruction ID: 4b766a0ab93bea74d564398acc6a8d287fff22e80f04242a560d5ad5d10348d5
Opcode Fuzzy Hash: fc22b44451084ba172e569b64a065a22719c570456313491481ec2ede04afa96
Instruction Fuzzy Hash: ADF0B4723042055BE714A6159D61F3233EAEBC06B1F65807AEA168B6C1FA71DC01C3E4

Function 05B2437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 7c1543127001efa0707882ef5748542c31503da31db04a0d822f094167c1e4b5
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: D9F0E93274593287DF36AA29C424F2FA296FF80D00B05067C940BCBA40DF60FC0087A0

Function 05B08D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c920c9e1202226768875f1c63ba9a6aca6e624192ced551b1d6e52e2f5e7881a
Instruction ID: ac8c273ca5e0c9ddaf9dbfa98b65044aaf8e01d2a48b14d2f94e172cdc2b6d8e
Opcode Fuzzy Hash: c920c9e1202226768875f1c63ba9a6aca6e624192ced551b1d6e52e2f5e7881a
Instruction Fuzzy Hash: 5FF0B43351424CABC7317A18A889F6BBF6DFB94720F495699F85627291CA307D81C680

Function 05A847FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb0416ddd55c95faa321bbc58e465a4a7664b53d96f735d3fe772c93391e6ff
Instruction ID: a90306c54aef8557674e2589a4405a2ce96b80a09710a2d7eaa6dc63adec6f7d
Opcode Fuzzy Hash: dcb0416ddd55c95faa321bbc58e465a4a7664b53d96f735d3fe772c93391e6ff
Instruction Fuzzy Hash: BDF0B4319166E29FDF32EB68C144F317FD5BB0863CF09496AD8AA87501C724D880C650

Function 05B40115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752b5f030b30a6be344eacb14d02b8733761e924e0ace9eb57c9cb2bf80a96f3
Instruction ID: ecbfbd908dcf2eb42d35f018696a6893629c7fe36297fb6ea55e0d532e619b08
Opcode Fuzzy Hash: 752b5f030b30a6be344eacb14d02b8733761e924e0ace9eb57c9cb2bf80a96f3
Instruction Fuzzy Hash: 3EF02766529A8C4ACF317F38649E7E17F65E745010F2914C5E6A36F200CA74B483DA24

Function 05ABC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c447ea79c84b0550beb4713cb3d562005da98ae0fd4816a11ef0dfca1a14f9dd
Instruction ID: 714e3f9e503b3f9fd9ac608e2c55f4f7931772c73f2e90226f4e5090333d185f
Opcode Fuzzy Hash: c447ea79c84b0550beb4713cb3d562005da98ae0fd4816a11ef0dfca1a14f9dd
Instruction Fuzzy Hash: B5F0BE716156929BE722D718C178FA1B3EDBB846B0F08B465D826C7513C2A0DC80CAD0

Function 05AC2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 234538f352f13b334eba34737ea3e80d8af892d85be8325fad9f970fc8dd6062
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 6CE0D832300A006BDB229F598DC4F477BAEEFC6B10F0400BDB5045F251C9E2DC0982B4

Function 05ABCF80 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction ID: 72786fc652e61d381e13effeee18034b74e64d6e6380833a47cdfa272af07c3e
Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction Fuzzy Hash: CEF0E232704606EFDB01AB96D904EAEFBBAEF80720F048052F9144B211D771A861C750

Function 05B16030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: f6bff0a7929cb194bde8fb5b0b2059e8b4987770e416f8c0c68f19888cc46e6f
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 56F0E572144204DFE3248F15DD88F52B7E9FB05364F82C069EA098B960D33AFC40CBA8

Function 05A80710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: b834b195f354308b555d6a40229077faec417a59ff126bb5ef676c4495df8ff7
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 14F0E53A304B449BDB15EF15C058EB57BF9FB41350B014495E8468B300D731E985CB90

Function 05A7EC20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
Instruction ID: d1d7812758041542136e1531dae2b8a154235023f1a6e87ddf5128351fed3d38
Opcode Fuzzy Hash: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
Instruction Fuzzy Hash: 2EF0A03920428CAFEF18CB11CE08F2537ADBB04326F2484A9F8288A152C774D8A4CB85

Function 05B2678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: bebf6ea8a2fe42425dfa4fd240203ea823933acbb2c0a8f26bf24b3eae045ace
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: ABE0D832B00120BBDF2297599E05F9A7BACDB44E90F050064B905D70A0D570EE00C6E0

Function 05B54164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f40558495fc259aa02648c890731bbf8533e9897458ab166f949ceb3c16c6b
Instruction ID: ba4e48cd2e89ccbd9214b86d2f12c2dcc4ed11dcbba2ceee0d6a6e0c08adc974
Opcode Fuzzy Hash: b7f40558495fc259aa02648c890731bbf8533e9897458ab166f949ceb3c16c6b
Instruction Fuzzy Hash: CEF030319255918FDF6AD724D644F657BE5FB14630F2A05E4D84587911C724FCC0CA50

Function 05A825E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644037394cc24b82ffdb1db8b00b4928d38b0ac70f3e73836367de4e784fbeaa
Instruction ID: 23e20aeb2d866f3d79a9d02907d8ecf1f5b3bd0a4be1a68a04368652474ddba4
Opcode Fuzzy Hash: 644037394cc24b82ffdb1db8b00b4928d38b0ac70f3e73836367de4e784fbeaa
Instruction Fuzzy Hash: 0AE092722009549BC725BF29DE05F9A7BAAEF54364F114529B15557190CB30A910C7C8

Function 05B3A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 28e68b317a00805e674c5d2cf19e8ccf62defbbd2cab14094981c6902b2c9ffa
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 13E01235114A51DFDB366F25DA5DF52B6E5FF40711F248C6DA0DB114B0C7B5A8C1CA80

Function 05B04000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 5196e98a360aafcc3f15907b53c0e97ed568956ada1c387990bea1cc9e5de7e6
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: FBE0C2343043068FDB15CF19C040B637BB6FFD5A10F28C0A8A9498F245EB32E842CB40

Function 05A7823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 031a6c258d3e36c4da23f923b488427dc87380018b9ac9d7d0de7e9379ed99ba
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 32E08C35200A28EEDB316F11DE08F617AB2FF44B51F21486AE09A064A4CA78AC81CA94

Function 05A78C8D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
Instruction ID: 9c04abf7cdd361befa0d3e3005d3658f3f73e951e71b34bf3c31046b802756ec
Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
Instruction Fuzzy Hash: DDE08631101A25DEDF316F12DE0CF567AB2BF40710F11486AA057154A0CA789C85CA95

Function 05A82050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b591e26d566d253d950cdaefdd652ba49ed91f42e9a4b258cb3cf65b50fe924d
Instruction ID: 105fccbc9dd551cde19b7a6e9b140463341a8de7d2c215cab1778d859d278d7f
Opcode Fuzzy Hash: b591e26d566d253d950cdaefdd652ba49ed91f42e9a4b258cb3cf65b50fe924d
Instruction Fuzzy Hash: 57E0C232200864ABCB11FF5DDE01FAA77AEEF94260F100121F15487290CB20FD00C7D8

Function 05ABE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: c201e7cb2188b4ac7db56bd7ec24ca72c9feebc7ea38d3eaa95a9dabf221d113
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: F8D0A932204A20AFDB32AA1CFC04FD333E9BB88720F16085AB018C7050C360AC81CA84

Function 05A7A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 29d2ae65f0a75cac0ab538ab8c60b5bd1c74620eb02cd00e35fa2ed4034cbba8
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: FED01232317474A7DF2997556D14F6B6A66AB81A94F1A046D740AD3900C5158C43D6E0

Function 05ABCF50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e0652c89fa9f8a2eb819bacf9c7a6cea482f174652bb31bac85ffd87e94c46
Instruction ID: 16c971618cec06b3a5a8250c840f37c8bd4dcb73fe2eb37ad05fe76221fd1ddd
Opcode Fuzzy Hash: f1e0652c89fa9f8a2eb819bacf9c7a6cea482f174652bb31bac85ffd87e94c46
Instruction Fuzzy Hash: 4FD0A732110548ABCB01FF08CE41F157FAAEB94740F000020B40887221CA30FD60C688

Function 05A902A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: f6511c0c0863003a47424d0f999b5c6bcace2a0738fb6b80c8e92c721affbab3
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: F5D0C935216E80CFDA1ACB0CC5A8F1573F8BB84F84F8104D0E542CBB61D62CE980CA00

Function 05ABCF1F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ba97c1551e88e51c2d11dec5c5b8934833b254f10373056230eae67c17b56a
Instruction ID: d1e6a7085a1732840f3a33518fcde2802e0e1d24d294c4782eae90210bbc42ca
Opcode Fuzzy Hash: 95ba97c1551e88e51c2d11dec5c5b8934833b254f10373056230eae67c17b56a
Instruction Fuzzy Hash: 61D05E72121940DFEB2ACF04CA46F6577E4F700704F4540B8A00ACB921C728E904DB84

Function 05ABC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: cb1e0c30a62ed13b157fe6e3ed369c03145ddaf929456d2e8db36be7159fc354
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 1FC01232250644AFCB159A94CD01F0177A9E798B40F100421F20487570C531E810D684

Function 05AA0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 8be839ea62ccc747a443b0d8864deb82e1246149a4cef76e9650ce25c8adf220
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: B9D01237200248EFCB01DF41C994D9A772AFBC8710F109019FD19076108A31ED62DA50

Function 05A80750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: b17e3635f8653570d3b9b66eae61457a9251db3f8ec408ab43165cef911c95a1
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 8CC04879701A458FCF19EB2AD3A8F59B7F8FB84740F154C90E806CBB21E624E801CA60

Function 05B36F00 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 44edd9db6917bdae410206c24553a41122c057a36f2c0a006a66201b2b18260c
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: 9CC09B2F1556C149CF178F3553137E4BF61D7425D4F5D14C5D4D21F512C1145513D625

Function 05B54DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: 43ab675cf31649ae02350f8770eae105cb9eded05ce211abe1faa37807a429a7
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: 0BB01233312544CFC7026720CB04F5872A9FF017C0F0900F065008AC30E7188920E501

Function 05AC4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d0f0a9f001237890c1fb7ac408b27f07f68fd8bbc6f9c4a5cd1a855b56a9ee
Instruction ID: 4da84e2358beb5dc710598d9586c6620214da4b39a1434102d450b7c4bed1b6f
Opcode Fuzzy Hash: 86d0f0a9f001237890c1fb7ac408b27f07f68fd8bbc6f9c4a5cd1a855b56a9ee
Instruction Fuzzy Hash: 7590026660151142454071585844806A02597E13013D6C115A0564561C861C89559279

Function 05AC4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cbce16f00ef80f5689e44a05c3b92f75fbcc77164df9eae496dba12fbddbf0
Instruction ID: 21d289909a18836c1c20efb5460925e8136c7590c96b8fe9854a3cb7f86fc458
Opcode Fuzzy Hash: 15cbce16f00ef80f5689e44a05c3b92f75fbcc77164df9eae496dba12fbddbf0
Instruction Fuzzy Hash: D0900236605811129540715858C4946802597E0301B96C011E0434555C8A1C8A565371

Function 05AC2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2e8a89ca968117c12df263592721ce6fc85ce1a0b33b35d329caeca673463b
Instruction ID: 479d745737f35b2ef5aca24aa1f57cf0d4eaca75048ab5aea39bcceadb8b1930
Opcode Fuzzy Hash: 8b2e8a89ca968117c12df263592721ce6fc85ce1a0b33b35d329caeca673463b
Instruction Fuzzy Hash: 1E90023624141502D54171585444A06402997D0241FD6C012A0434555E865D8B56AA71

Function 05AC2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f8093bff1e83b93c7b35d35a55b1690d681b1458d919860bdb2d9b545d0f20
Instruction ID: 30d362b3bc8bfcaca0d7092d8c0160acdd61924aa8a56954d65fb53976be07cf
Opcode Fuzzy Hash: 42f8093bff1e83b93c7b35d35a55b1690d681b1458d919860bdb2d9b545d0f20
Instruction Fuzzy Hash: 8E900226242452525945B1585444907802697E02417D6C012A1424951C852E9956D631

Function 05AC2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee06653d91724b7f88d99edcd9a82d29ddd82c4e62e20f4e6eb8850663b4049
Instruction ID: 4a28e6e6c2d55c694f866b155fc87b55c42ab72d56b385512f37145b859b2761
Opcode Fuzzy Hash: 2ee06653d91724b7f88d99edcd9a82d29ddd82c4e62e20f4e6eb8850663b4049
Instruction Fuzzy Hash: 7190022630141103D54071586458A068025D7E1301F96D011E0424555CD91D89565232

Function 05AC2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816019879f3e87adaa02152e9de41867ed6d7e04af50332c407846c66e7b62bc
Instruction ID: 4d3af3d60a1ec2baccc4b741b8d21cf56c5890c01940a9be9381d5fc0a4594f8
Opcode Fuzzy Hash: 816019879f3e87adaa02152e9de41867ed6d7e04af50332c407846c66e7b62bc
Instruction Fuzzy Hash: 8490022620545542D50075586448E06402587D0205F96D011A1074596DC63D8951A131

Function 05AC2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35ae4e214207ce7c414390e952a646c94f0013891cdf5a54dbe426d7378186b
Instruction ID: 9cb8876b68536da4d926ce40e172c76df09d3a14cc3dc3b80a555023bebe4d85
Opcode Fuzzy Hash: a35ae4e214207ce7c414390e952a646c94f0013891cdf5a54dbe426d7378186b
Instruction Fuzzy Hash: 8790022E21341102D58071586448A0A402587D1202FD6D415A0025559CC91D89695331

Function 05AC2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999d09d9f4ceccc2e13c2d0a6a51fb9258571bba6c6d95d677b65ee8fbb57a1e
Instruction ID: cb62164ef5da4b5e45fd42bd6e39bf2b3268137ef47850302d4a723754ea1a41
Opcode Fuzzy Hash: 999d09d9f4ceccc2e13c2d0a6a51fb9258571bba6c6d95d677b65ee8fbb57a1e
Instruction Fuzzy Hash: C290023620141502D50075986448A46402587E0301F96D011A5034556EC66D89916131

Function 05AC2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ae00be9a18f6766ecb4fbe62707730d178d2953eb2540984ba97bc8fbfdf64
Instruction ID: 6b1941b3aae9058b7bfdd707cec73114811fb69fd6e9213fe450a27bf6102f95
Opcode Fuzzy Hash: e7ae00be9a18f6766ecb4fbe62707730d178d2953eb2540984ba97bc8fbfdf64
Instruction Fuzzy Hash: 4E90023620141503D50071586548B07402587D0201F96D411A0434559DD65E89516131

Function 05AC2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e886446efa133bcc1d0f1ac7515b666f802a326223770fda15ec470b19049554
Instruction ID: 21a42a38207e3b5dd8d3f4b2af4accee796974186bb9258c372043326b8ab370
Opcode Fuzzy Hash: e886446efa133bcc1d0f1ac7515b666f802a326223770fda15ec470b19049554
Instruction Fuzzy Hash: 5790022660541502D54071586458B06403587D0201F96D011A0034555DC65D8B5566B1

Function 05AC2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5346c91b97b1696ff742a0663c8d37c85c10b212b4ef051fea8538e463609e
Instruction ID: a7642ce96e8f8c510e2998d29aa8c45bdd96204b6b029e1aca6902f4078ec71d
Opcode Fuzzy Hash: ac5346c91b97b1696ff742a0663c8d37c85c10b212b4ef051fea8538e463609e
Instruction Fuzzy Hash: F790023620141942D50071585444F46402587E0301F96C016A0134655D861DC9517531

Function 05AC2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6adfdd85ac6d28b937a2a0e7fa84c5a3344bdb8e54785b278c3090ec8294052a
Instruction ID: cd73844d3d032a1e5fef2659747fcae2eac719caf255533267ce54b63daa71ea
Opcode Fuzzy Hash: 6adfdd85ac6d28b937a2a0e7fa84c5a3344bdb8e54785b278c3090ec8294052a
Instruction Fuzzy Hash: 7090023620181502D50071585848B47402587D0302F96C011A5174556E866DC9916531

Function 05AC2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cce454a2a66fa458151c726576aec023ec8228e4ac328d44263fc05a3a8f2ac
Instruction ID: 812471cdb272a28f520225d157c2c36061e85c4d27c86f93ac2613563656c78f
Opcode Fuzzy Hash: 9cce454a2a66fa458151c726576aec023ec8228e4ac328d44263fc05a3a8f2ac
Instruction Fuzzy Hash: A290022660141142454071689884D068025ABE1211796C121A09A8551D855D89655675

Function 05AC2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b74d277993cfa279aa1bf030a72ce07750a7221f5bbd324e09ee50e4529d6ee
Instruction ID: 2af6631d97ff46ef41ddcbf4a7f57abbf53deefedeb4417d492092602b759428
Opcode Fuzzy Hash: 6b74d277993cfa279aa1bf030a72ce07750a7221f5bbd324e09ee50e4529d6ee
Instruction Fuzzy Hash: 5F90023620181502D50071585854B0B402587D0302F96C011A1174556D862D89516571

Function 05AC2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a836227c5aecdb2848fec4f7570c3236bd4c24af59ebd153e3823cce3378ba58
Instruction ID: f9220593a1b2523476061723a9bc533cd2779b1d51990634e0a42bc498eabb39
Opcode Fuzzy Hash: a836227c5aecdb2848fec4f7570c3236bd4c24af59ebd153e3823cce3378ba58
Instruction Fuzzy Hash: D1900226211C1142D60075685C54F07402587D0303F96C115A0164555CC91D89615531

Function 05AC2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0cdc0c4617f0e5fed263396ba015a025449b02992bca3e3053af6ca96acf90
Instruction ID: 05b1117378ad1166e34ea8461bd4ee046e16d989b68786eebce9fbda243e996c
Opcode Fuzzy Hash: 3e0cdc0c4617f0e5fed263396ba015a025449b02992bca3e3053af6ca96acf90
Instruction Fuzzy Hash: EF90026634141542D50071585454F064025C7E1301F96C015E1074555D861DCD526136

Function 05AC2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1427cc44ee0accd77f9620fd1410d61995c399922c233dacd074eef1711c7c
Instruction ID: a9a3f18f61a677bee3ffc3888ce35fd01d2b4bc0743fee5865392434ed17aaa7
Opcode Fuzzy Hash: 0d1427cc44ee0accd77f9620fd1410d61995c399922c233dacd074eef1711c7c
Instruction Fuzzy Hash: C390026621141142D50471585444B06406587E1201F96C012A2164555CC52D8D615135

Function 05AC2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e239aeadb0b14cec6d18c5b89d81dd7dadf348b57a8ef94ca83183b1a2b619
Instruction ID: ac07bdc9119a0c4af50fd75142fab342da54ca8bb7d649934c2355224646d750
Opcode Fuzzy Hash: 29e239aeadb0b14cec6d18c5b89d81dd7dadf348b57a8ef94ca83183b1a2b619
Instruction Fuzzy Hash: 6290027620141502D54071585444B46402587D0301F96C011A5074555E865D8ED56675

Function 05AC2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30dacde6d8612f792c0235662ad69dc006b033a204d4fd3671a3da45de6e5a7b
Instruction ID: f0e303a8684422178368a5908bff8320f820b60ce15c5ccb571eb96f94953807
Opcode Fuzzy Hash: 30dacde6d8612f792c0235662ad69dc006b033a204d4fd3671a3da45de6e5a7b
Instruction Fuzzy Hash: 4490022660141602D50171585444A16402A87D0241FD6C022A1034556ECA2D8A92A131

Function 05AC2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1816d6cbcfc5b1ba0733945d37976cdcd5fbae46482ba56074578e23bf86141
Instruction ID: 9ad99acd2395b53369a03671a6431d174d995d8f9dfe5a5854d9cf7e4949ddcb
Opcode Fuzzy Hash: c1816d6cbcfc5b1ba0733945d37976cdcd5fbae46482ba56074578e23bf86141
Instruction Fuzzy Hash: F090026620181503D54075585844A07402587D0302F96C011A2074556E8A2D8D516135

Function 05AC2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce3302bb6a2252ea13094bbef9f0e1c2649e195c75a26acb8ea456da0472e0f
Instruction ID: f7447451c4dec988ada0535a6a0c05c21a512262346c3ba5b36f6e6d19ca8995
Opcode Fuzzy Hash: 2ce3302bb6a2252ea13094bbef9f0e1c2649e195c75a26acb8ea456da0472e0f
Instruction Fuzzy Hash: C390022630141502D50271585454A064029C7D1345FD6C012E1434556D862D8A53A132

Function 05AC2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207a1e27b3c3e88c109a3a4ae0fa24fb60a9447a1af890b785e35f53fec3c679
Instruction ID: 01348da1593a0773d18cf06097477798dc737607b4cd986ab4957301e53228ce
Opcode Fuzzy Hash: 207a1e27b3c3e88c109a3a4ae0fa24fb60a9447a1af890b785e35f53fec3c679
Instruction Fuzzy Hash: 1490023660541902D55071585454B46402587D0301F96C011A0034655D875D8B5576B1

Function 05AC2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734a1578bcb8fce4af8f29e68b18d685b3e2410bf03e0502adad15eb4cb797a1
Instruction ID: dd162d4a9d2121238d5f6f17c54e6d8314b0e203abc6effc2a330c38d0feeb23
Opcode Fuzzy Hash: 734a1578bcb8fce4af8f29e68b18d685b3e2410bf03e0502adad15eb4cb797a1
Instruction Fuzzy Hash: 2D90023620141902D50471585844A86402587D0301F96C011A6034656E966D89917131

Function 05AC2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12566b8ab609b051c82c823ac022b2b688f7db77bb1b0acf707ff035ecc9595c
Instruction ID: 97f37b8947bdcebafd7549ab598c8592fdfbcb159c837087ce08bc8c65313ebe
Opcode Fuzzy Hash: 12566b8ab609b051c82c823ac022b2b688f7db77bb1b0acf707ff035ecc9595c
Instruction Fuzzy Hash: B390023620545942D54071585444E46403587D0305F96C011A0074695D962D8E55B671

Function 05AC2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97109be5d5ab74edbd9dcfca563503c1a732562577c8aeb73821945a743c0a7a
Instruction ID: cfb7591f387ba77fbc3389df1103caa3c184acc41d0d021b2e5165dc2489372a
Opcode Fuzzy Hash: 97109be5d5ab74edbd9dcfca563503c1a732562577c8aeb73821945a743c0a7a
Instruction Fuzzy Hash: 8390023620141902D58071585444A4A402587D1301FD6C015A0035655DCA1D8B5977B1

Function 05AC2B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666eda9f45f3513dc265db12221b6a749a60d7afb2adddfe3c6a9898db0a6b64
Instruction ID: 1832b2c1f659011bd1ef0ecfc100dfeec5561779f1dfb61ff8b5d2cf657b0382
Opcode Fuzzy Hash: 666eda9f45f3513dc265db12221b6a749a60d7afb2adddfe3c6a9898db0a6b64
Instruction Fuzzy Hash: 5E90026620241103450571585454A16802A87E0201B96C021E1024591DC52D89916135

Function 05AC2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee00ff48d8e33e5ce84930314e8a97770f85ac3478bdeae699f13fda84c0192
Instruction ID: 3fb4f78a9baebc8337ff322c0bb84ac3221e864130b59685311c1ec3f711e81e
Opcode Fuzzy Hash: eee00ff48d8e33e5ce84930314e8a97770f85ac3478bdeae699f13fda84c0192
Instruction Fuzzy Hash: B29002A6201551924900B2589444F0A852587E0201B96C016E1064561CC52D89519135

Function 05AC2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34ff83e9137de3cb6953d903f86e97d9f7e3d6f8d0bfe44a5ccfac68a454a0d
Instruction ID: c39bf903d33d02f990611c5d48332009b3b5bf4bad43c0c013ff997f8380f1ec
Opcode Fuzzy Hash: a34ff83e9137de3cb6953d903f86e97d9f7e3d6f8d0bfe44a5ccfac68a454a0d
Instruction Fuzzy Hash: B090022A221411020545B558164490B446597D63513D6C015F1426591CC62989655331

Function 05AC2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe305e07c20e2224ed7bdb037221e2e2d8673e91085a9a7506283eee6aa5ca37
Instruction ID: f0779746cfa26e2da89977ec20d4b39603915c6153be68f4ea885cc7f433b7ca
Opcode Fuzzy Hash: fe305e07c20e2224ed7bdb037221e2e2d8673e91085a9a7506283eee6aa5ca37
Instruction Fuzzy Hash: F790022A211411030505B5581744907406687D5351396C021F1025551CD62989615131

Function 05AC3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300495e386349ade88cfa10fbe81e7ad691fda4e4f0762a8ebf542de7eb43c86
Instruction ID: 32d6b9eaf98b040853cc91f9b3f0409fb3353f8d3f4cada56358f6243b004f28
Opcode Fuzzy Hash: 300495e386349ade88cfa10fbe81e7ad691fda4e4f0762a8ebf542de7eb43c86
Instruction Fuzzy Hash: 6D90022624141902D54071589454B074026C7D0601F96C011A0034555D861E8A6566B1

Function 05AC3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb53c2ef13147aad06fc6141e99a7fa9f4e742e9cc57c1202ee7ef952ba2d9a
Instruction ID: 15da96268fe7bdbc925985fb92fc7688bab576e59dcbe640063c9806e63f9f59
Opcode Fuzzy Hash: abb53c2ef13147aad06fc6141e99a7fa9f4e742e9cc57c1202ee7ef952ba2d9a
Instruction Fuzzy Hash: 5290022620185542D54072585844F0F812587E1202FD6C019A4166555CC91D89555731

Function 05AC3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32ade41ffee923f7b140d7f1e36dbda052fcdeaaf5ca8e581ad1c1fc297f9f2
Instruction ID: 56f07f79eb8db4a99df4dd1af8f516ff2ee6f5a3c8494432215086df3f00c48a
Opcode Fuzzy Hash: e32ade41ffee923f7b140d7f1e36dbda052fcdeaaf5ca8e581ad1c1fc297f9f2
Instruction Fuzzy Hash: A790023620241242994072586844E4E812587E1302BD6D415A0025555CC91C89615231

Function 05AC3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a0be72c1902fd11558cd398ff70f88dd4526ef5a43d986e97242b22deab115
Instruction ID: 5578dd67b48d4f6ab22fefa2f73156a20cc52609c11b926ac52057c4ecf774a8
Opcode Fuzzy Hash: e4a0be72c1902fd11558cd398ff70f88dd4526ef5a43d986e97242b22deab115
Instruction Fuzzy Hash: 9590023A20141502D91071586844A46406687D0301F96D411A0434559D865C89A1A131

Function 05AC39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2edbf1c25c5f3cd2daa44bfa764ee8d11778a68444271fb2a2f6e1c47814187
Instruction ID: 88f9d8ee667c45bcd3032ccae40e944f090a50dd9ddf3023b8414601341edcab
Opcode Fuzzy Hash: d2edbf1c25c5f3cd2daa44bfa764ee8d11778a68444271fb2a2f6e1c47814187
Instruction Fuzzy Hash: 8B90022624546202D550715C5444A168025A7E0201F96C021A0824595D855D89556231

Function 05AC2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 8c7037280fd77d6838d966e8d728bad0bbf4adb4065e53631b83703fbf57ea80
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 05AC2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05AC293C
___swprintf_l.LIBCMT ref: 05AC295E
___swprintf_l.LIBCMT ref: 05AC29A3
___swprintf_l.LIBCMT ref: 05AFA52E

Strings

:%u.%u.%u.%u, xrefs: 05AFA5B8
ffff:, xrefs: 05AFA504
::%hs%u.%u.%u.%u, xrefs: 05AFA527
::ffff:0:%u.%u.%u.%u, xrefs: 05AFA54E

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 5fb2d7059dde5ea433e779e251f0cbdb80e8187b98a2623fd63f9062e924d160
Instruction ID: 6a544ac73e548c8b30e50cd89aac0e4c0e8765cd983bf5358c2d6229e3fc2281
Opcode Fuzzy Hash: 5fb2d7059dde5ea433e779e251f0cbdb80e8187b98a2623fd63f9062e924d160
Instruction Fuzzy Hash: DE51B9B9A04116BFCB10DB988D94E7EFFB9BF08200B5481ADE5A9D7641E674DE4087E0

Function 05B32410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05B324A6
___swprintf_l.LIBCMT ref: 05B324E2
___swprintf_l.LIBCMT ref: 05B3257D
___swprintf_l.LIBCMT ref: 05B325A3
___swprintf_l.LIBCMT ref: 05B325C8
___swprintf_l.LIBCMT ref: 05B32608

Strings

:%u.%u.%u.%u, xrefs: 05B325FF
ffff:, xrefs: 05B3247D, 05B3249D
::%hs%u.%u.%u.%u, xrefs: 05B3249E
::ffff:0:%u.%u.%u.%u, xrefs: 05B324DA

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 8490ba770e7c1e9f2aa6d6bc40cffa7e691e7f876a80f0669962213c1815834f
Instruction ID: 00882373094453ec85bb98cfb777e4917c79c5121f5ac28c3d052f6b94935177
Opcode Fuzzy Hash: 8490ba770e7c1e9f2aa6d6bc40cffa7e691e7f876a80f0669962213c1815834f
Instruction Fuzzy Hash: BB51F479A00645AECF30DE5CCD91D7EF7FAFB44200B4588AAE596E7641E674FB008760

Function 05AB7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 05AF46FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05AF4725
Execute=1, xrefs: 05AF4713
CLIENT(ntdll): Processing section info %ws..., xrefs: 05AF4787
ExecuteOptions, xrefs: 05AF46A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05AF4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05AF4655

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 88ce9f64384e6dd1451c289f21f5b09896460df659141895ab659579d7e51630
Instruction ID: 5ab9383bbe1477fdc420b8df7e5240517a4e006f8c149baacdc5d881fc81b71b
Opcode Fuzzy Hash: 88ce9f64384e6dd1451c289f21f5b09896460df659141895ab659579d7e51630
Instruction Fuzzy Hash: FA51D6317042197AEF10EBA49D99FFA7BBDFB48300F0400A9E515A7191EBF0AA45CB90

Function 05ACB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05ACB6BF

Strings

0, xrefs: 05ACB695
-, xrefs: 05ACB650
0, xrefs: 05ACB66F
+, xrefs: 05ACB65A

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: e36a65b9d54fceda5457d3b39ec64ae3e0cd66fe6ad9085896e67ec4c2a8ad24
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: DD816D70E4624D9ADF24CF68C452FBEBFB2BB45310F98419DD8A2A7290C63698418B71

Function 05B320E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05B3214F
___swprintf_l.LIBCMT ref: 05B32172

Strings

[, xrefs: 05B3212B
%%%u, xrefs: 05B32146
]:%u, xrefs: 05B32169

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 12633fff53ec0ba0f57b6f1464e39746df06f539ca1a27d1102598f1dcff12b8
Instruction ID: bbb8d7e8e50b114fd4969088eea6193da78c1e1c2ec7502c94b2aae4292a5fa8
Opcode Fuzzy Hash: 12633fff53ec0ba0f57b6f1464e39746df06f539ca1a27d1102598f1dcff12b8
Instruction Fuzzy Hash: 5E21517AA00619ABDB10DE69CD45EFEBBF9FF44640F14015AE905E3200EB30A9019BA1

Function 05AAF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 05AF031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 05AF02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 05AF02BD

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: e33586d2d02e3d3641348443955be00c8628f11d78785fca77ae10b47837eae0
Instruction ID: 3e1839364b7a4f37c8bd1a025f1983e4e6440333b3aef28a7d2750a6020656a3
Opcode Fuzzy Hash: e33586d2d02e3d3641348443955be00c8628f11d78785fca77ae10b47837eae0
Instruction Fuzzy Hash: 43E1BF356087419FD729CF28C988F2ABBE1BF88314F140A5DF6A68B2D1D774E844CB52

Function 05ABBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05AF7B7F
RTL: Re-Waiting, xrefs: 05AF7BAC
RTL: Resource at %p, xrefs: 05AF7B8E

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 4392e682df4996b1a008941ed950430bb02cdbd784e027947bcfa95629e64879
Instruction ID: 9a901203e04d521c07d9bb4c1c1d10358426c7ca7aa3633d4647377b449dc5fa
Opcode Fuzzy Hash: 4392e682df4996b1a008941ed950430bb02cdbd784e027947bcfa95629e64879
Instruction Fuzzy Hash: 8241BF313047069FE720DF25C840FAAB7EAFB89710F000A1DF9A697281DB71E8058BA1

Function 05ABB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05AF728C

Strings

RTL: Re-Waiting, xrefs: 05AF72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05AF7294
RTL: Resource at %p, xrefs: 05AF72A3

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 17922dd1abb420bf5d00ee60a145bb8883f1c702b4ac90e3e54e20e78e8d3e57
Instruction ID: 44d6344137cdb010bd190481b5eeefb5a7c40053ef5fcd9a15832102d6c91937
Opcode Fuzzy Hash: 17922dd1abb420bf5d00ee60a145bb8883f1c702b4ac90e3e54e20e78e8d3e57
Instruction Fuzzy Hash: F541D03170460AABD721DF65CC41FAAB7AAFB44710F100619FA65AB280DB71F852C7E1

Function 05B32300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05B3238D
___swprintf_l.LIBCMT ref: 05B323B3

Strings

]:%u, xrefs: 05B323AA
%%%u, xrefs: 05B32384

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: e2a897aa5b37d4475d8890cfc4bbe24ee702a9568280826516c1c6c54513bb05
Instruction ID: ad774fa2ed5f2b2d4e23ca3fe2af75c7ad78e98d8acfa822bf2f24a481b40943
Opcode Fuzzy Hash: e2a897aa5b37d4475d8890cfc4bbe24ee702a9568280826516c1c6c54513bb05
Instruction Fuzzy Hash: 64317876A00219AFCB20DF29DD45FEEB7F8FF44650F454596E849E3240EB30AA449FA0

Function 05AC7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05AC7E8B

Strings

-, xrefs: 05AC7DDD
+, xrefs: 05AC7DE8

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 57c0ffaee3b858a661275f13a25be984a30232b9b946ec2b89fe8599063a6566
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 2091B271E0421A9ADB24DF69C880EBEBFB6FF45720F14459EE865A72C0D7348942CF60

Function 05A89126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 05A89191
@, xrefs: 05A89175

Memory Dump Source

Source File: 00000011.00000002.2055590273.0000000005A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 05A50000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5a50000_vbc.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 25d6ec6d4cd5ba2cd2296156ad49964b9f25749feabf4e5a0ad732a37c335678
Instruction ID: 374cf2dc5a7e679dac5714617e6eeb871ead83021f77925c5c81df936454237f
Opcode Fuzzy Hash: 25d6ec6d4cd5ba2cd2296156ad49964b9f25749feabf4e5a0ad732a37c335678
Instruction Fuzzy Hash: BD812B75D042699FDB25DB54CD44FEAB7B9BF08710F0041EAA91AB7240E7306E84CFA0

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BL-INV-PL-ISO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BL-INV-PL-ISO.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dZxrrOCj.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gyktmql.t4p.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cbazdhg0.dun.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cn1tgy2e.ph1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n4esw3el.htp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pq2ypskd.3gr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sjycvick.3it.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4ht5npl.kop.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yt04t5bh.pzc.psm1

C:\Users\user\AppData\Local\Temp\tmp590C.tmp

C:\Users\user\AppData\Local\Temp\tmp68AC.tmp

C:\Users\user\AppData\Roaming\dZxrrOCj.exe

C:\Users\user\AppData\Roaming\dZxrrOCj.exe:Zone.Identifier

Static File Info

Windows Analysis Report
BL-INV-PL-ISO.exe