Windows Analysis Report
LisectAVT_2403002A_489.exe

Overview

General Information

Sample name:LisectAVT_2403002A_489.exe
Analysis ID:1482203
MD5:5d8382b97196a915f262105f67522fef
SHA1:d8c9fb5031a4c7ae0a5169a756d948c9b2cb0440
SHA256:ac1952d1b81f90cade1a942f54436df27292e6e6df7d1b7001243a2b8caffbca
Tags:exe
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious sample
Found pyInstaller with non standard icon
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LisectAVT_2403002A_489.exe (PID: 6052 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_489.exe" MD5: 5D8382B97196A915F262105F67522FEF)
    • conhost.exe (PID: 1144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LisectAVT_2403002A_489.exe (PID: 6040 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_489.exe" MD5: 5D8382B97196A915F262105F67522FEF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
Timestamp:2024-07-25T19:27:36.267490+0200
SID:2022930
Source Port:443
Destination Port:49706
Protocol:TCP
Classtype:A Network Trojan was detected
Timestamp:2024-07-25T19:28:14.374435+0200
SID:2022930
Source Port:443
Destination Port:49710
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 91.2% probability
Source: LisectAVT_2403002A_489.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe, Code function: 0_2_00007FF626E106C4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF626E106C4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe, Code function: 0_2_00007FF626E1A48C FindFirstFileExW,0_2_00007FF626E1A48C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe, Code function: 3_2_00007FF626E106C4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,3_2_00007FF626E106C4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe, Code function: 3_2_00007FF626E1A48C FindFirstFileExW,3_2_00007FF626E1A48C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe, Code function: 3_2_00007FFBAAE2A228 FindFirstFileW,3_2_00007FFBAAE2A228
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe, Code function: 3_2_00007FFBAABD3E9A _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,3_2_00007FFBAABD3E9A
Source: Joe Sandbox View, IP Address: 103.235.47.188
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe, Code function: 3_2_00007FFBAAC10A50 WSASetLastError,recv,3_2_00007FFBAAC10A50
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 Accept-Encoding: identity Host: www.baidu.com User-Agent: Python-urllib/3.7 Connection: close
Source: global traffic, DNS traffic detected: DNS query: www.baidu.com
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1561919666.000001A6CDE03000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562294062.000001A6CDED1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1564647001.000001A6CC3E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561592497.000001A6CDE7A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561475331.000001A6CDE01000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1565343994.000001A6CDFC0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562294062.000001A6CDE88000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1565235860.000001A6CDF00000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563186503.000001A6CDE28000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561592497.000001A6CDED1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1565119946.000001A6CDED1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1564831877.000001A6CDDC0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1565177895.000001A6CDEF3000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562389844.000001A6CDEE0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561964434.000001A6CDE0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1565470337.000001A6CE1A8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562951072.000001A6CE1A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eprint.iacr.org/2002/067.pdf
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.drString found in binary or memory: http://ocsp.digicert.com0N
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE652000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1-x64.dll.0.drString found in binary or memory: http://ocsp.startssl.com00
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE652000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1-x64.dll.0.drString found in binary or memory: http://ocsp.startssl.com07
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE652000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, 
libcrypto-1_1-x64.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1565757817.000001A6CE280000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pss.bdstatic.com/r/www/cache/static/global/img/pc_direct_42d6311.png)
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1565757817.000001A6CE280000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pss.bdstatic.com/r/www/cache/static/home/img/icons_0c37e9b.png);background-image:url(http://p
Source: python37.dll.0.dr String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1561919666.000001A6CDE03000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561475331.000001A6CDE01000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562119709.000001A6CBEA6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563186503.000001A6CDE28000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563448075.000001A6CDE29000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561345764.000001A6CBE9A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561964434.000001A6CDE0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1565415015.000001A6CE120000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1565305460.000001A6CDF80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1563005182.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562582697.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561345764.000001A6CBE9A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE652000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, 
libcrypto-1_1-x64.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE652000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, 
libcrypto-1_1-x64.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE652000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, 
libcrypto-1_1-x64.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1562683703.000001A6CBEA4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562582697.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561345764.000001A6CBE9A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1561096856.000001A6CDEF4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1565415015.000001A6CE120000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.baidu.com
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1565415015.000001A6CE120000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.baidu.comP
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1561450804.000001A6CBE77000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562721550.000001A6CBE87000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563005182.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562582697.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563492612.000001A6CBE9E000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560776115.000001A6CBE64000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562011534.000001A6CBE78000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560862228.000001A6CBE76000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561345764.000001A6CBE9A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562094546.000001A6CBE84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1560542297.000001A6CE26B000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560989732.000001A6CE26C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1439210131.000001A6CE1B3000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560521188.000001A6CDEF7000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1439168326.000001A6CE1D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1436131995.000001E4CE1F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1565955992.000001A6CE500000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1436131995.000001E4CE1F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1564831877.000001A6CDDC0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1562683703.000001A6CBEA4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562582697.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561345764.000001A6CBE9A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE652000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1-x64.dll.0.drString found in binary or memory: http://www.startssl.com/0P
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE652000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1-x64.dll.0.drString found in binary or memory: http://www.startssl.com/policy0
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1563339606.000001A6CBE9F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563005182.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562582697.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561345764.000001A6CBE9A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1563228309.000001A6CBE6F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561070963.000001A6CBE6E000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560776115.000001A6CBE64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/openssl/openssl/blob/master/include/openssl/pem.h
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1439210131.000001A6CE1B3000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560521188.000001A6CDEF7000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1439168326.000001A6CE1D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1560542297.000001A6CE280000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562476121.000001A6CE280000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1565757817.000001A6CE280000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pss.bdstatic.com/r/www/static/font/cosmic/pc/cos-icon_99f656e.css
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1561919666.000001A6CDE03000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561450804.000001A6CBE77000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561475331.000001A6CDE01000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560776115.000001A6CBE64000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562274396.000001A6CDE73000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562011534.000001A6CBE78000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560862228.000001A6CBE76000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562094546.000001A6CBE84000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561964434.000001A6CDE0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1561450804.000001A6CBE77000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562721550.000001A6CBE87000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563005182.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562582697.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563492612.000001A6CBE9E000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560776115.000001A6CBE64000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562011534.000001A6CBE78000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560862228.000001A6CBE76000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561345764.000001A6CBE9A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562094546.000001A6CBE84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1565757817.000001A6CE280000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/favicon.ico
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.dr, python37.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1563005182.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1562582697.000001A6CBE9C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1561345764.000001A6CBE9A000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE649000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1567198977.00007FFBAAE2E000.00000002.00000001.01000000.00000020.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1568370123.00007FFBAB3A2000.00000002.00000001.01000000.00000024.sdmp, libcrypto-1_1-x64.dll.0.drString found in binary or memory: https://www.openssl.org/V
Source: libcrypto-1_1-x64.dll.0.drString found in binary or memory: https://www.openssl.org/docs/faq.html
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1423899426.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420357286.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1425107980.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1427936754.000001E4CE649000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibcrypto-1_1-x64.dllH vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1421631412.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1434132379.000001E4CE1F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibssl-1_1-x64.dllH vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1422847646.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1422054562.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepython37.dll. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420055625.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1424389186.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420690171.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420939855.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1421571352.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420780287.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417031572.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1424853798.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420474691.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1419966704.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420404037.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1419931021.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420645140.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibssl-1_1-x64.dllH vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000000.00000003.1424705134.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe Binary or memory string: OriginalFilename vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1569061102.00007FFBAB97A000.00000002.00000001.01000000.0000001F.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1567198977.00007FFBAAE2E000.00000002.00000001.01000000.00000020.sdmp Binary or memory string: OriginalFilenamelibcrypto-1_1-x64.dllH vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1572482432.00007FFBBB925000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1568937892.00007FFBAB962000.00000002.00000001.01000000.00000021.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1566682008.00007FFBAABC6000.00000002.00000001.01000000.00000025.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1568157276.00007FFBAB1E6000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamepython37.dll. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1568639928.00007FFBAB3CC000.00000002.00000001.01000000.00000023.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1570052350.00007FFBABA3D000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1568370123.00007FFBAB3A2000.00000002.00000001.01000000.00000024.sdmp Binary or memory string: OriginalFilenamelibssl-1_1-x64.dllH vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1570286413.00007FFBABB37000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1572751678.00007FFBBB973000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenamevcruntime140.dll^ vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1568760520.00007FFBAB946000.00000002.00000001.01000000.00000022.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs LisectAVT_2403002A_489.exe
Source: LisectAVT_2403002A_489.exe, 00000003.00000002.1572626629.00007FFBBB94F000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs LisectAVT_2403002A_489.exe
Source: classification engineClassification label: mal48.winEXE@4/96@1/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 0_2_00007FF626E05120 GetLastError,FormatMessageW,WideCharToMultiByte,0_2_00007FF626E05120
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1144:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522
Source: LisectAVT_2403002A_489.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_489.exeString found in binary or memory: --help
Source: LisectAVT_2403002A_489.exeString found in binary or memory: can't send non-None value to a just-started coroutine
Source: LisectAVT_2403002A_489.exeString found in binary or memory: can't send non-None value to a just-started generator
Source: LisectAVT_2403002A_489.exeString found in binary or memory: can't send non-None value to a just-started async generator
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile read: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
Source: unknownProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe "C:\Users\user\Desktop\LisectAVT_2403002A_489.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe "C:\Users\user\Desktop\LisectAVT_2403002A_489.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: libcrypto-1_1-x64.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: libssl-1_1-x64.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile opened: C:\Users\user\Desktop\pyvenv.cfg
Source: LisectAVT_2403002A_489.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: LisectAVT_2403002A_489.exeStatic file information: File size 7135477 > 1048576
Source: LisectAVT_2403002A_489.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002A_489.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002A_489.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002A_489.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002A_489.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002A_489.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: LisectAVT_2403002A_489.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: G:\A\3\s\PCbuild\amd64\_hashlib.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418119088.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1569012950.00007FFBAB975000.00000002.00000001.01000000.0000001F.sdmp, _hashlib.pyd.0.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420856229.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1423899426.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: G:\A\3\s\PCbuild\amd64\pyexpat.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1431784679.000001E4CE104000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430853028.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, pyexpat.pyd.0.dr
Source: Binary string: ucrtbase.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1434132379.000001E4CE1F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1570208444.00007FFBABAFB000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420086851.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1423899426.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: G:\A\3\s\PCbuild\amd64\_lzma.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1569946998.00007FFBABA34000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1425107980.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1421631412.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\A\3\s\PCbuild\amd64\unicodedata.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1434813060.000001E4CE4D4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1566415949.00007FFBAABA6000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1424853798.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: -0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420404037.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\A\3\s\PCbuild\amd64\_bz2.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417239699.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1572433911.00007FFBBB91F000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: vcruntime140.amd64.pdbGCTL source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417031572.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1572703015.00007FFBBB96E000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: G:\A\3\s\PCbuild\amd64\_lzma.pdbMM source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418539467.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1418288056.000001E4CE139000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1569946998.00007FFBABA34000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420856229.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1419966704.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb3 source: api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420690171.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1424705134.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: C:\_work\8\b\libssl-1_1-x64.pdb;; source: LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1568294500.00007FFBAB378000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420690171.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: LisectAVT_2403002A_489.exe, 00000000.00000003.1434132379.000001E4CE1F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1570208444.00007FFBABAFB000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420404037.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb3 source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420086851.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb3 source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: vcruntime140.amd64.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417031572.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1572703015.00007FFBBB96E000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: Binary string: C:\_work\8\b\libcrypto-1_1-x64.pdb source: LisectAVT_2403002A_489.exe, 00000003.00000002.1566934604.00007FFBAADBC000.00000002.00000001.01000000.00000020.sdmp, libcrypto-1_1-x64.dll.0.dr
Source: Binary string: C:\_work\8\b\libssl-1_1-x64.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1429358373.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1430208792.000001E4CE175000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1568294500.00007FFBAB378000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1422390930.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\A\3\s\PCbuild\amd64\_ctypes.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1417927258.000001E4CE0FE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1417554943.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1572574237.00007FFBBB944000.00000002.00000001.01000000.00000007.sdmp, _ctypes.pyd.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420690171.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420513993.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1424389186.000001E4CE011000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420513993.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: G:\A\3\s\PCbuild\amd64\python37.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1432935324.000001E4CE81F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1567450952.00007FFBAB088000.00000002.00000001.01000000.00000005.sdmp, python37.dll.0.dr
Source: Binary string: G:\A\3\s\PCbuild\amd64\_socket.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418644924.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1568842788.00007FFBAB959000.00000002.00000001.01000000.00000021.sdmp, _socket.pyd.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1421005079.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420690171.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1421005079.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1420404037.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G:\A\3\s\PCbuild\amd64\_ssl.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1418883700.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000000.00000003.1419173107.000001E4CE0FC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1568496796.00007FFBAB3BD000.00000002.00000001.01000000.00000023.sdmp, _ssl.pyd.0.dr
Source: Binary string: C:\_work\8\b\libcrypto-1_1-x64.pdbq source: LisectAVT_2403002A_489.exe, 00000003.00000002.1566934604.00007FFBAADBC000.00000002.00000001.01000000.00000020.sdmp, libcrypto-1_1-x64.dll.0.dr
Source: Binary string: G:\A\3\s\PCbuild\amd64\select.pdb source: LisectAVT_2403002A_489.exe, 00000000.00000003.1433528670.000001E4CE0F1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000002.1568714595.00007FFBAB943000.00000002.00000001.01000000.00000022.sdmp, select.pyd.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb3 source: LisectAVT_2403002A_489.exe, 00000000.00000003.1419966704.000001E4CE00E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb3 source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source: LisectAVT_2403002A_489.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002A_489.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002A_489.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002A_489.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002A_489.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 0_2_00007FF626E04FA0 MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,0_2_00007FF626E04FA0
Source: libcrypto-1_1-x64.dll.0.drStatic PE information: section name: .00cfg
Source: libssl-1_1-x64.dll.0.drStatic PE information: section name: .00cfg
Source: _raw_cfb.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_ctr.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_des.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_des3.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_ecb.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_eksblowfish.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_ocb.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_ofb.pyd.0.drStatic PE information: section name: _RDATA
Source: _BLAKE2b.pyd.0.drStatic PE information: section name: _RDATA
Source: _BLAKE2s.pyd.0.drStatic PE information: section name: _RDATA
Source: _ARC4.pyd.0.drStatic PE information: section name: _RDATA
Source: _Salsa20.pyd.0.drStatic PE information: section name: _RDATA
Source: _chacha20.pyd.0.drStatic PE information: section name: _RDATA
Source: _pkcs1_decode.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_aes.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_aesni.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_arc2.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_blowfish.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_cast.pyd.0.drStatic PE information: section name: _RDATA
Source: _raw_cbc.pyd.0.drStatic PE information: section name: _RDATA
Source: _MD2.pyd.0.drStatic PE information: section name: _RDATA
Source: _MD4.pyd.0.drStatic PE information: section name: _RDATA
Source: _MD5.pyd.0.drStatic PE information: section name: _RDATA
Source: _RIPEMD160.pyd.0.drStatic PE information: section name: _RDATA
Source: _SHA1.pyd.0.drStatic PE information: section name: _RDATA
Source: _SHA224.pyd.0.drStatic PE information: section name: _RDATA
Source: _SHA256.pyd.0.drStatic PE information: section name: _RDATA
Source: _SHA384.pyd.0.drStatic PE information: section name: _RDATA
Source: _SHA512.pyd.0.drStatic PE information: section name: _RDATA
Source: _ghash_clmul.pyd.0.drStatic PE information: section name: _RDATA
Source: _ghash_portable.pyd.0.drStatic PE information: section name: _RDATA
Source: _keccak.pyd.0.drStatic PE information: section name: _RDATA
Source: _poly1305.pyd.0.drStatic PE information: section name: _RDATA
Source: _modexp.pyd.0.drStatic PE information: section name: _RDATA
Source: _scrypt.pyd.0.drStatic PE information: section name: _RDATA
Source: _ec_ws.pyd.0.drStatic PE information: section name: _RDATA
Source: _ed25519.pyd.0.drStatic PE information: section name: _RDATA
Source: _ed448.pyd.0.drStatic PE information: section name: _RDATA
Source: _x25519.pyd.0.drStatic PE information: section name: _RDATA
Source: _cpuid_c.pyd.0.drStatic PE information: section name: _RDATA
Source: _strxor.pyd.0.drStatic PE information: section name: _RDATA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A188 push rsi; retf 3_2_00007FFBAAE2A18B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A150 push rsi; retf 3_2_00007FFBAAE2A153
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A138 push rbp; retf 3_2_00007FFBAAE2A13B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A0D0 push rbp; retf 3_2_00007FFBAAE2A0D3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A0A0 push rsi; retf 3_2_00007FFBAAE2A0AB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A0A8 push rsi; retf 3_2_00007FFBAAE2A0C3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A228 push rsi; retf 3_2_00007FFBAAE2A22B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A1E0 push rbp; retf 3_2_00007FFBAAE2A1E3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A1E8 push rbp; retf 3_2_00007FFBAAE2A1F3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A1B8 push rbp; retf 3_2_00007FFBAAE2A1BB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 3_2_00007FFBAAE2A098 push rsp; retf 3_2_00007FFBAAE2A09B

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeProcess created: "C:\Users\user\Desktop\LisectAVT_2403002A_489.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\libcrypto-1_1-x64.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\_ctypes.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\_socket.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_RIPEMD160.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\_ssl.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_SHA384.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_cfb.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\python37.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_SHA256.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_MD2.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_blowfish.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\ucrtbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_ghash_clmul.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_des.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_aes.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_ARC4.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_ghash_portable.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_aesni.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_arc2.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_ocb.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\PublicKey\_ec_ws.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_des3.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\_hashlib.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_SHA512.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Protocol\_scrypt.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_cast.pyd
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_chacha20.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_BLAKE2s.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_MD4.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_SHA224.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\_bz2.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\VCRUNTIME140.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_MD5.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Math\_modexp.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_cbc.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\libssl-1_1-x64.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Util\_strxor.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\pyexpat.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\PublicKey\_ed25519.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_keccak.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\_lzma.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_Salsa20.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_BLAKE2b.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_SHA1.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Util\_cpuid_c.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\unicodedata.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\PublicKey\_ed448.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_poly1305.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\PublicKey\_x25519.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI60522\select.pydJump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exeCode function: 0_2_00007FF626E02BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF626E02BB0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe API coverage: 6.1 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E106C4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF626E106C4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E1A48C FindFirstFileExW,0_2_00007FF626E1A48C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FF626E106C4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,3_2_00007FF626E106C4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FF626E1A48C FindFirstFileExW,3_2_00007FF626E1A48C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FFBAAE2A228 FindFirstFileW,3_2_00007FFBAAE2A228
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FFBAABD3E9A _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,3_2_00007FFBAABD3E9A
Source: LisectAVT_2403002A_489.exe, 00000003.00000003.1562155781.000001A6CBEC5000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1563534490.000001A6CBEC7000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560889095.000001A6CBEC4000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_489.exe, 00000003.00000003.1560746184.000001A6CBE97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E13C0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF626E13C0C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E04FA0 MultiByteToWideChar,MultiByteToWideChar,LoadLibraryA,GetProcAddress,GetProcAddress,0_2_00007FF626E04FA0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E1BE0C GetProcessHeap,0_2_00007FF626E1BE0C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E0918C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF626E0918C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E08B28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF626E08B28
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E09328 SetUnhandledExceptionFilter,0_2_00007FF626E09328
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FF626E13C0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF626E13C0C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FF626E0918C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FF626E0918C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FF626E08B28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FF626E08B28
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FF626E09328 SetUnhandledExceptionFilter,3_2_00007FF626E09328
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FFBAAAC3F84 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FFBAAAC3F84
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FFBAAAC3548 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00007FFBAAAC3548
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FFBAAAC416C SetUnhandledExceptionFilter,3_2_00007FFBAAAC416C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FFBAABD48D1 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FFBAABD48D1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FFBAAE2A0D0 SetUnhandledExceptionFilter,3_2_00007FFBAAE2A0D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe "C:\Users\user\Desktop\LisectAVT_2403002A_489.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E21840 cpuid 0_2_00007FF626E21840
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522 VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\_lzma.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_MD5.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_ecb.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_cfb.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_ofb.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_ctr.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Util\_strxor.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_BLAKE2s.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_SHA1.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_SHA256.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_Salsa20.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Protocol\_scrypt.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Util\_cpuid_c.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_ghash_portable.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Hash\_ghash_clmul.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_ocb.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_des.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_des3.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_aes.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_raw_aesni.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\Crypto\Cipher\_ARC4.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI60522\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E0906C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF626E0906C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 0_2_00007FF626E1E768 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00007FF626E1E768
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe Code function: 3_2_00007FFBAAC0A2F0 getsockopt,setsockopt,WSAGetLastError,setsockopt,WSAGetLastError,setsockopt,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,WSAGetLastError,3_2_00007FFBAAC0A2F0
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 11 Process Injection | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction |
No Antivirus matches
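| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| www.wshifen.com | 103.235.47.188 | true | false | | unknown |
| www.baidu.com | unknown | unknown | false | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- |
| http://www.baidu.com/ | false | Avira URL Cloud: safe | unknown |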
      NameSourceMaliciousAntivirus DetectionReputation
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
103.235.47.188 | www.wshifen.com | Hong Kong | | 55967 | BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd | false
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1482203
        Start date and time:2024-07-25 19:26:21 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 7m 26s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:7
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:LisectAVT_2403002A_489.exe
        Detection:MAL
        Classification:mal48.winEXE@4/96@1/1
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 97%
        • Number of executed functions: 95
        • Number of non-executed functions: 181
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Stop behavior analysis, all processes terminated
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes where analyzed, report is missing behavior information
        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
        • VT rate limit hit for: LisectAVT_2403002A_489.exe
        No simulations
        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        No context
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):22016
                                                Entropy (8bit):5.437131874157128
                                                Encrypted:false
                                                SSDEEP:384:0p3KLVilCS9HOxmbUDy3N4vYfjvtddOnGyL36SlH:0ULV9zw4vSB4fLK
                                                MD5:211277A44CAC7C71FA844E9D156B9F6D
                                                SHA1:573C4668088AA8B114F601E0863F6587A59ABA4B
                                                SHA-256:4347B2AB52AF042670BD9DC2AC2F15B2487980E92E523DA0641B8287D8816CE6
                                                SHA-512:F7787B3BEF88C28DCECEF7F6C1D38056EA61FCF22614357C00382BECFBBC1EDDE3BF896CB933076F3BD2E14E06CC9573D32797AE6366E654315B217FC5B336B1
                                                Malicious:false
                                                Joe Sandbox View:
                                                • Filename: 4afbc363.exe, Detection: malicious
                                                • Filename: 4Vp6Xc8SFr.exe, Detection: malicious
                                                • Filename: Nk77hIlehl.exe, Detection: malicious
                                                • Filename: Nk77hIlehl.exe, Detection: malicious
                                                • Filename: Nk77hIlehl.exe, Detection: malicious
                                                • Filename: UQqngcmYAa.exe, Detection: malicious
                                                • Filename: AntiMalwareToolkit.exe, Detection: malicious
                                                • Filename: AdvancedESETScanner.exe, Detection: malicious
                                                • Filename: CX3kyBhxm9.exe, Detection: malicious
                                                • Filename: whatsapp.exe, Detection: malicious
                                                Reputation:moderate, very likely benign file
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):24576
                                                Entropy (8bit):5.555944490067887
                                                Encrypted:false
                                                SSDEEP:384:0tH7LVilCS9HOxmbUDy3nuLIJ4KvYf0IqddOHGyL366lH:0xLV9z0EI6KvSy4fLK
                                                MD5:20B7C6271603BC7C2087B2E589B51EF3
                                                SHA1:1D478B8FACAE3532F3F384FCAF486F9F005873FC
                                                SHA-256:433310A5FDC3DF5F19F905237751156001C69D7805789D6178C6ACBB31E90105
                                                SHA-512:B2D42DC96AA955E92A942F65FC5C2BE964BC6D5EA4CF9F1B6C695BDE3287A960915F84D3CF8B6BA8C224BA6B268D1F3A0F624E139313925A4644A8911D8D159A
                                                Malicious:false
                                                Joe Sandbox View:
                                                • Filename: YCHY8I2odi.exe, Detection: malicious
                                                • Filename: 4afbc363.exe, Detection: malicious
                                                • Filename: yspx-v3.2.25-setup.exe, Detection: malicious
                                                • Filename: 4Vp6Xc8SFr.exe, Detection: malicious
                                                • Filename: Oxzy.exe, Detection: malicious
                                                • Filename: Nk77hIlehl.exe, Detection: malicious
                                                • Filename: Nk77hIlehl.exe, Detection: malicious
                                                • Filename: Nk77hIlehl.exe, Detection: malicious
                                                • Filename: UQqngcmYAa.exe, Detection: malicious
                                                • Filename: AntiMalwareToolkit.exe, Detection: malicious
                                                Reputation:moderate, very likely benign file
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):24576
                                                Entropy (8bit):5.472386215099601
                                                Encrypted:false
                                                SSDEEP:384:0ZH7LVilCS9HOxmbUDy3Ayr9mXEvYfPxem97ddOHGyL36GLZlH:0dLV9z5yrYEvSPp974fLKGL
                                                MD5:3816FAEFB26DCBC3E351DB6AFBD0B774
                                                SHA1:441FC6E3E004FFAE7C038CEDFC26CD624DC8316E
                                                SHA-256:1E20F6D84838619AF92DE88355E9E76996E7346152E9179098AE7A5E72425141
                                                SHA-512:8BB3302FE4983F2B8BE094F8ADD7D1E4F476632581C0E4755D0FB1651DEAC14339AC28DF050C59EA433ACBD9BF6CAF51488466B88FA538FF6593FC2C7D6673D6
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):24064
                                                Entropy (8bit):5.521501530336399
                                                Encrypted:false
                                                SSDEEP:384:0Kn5LVilySNHG1WbcDfi8nJ3G4RBvYfyuMddOrGyL367t:0KLVJb17BvSkkfLK
                                                MD5:ADDD92647204366DF68667E42182A934
                                                SHA1:26A26DAE942C32782A3EA5BDB8AB9BC1529A341A
                                                SHA-256:F54CEBED8650C5274E81A4569708A0346DE560B89F1862DAD0E2CCB0D4D12043
                                                SHA-512:A88F6DEA1DF5DB79984570C5A48BB31555042C3589C8D84A5C930F5EBD1BFFA4B97C3F1C87C77A83147C4F030D1FB01C465622F70C0C694814C1E8BEAD5994BC
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):47616
                                                Entropy (8bit):6.469038537459305
                                                Encrypted:false
                                                SSDEEP:768:0FAp9DqzYFk3m3xAmzA2aXKKJO1oS3S4j990th9Vi8HAbC:0FAp9OC7vKKoqS430r9ob
                                                MD5:E59AE32AF366ED8A93B875517AEE9AFC
                                                SHA1:50230C4FE4A70F0440E0D072703E460DD4C8D229
                                                SHA-256:67DD4F1547145355726E07769BC30BDC5CD7A559F80E3B35CC095E462D2124E3
                                                SHA-512:768C71CB389B300AD2CD2067B43227455AC68D72EB8581543261FDB8652544DC4E0AF56B5180EC4337B870DDECB5BFDA82C1A5234946AB1610D586F2FB2596E0
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):26624
                                                Entropy (8bit):5.534416327058214
                                                Encrypted:false
                                                SSDEEP:384:rvhYRs9JIijn6+B7U2GUK4LsmXB02vbU1UiT5Yf0JciddOVYUyLa5h:rZO0JlTGvIqv1UiVSKmYUyLa
                                                MD5:74754F8EFA859912E8BF19C4DFA205B3
                                                SHA1:B40B5277C67050C843C42EA6DE40333127F0448F
                                                SHA-256:1FE62525DE39118C28C06C5DEE73340B451B1BF5EF989067FEBDAD86F0C20238
                                                SHA-512:8A9122C7505D2DAFE1EFF74F26FA9FABAE638503011AC4AF04F270973BAD080880D611F30E577D748412DCA031D347CB431154E18FA0F882F62EA9CF477B3E5C
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):27648
                                                Entropy (8bit):5.752190960062965
                                                Encrypted:false
                                                SSDEEP:384:0RBfprp4CYnehG7GFM2iHsZ0AzhmB4VzCYfWPBQByddOUDvT1H:0jRp9tFlNMBAmSWJzDv
                                                MD5:C0D82A57A3DB014E2590B3EAB1413475
                                                SHA1:3B469233E7082BC9A8BAAD89E0BE07F34AD9EA3B
                                                SHA-256:DB1ADB0D8476A67471B9E736C249933F138BD08522586243D1BD258A6D19FA9B
                                                SHA-512:77A346E57094735F98E64E547C6724DB7F7B0DD36F63305D348307221F797E357767D489F956843B0403EE30D9FBEF6E048C8607689490F0F6D9164C941275D0
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):32256
                                                Entropy (8bit):6.056714851444524
                                                Encrypted:false
                                                SSDEEP:384:0L3rvh4SY3eRWLEM2iHMMsZAomjRPzCYfPpJgLa0Mp8GKLDddO/LqWBFH:0fJNDPwRPmSrgLa1ADILq
                                                MD5:CCE591EEEA855E374307B20400B828D0
                                                SHA1:7B1D6A9E6FBE51792DE23DEC1AADAE16280B6920
                                                SHA-256:614BCA7E1DDACDD1F13C523218EF0E948828CB250BB56C057821AB8AEB0684A6
                                                SHA-512:2D7C0829E789722C6CA69D19165B3BA0265A485A2296585BDC0075874B9F36663D3E4E0EF0A8E27A275B5C50BC95056BF4C56E21C2F21A459FF3CEF0D23C0CD6
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):35840
                                                Entropy (8bit):6.389705810408885
                                                Encrypted:false
                                                SSDEEP:768:07a9B05ARYOFf3mSAXmrXA+NNxWumKm3f:0W9BkARVf3mXmrXA+N/djO
                                                MD5:5055A838161FED842054259A61D53E5E
                                                SHA1:F5D03EC4A5A773DA1F40B119E0CCAB1B77AFBAC1
                                                SHA-256:C07032D21BACCA699F79F0C8338163F6748FA9AF03FE0212F862AC81AF18CEAF
                                                SHA-512:44780A2AF2EDD144DB902143624ED2EB537E2047EE88286EB11EAB19A39932ADF18D182FE0E143337FED7348110267F9B84839E3444EB152BD92A494909BE9C1
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):22528
                                                Entropy (8bit):5.518844843757674
                                                Encrypted:false
                                                SSDEEP:384:0eH7LVilCS9HOxmbUDy3s/e3ZvYfhaRkddOHGyL36SUlH:00LV9zEvSF4fLKS
                                                MD5:0D0450292A5CF48171411CC8BFBBF0F7
                                                SHA1:5DE70C8BAB7003BBD4FDCADB5C0736B9E6D0014C
                                                SHA-256:CB3CE4F65C9E18BE6CBB504D79B594B51F38916E390DAD73DE4177FE88CE9C37
                                                SHA-512:BA6BBCC394E07FE09BB3A25E4AAE9C4286516317D0B71D090B91AAEC87FC10F61A4701AA45BC74CB216FFF1E4AD881F62EB94D4EE2A3A9C8F04A954221B81D3A
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):24064
                                                Entropy (8bit):5.55312218265844
                                                Encrypted:false
                                                SSDEEP:384:Zih/LVilqSOH6vxbJ3KVFwdc1tvYf5OSY2ddOpKGyL36Mt:0LVwj1MvSTIKfLK
                                                MD5:0F4D8993F0D2BD829FEA19A1074E9CE7
                                                SHA1:4DFE8107D09E4D725BB887DC146B612B19818ABF
                                                SHA-256:6CA8711C8095BBC475D84F81FC8DFFF7CD722FFE98E0C5430631AE067913A11F
                                                SHA-512:1E6F4BC9C682654BD18E1FC4BD26B1E3757C9F89DC5D0764B2E6C45DB079AF184875D7D3039161EA93D375E67F33E4FB48DCB63EAE0C4EE3F98F1D2F7002B103
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):26112
                                                Entropy (8bit):5.583078945456184
                                                Encrypted:false
                                                SSDEEP:384:rFhYBkBJIiYnGdG7GQ2buUK4MHSixS0CqeSbT5Yfp7jddOzURLauhh:rXe4JBri3yik0CkVS5uURLau
                                                MD5:8F385DBACD6C787926AB370C59D8BBA2
                                                SHA1:953BAD3E9121577FAB4187311CB473D237F6CBA3
                                                SHA-256:DDF0B165C1C4EFF98C4AC11E08C7BEADCDD8CC76F495980A21DF85BA4368762A
                                                SHA-512:973B80559F238F6B0A83CD00A2870E909A0D34B3DF1E6BB4D47D09395C4503EA8112FB25115232C7658E5DE360B258B6612373A96E6A23CDE098B60FE5579C1C
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):69632
                                                Entropy (8bit):4.618845285664457
                                                Encrypted:false
                                                SSDEEP:384:LWrBjAwuukfq5nnE/IOu1mLsH7Jfwx1dK/aHk7nYcZiGKdZHDLbUdzRYfOrZMruD:MjuukCnKNu1S+taH1HUdzRSu3v
                                                MD5:3F412D2368F37E25F1218BCA9E54F3F1
                                                SHA1:1CA90ADBAB069418D215FED6CDBC7B71DA9B7550
                                                SHA-256:71C70C515D810C8FE3E6EF2BB1A4B26519849C679C736F1FC17E83CD525C65B4
                                                SHA-512:84906054C30E020087F481DAD9358CB50B65848845EFFA85740009C94087D00CFC09DE56DD297E3C9CDED1B1CBD225EC7C6F963CD2E80AE5D796E3B395E90AE3
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):70144
                                                Entropy (8bit):4.650657792374867
                                                Encrypted:false
                                                SSDEEP:384:XiG9Ee6elf6InXEWfhOFm7sn2O5PZo9weFX/FHkPnYcZiGKdZHDLqDaFdjoYfer4:SDelzXzJOFC+ANFHZWDaFdjoSdDqe
                                                MD5:02DA7BD57BDBE809295E77115A4DE3F0
                                                SHA1:CE4C81FC7F20170A3AC9EA0C36BE2F06E289062A
                                                SHA-256:C9CE943634D2F0F88EFD33C57E1FB99756CC8D543ADE1A35ADB954EA5F882C89
                                                SHA-512:19B42AC5A9D01660FD12336DA6F064550E5C1AD91EAB4288B884D93C888A74D235D01C46B0391E7249D32940BB3043E71E9060F9527A2CC1A3BF6EA1CBF0DC73
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):22016
                                                Entropy (8bit):5.316209945797911
                                                Encrypted:false
                                                SSDEEP:384:z8H6sZoaIHcvaGbwTB69j5iYSvYfw1+ddOlXol8H:oZfSvRvSwQs
                                                MD5:ADE53F8427F55435A110F3B5379BDDE1
                                                SHA1:90BDAFCCFAB8B47450F8226B675E6A85C5B4FCCE
                                                SHA-256:55CF117455AA2059367D89E508F5E2AD459545F38D01E8E7B7B0484897408980
                                                SHA-512:2856D4C1BBDD8D37C419C5DF917A9CC158C79D7F2EE68782C23FB615D719D8FE61AAA1B5F5207F80C31DC381CD6D8C9DABD450DBC0C774FF8E0A95337FDA18BD
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):33280
                                                Entropy (8bit):6.106847466216386
                                                Encrypted:false
                                                SSDEEP:384:0O3rvh4SY3eRWLEM2iHrPtPEbNv37t6KjPczCYfPpJgLa0Mp8qt3KddOfLqKFH:0kJNDeVsbxwKbcmSrgLa1rkILq
                                                MD5:56EDDD9B0D6FDFB52AC052F673916838
                                                SHA1:45BC92939A73307F3607B6C162F2B5701D8CADC9
                                                SHA-256:066AFBE5DA01C01E6D9155877946C19E2FCB39E857826D4869149A36BBAFCE9F
                                                SHA-512:8F10B73169B3FD997EEC63EDCFDEEB4854C97ECA4FDDE43836882AE1128ABB1307342DB5F92B538A85A6CC122FDD1C4F0ADA13D7D9251D1844BC7A4DEB0B7F80
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):29184
                                                Entropy (8bit):5.617779825782902
                                                Encrypted:false
                                                SSDEEP:768:PoxWpACOXBYBjsB3Tcb+QcOY4xmSQLLa:uWpAC6YBjOTdQo4xmNL
                                                MD5:0F822EEDD33A1834A9FEB98453DF0364
                                                SHA1:F3590124F72F3982076B2C9730BD18D2A106CC0C
                                                SHA-256:2B4C6F82C9406C7763A0A064E99E5CBCFFF8D71C3B6C9BE28009341DE3B98EB9
                                                SHA-512:D8B1C0AAE3D1897506650564A0EB48241018F8B5A039BE11E0F538856A80AA8FC6DFB842D3C132A7812FA6E6469417ADC4D00CB6D0BC7281A58ED125DDC339FB
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):22528
                                                Entropy (8bit):5.509402286368744
                                                Encrypted:false
                                                SSDEEP:384:0OH7LVilCS9HOxmbUDy3i4OvYfghfddOHGyL36olH:0kLV9zjHvSW4fLK
                                                MD5:B894480D74EFB92A7820F0EC1FC70557
                                                SHA1:07EAF9F40F4FCE9BABE04F537FF9A4287EC69176
                                                SHA-256:CDFF737D7239FE4F39D76683D931C970A8550C27C3F7162574F2573AEE755952
                                                SHA-512:498D31F040599FE3E4CFD9F586FC2FEE7A056635E9C8FD995B418D6263D21F1708F891C60BE09C08CCF01F7915E276AAFB7ABB84554280D11B25DA4BDF3F3A75
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):25600
                                                Entropy (8bit):5.612562183800439
                                                Encrypted:false
                                                SSDEEP:384:0+Bfprp4CYnehG7GFM2iHOVZcVVUzCYfsJ7M/vddO0Dvc1H:02Rp9tFffkUmSs2/vzDv
                                                MD5:98118ABC334CB34FE01E6D13BBD7A45F
                                                SHA1:DB059D258D76F97C6CFEF8B0D251956B244D76D3
                                                SHA-256:2A405F338B9E7933C4383E086BDAF0E6FA589320EEF9DA6A9A2E3B00D9A1D3FD
                                                SHA-512:07B04B907A1453017BB6987EDB06CCF5889EF5AC7B26295B16A56E32A4CDA05A93BA5AD3817BC913EA4ACA0C16C71C95900D78354993EB1E6387D1F3ED4D310B
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):25088
                                                Entropy (8bit):5.621563536249682
                                                Encrypted:false
                                                SSDEEP:384:0+XLPBilSYcUOB2rUDy3xid3399xvYf205//AddOqglkMhVH:0UPBL5Tfd3VvS7oqR
                                                MD5:96789921C688108CAC213FADB4FF2930
                                                SHA1:D017053A25549EBFF35EC548E76FC79F778D0B09
                                                SHA-256:7E4B78275516AA6BDEA350940DF89C0C94FD0EE70AB3F6A9BAC6550783A96CAD
                                                SHA-512:61A037B5F7787BB2507F1D2D78A31CF26A9472501FB959585608D8652AF6F665922B827D45979711861803102A07D4A2148E9BE70AB7033ECE9E0484FE110FDF
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):25088
                                                Entropy (8bit):5.599020918158223
                                                Encrypted:false
                                                SSDEEP:384:H2tcMPBil6IcUmNGr8TKVFFUp8pUp8kcRy99RvYfcI9iddODj/pd:sPBzt7xpHpjvSI0j/
                                                MD5:D488F7894719C864799DDF94986FBCCE
                                                SHA1:EEDBC57E8006822E56662EEBD77F8537771D6310
                                                SHA-256:F122BCE2A7E78B10803F738B15B21B78324C913904EAC0E998A3B7D385D11AD0
                                                SHA-512:30C02D4CD6A7F8D71BA51B7B747264A849B46233BCFCA8FAD9A76EFDB3817340D32FDB6F9A5D152BB574A51E4509ECE35851DF241688EB71466184715A5863FB
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):24576
                                                Entropy (8bit):5.623788421562667
                                                Encrypted:false
                                                SSDEEP:384:1GC0LVilqSNHG9Wb8TKVFppap8T0Ncp7n5+p99RvYfOImddOHGyL36Bt:iLV5bIMOT0ep75svSgofLK
                                                MD5:9077CAC73D2465BC76DA6C37DAD4E819
                                                SHA1:51B096F625278F7150789E9273506595AB56BDA8
                                                SHA-256:B31F7E349AE1DB9E9370AA1682FDDB6865C2C3696FC779EF121394C62BA59958
                                                SHA-512:E5DDD8B8A80263197FF7F921F2E49C301F4CE851B9409E49B6C8317207347D1251B09A5E695998C662E3131F908AD5711191ABF3B250D4F386D612D6128BEA57
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):26112
                                                Entropy (8bit):5.77493158743724
                                                Encrypted:false
                                                SSDEEP:384:GABQx2PB46ocUvOdmrFo+67bndwuiDSyoGXzCYfMGfghMiddOJPpLait:GZx2PBzciuyndwuiDScXmSSMiIPpLa
                                                MD5:EE1DF33CCE4E8C7D249C4D6CECB6E5F4
                                                SHA1:4383AE99931AA277A4A257A9BCCF3E9EE093625C
                                                SHA-256:867D830E7C3699DF4FA42B0791C0EB6AB7BBA0B984549C374851BF5CF4981669
                                                SHA-512:FCCBC4B18BB4BC65135E6A4C73AAABC5093F4B143752A3A03488B06080970FF3531C4C85C6EA9D3922E1AEFD852B2B60803F2AA45C84E6620A999500BC4D5099
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):24576
                                                Entropy (8bit):5.595808069434089
                                                Encrypted:false
                                                SSDEEP:384:0tXbPBilSYcUOB2rUDy3eG6RDmnsOO1etN64vYfXxCn3GgddOSJk5VH:05PBL5Tv/knvO1etN64vSBlghe
                                                MD5:AB5291313135DC88DF4153AFEC954E33
                                                SHA1:FAE853174E0899E1DBC4D717602AA471E1806F65
                                                SHA-256:FEEA8DCC4FE7997556C911A2D68217A602E7DB644568413589C80871143246FF
                                                SHA-512:CA0A715E33C6032BCE47A01BF854DA9B2CF2F84878C645FF85F3BFC29AC5B5CDFCA97923750257B30F7807B727FC4310EB2B39E8499C569EFE137A29098E583A
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):28672
                                                Entropy (8bit):5.922734358637013
                                                Encrypted:false
                                                SSDEEP:384:dABQx2PB46ocUvOdmrFo+67rHQhbQAZUUw8lMFhkzCYfkZQBAhddOp+aLaEt:dZx2PBzciueHQ2iw8lkkmS1AhI+aLa
                                                MD5:86E685735FA7CDF6BD65A2F91C984AD6
                                                SHA1:F4695A35D506486F17D66B567AD148DE8968B0A5
                                                SHA-256:43D2B19A5BF18232EC7B182DD251C3E0DFDA9A8951F849916F9A31143EACAD73
                                                SHA-512:12B8CDF71A3D99FDEEA85A6751955505DC962D48E2EC04578A7C8A7DE414291DBC3EE72EFCC2596A7E0B55D5FFB3BFB13392E25C84A173CFC3E5EAA47A0F7FA7
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):32768
                                                Entropy (8bit):5.996407203220532
                                                Encrypted:false
                                                SSDEEP:384:SRjuvh4az3682LJXHKVlYnJHXVgaqvYHp5RYcARQOj4MSTjqgPm3YfKOjeVqRRR1:UupbiXUMHXSZYtswv+SKWofjf
                                                MD5:A5F8F2C76FCC40EAE4C2B5646B2E5237
                                                SHA1:A047B8BA31F3ECE06BE069F6B97D5D6B0ACED4D4
                                                SHA-256:682014CA8503397E2B5189A52C1D39CE953A1D2E23691C2A0D744FF60571CD75
                                                SHA-512:356075655B745FFCEF2032661A4289C60CC35B04B571B7DE78F3047C47BA28B120FF8BE51650BFB311B463021417721E8662A50743D77428244DA6C5B5B0F2A7
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):32768
                                                Entropy (8bit):5.99790460810446
                                                Encrypted:false
                                                SSDEEP:384:jRjuvh4az3682LJXHKVlYnJHXVSaqvYHp5RYcARQOj4MSTjqgPm3YfKpeVqRRRFN:FupbiXUMHXUZYtswv+SKHofjf
                                                MD5:146239634A5FD6C8AF1DE1E3B0E063BD
                                                SHA1:B61D62D9E751F08094B9FDF4354DB0BE17828A08
                                                SHA-256:447E3DA0363159EB7D6B309A780DD5AF66C3EE274F4B24FECCDA14E65C397A09
                                                SHA-512:F49B10D68811AD728B68C1A5C09B43FB5C4B90F07CAC537C4FB2DD78CD07C5843589BA0E2EC3E11A927C47134F46C267827E5B1F61D00885E007E4B410EFC08B
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):37888
                                                Entropy (8bit):5.981100447884048
                                                Encrypted:false
                                                SSDEEP:768:FIepryR912fjsui0gel9soFdkO66MlPGXmXcEFoDoSt0o9ow9Z:FTprQ2Mu/FZ6nPxM8colzw
                                                MD5:C9B48E32A16113ED813D35F092FD01B7
                                                SHA1:E58F603D4130FA14F7D43A06A5D3669518A634FE
                                                SHA-256:C8AA272A2D0D976E7E9F57650E14FE85F20EC183F771C63EFE193CF44803981D
                                                SHA-512:DA7E7C1CB4DE9BA5519F6B82A0537E40C1931EA5CC739764007D64B050B3BEBE736BF0BB1AB6B552F5113FBABAD9FB104D1C332D51023EF5D41370543FF67C44
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):37888
                                                Entropy (8bit):6.021785541208152
                                                Encrypted:false
                                                SSDEEP:768:7Yepryx9Xmgj2ui0gel9soFdkO66MlPGXmXcU4WoStRakoZ7d:7jprOmZu/FZ6nPxMBWo1hZ7
                                                MD5:442D48D2230CDEBE645B74527575930E
                                                SHA1:AC214627082AA6F2230CA27DE3AECCF95BD8AFEB
                                                SHA-256:894C4C2F8D75419AF5B2A5875491D848D6025E5400E97E215022282A159C66F4
                                                SHA-512:802AC48213BF19A66C737A92A6DF6E57DD458F8E17FF37F01500C16E03A82BDEF885BE288273ED2281D460991D5ACF6809C8E54BE9BD883445A480A3C4627C36
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):23552
                                                Entropy (8bit):5.556437037119378
                                                Encrypted:false
                                                SSDEEP:384:C3FU5oiIHcfiGbhHoiKTs843PGYfE0J2ddONHolq:F5H6KMKPGSEu2c
                                                MD5:29C4F0E90B6D9D4B7CBA22B9E521E132
                                                SHA1:59904785459B4F64282BD51F7157AB935A29E8A8
                                                SHA-256:7DB2D4B4493BC364F59BB0704B1607578A82EA177889872AB6C22206BFC5B105
                                                SHA-512:41E9D4B93B0A39DFA70072E7F3653AC9A8350BD977B8A08F5AA64EB078ECEF17BF00D1028F1BB9C693279494B20E5F8ACD229EC51238D9A0506200E9489137A6
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):24064
                                                Entropy (8bit):5.543151216026751
                                                Encrypted:false
                                                SSDEEP:384:0lH7LVilCS9HOxmbUDy3/W5l4wvYfKu2ddOHGyL36TlH:05LV9zn5qwvSW4fLK
                                                MD5:3D79007047F9400CF5F4E860AA16B1B7
                                                SHA1:147E840CC7982842EA8B6F7FD612280404E9CC6F
                                                SHA-256:0CFF345186087EF40D384D656D9F0635098B3F934DA6115A39BDC6B607FB483B
                                                SHA-512:96C4EFBB2218C6DDFCA4B88B5905870D543BB6E77A2F127F754880598536CC1FAC1ABDE8ECA35FF3BEC4B53DB4D744F1053D87269F1FCE8F55654EE1FB6222EF
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):27136
                                                Entropy (8bit):5.552382250226478
                                                Encrypted:false
                                                SSDEEP:384:iJ4rExup4KjnFKB77Y+67fBRskTdf4KWt1YsytzCYf+vMddOtWNz7X9:i9xup4doRl5QktmSJuWB
                                                MD5:D5D79B1A243C58D352DE280ED7C5C5DB
                                                SHA1:BD58C35A1C8CE33103A10BA27704425B6F6CCC75
                                                SHA-256:24BA4D92B3923F90A71F2EEB930FA6A80342761BFE5993BF63D2AF4AB25DE3AC
                                                SHA-512:9F727499EA0776E5933FA9674138F6844D141BB41E1B84D7538A19EBBD28543C874F79F5F44D26B2A503DF4044C23F0B12E45D72B091EC2C35F3AFB6302DB1CD
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):26112
                                                Entropy (8bit):5.56741100739094
                                                Encrypted:false
                                                SSDEEP:384:yRnxQPB464cUv6WraQ+67uJKFcLEgczCYfwlsdddOARLaAt:cxQPBD1xtGgcmSrpRLa
                                                MD5:1B091BBE12C85F8BB77ADEA18BBF75EF
                                                SHA1:0F698884C49B1472D49D363381D413FA39DC6330
                                                SHA-256:9490C5CC3ABF87EECDE8311359F4B2002DF06F5536F44F4E0D9CF8C92DBA56B2
                                                SHA-512:0707F6A7B20D45641AB19171801D74D333B3E0146DBC07F36DE4450F2B02D5CAD593A1890475756A144C17C8C2D2ECD6B805F5E92AA5D0E2E8397672A3056129
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):47616
                                                Entropy (8bit):5.974134058590261
                                                Encrypted:false
                                                SSDEEP:768:JaOtqRxgDSPP3KVS7rPAvQ/zf27CwpMg/LRtiyrypSpTkqfk47F:JjtqRxKSPy877AvQ/zfJwpMgDRtXrypQ
                                                MD5:D63849CFD1F48280E55784F3F5CAA8B5
                                                SHA1:263EAD6D76417A6D26F8FED50E4C43628E5EE789
                                                SHA-256:1326490AEF0748DF1DF5E65BB281BD492A70A1C2DA3100C900C58202E3F4EAA8
                                                SHA-512:3A7D83AB4C85DA8243711E2F125F920441E9D542DC460F7155AF76FDE2052459B2A5525DB86F9DED347B61C76E874C6FB8A0E907415B475CF523829C942BBB90
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):23040
                                                Entropy (8bit):5.443197243908528
                                                Encrypted:false
                                                SSDEEP:384:KLGRpLVilqStHG92bcTKVFaTA64DvYfU60FddOtGyL369/t:KcLVZbteDvSGSfLK
                                                MD5:88F9F06E84685E880D7EF809637C17CC
                                                SHA1:E6FA1837B0BAEAD4EDA132D3B7988E7CD4286BDF
                                                SHA-256:0550731CF26FCFCA74F7E56FADCBE83589D9C894B0136984ED89BDCBFCD9E22C
                                                SHA-512:974442F2CD8E30D1E42D701C49C1E80E597D19412E667EC631ED67097E10118EF460BFBE348285D6E0DBC3919C3D5D5A3F1034144F22AB50130320A6A2DD42FC
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):766464
                                                Entropy (8bit):7.612617892316949
                                                Encrypted:false
                                                SSDEEP:12288:Uduan6fHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6hh:+uM6fHoxJFf1p34hcrn5Go9yQO6T
                                                MD5:7BE1C79459BB9150616BA918037901A2
                                                SHA1:4460FF80D5E8BBA18E83F29B917F0CC3345BDF28
                                                SHA-256:21D62E3B54C9701C3108586CAD56430B39406B2376431B57AF48A2C7FE51E8FB
                                                SHA-512:BDD30A33F37BB61DE50F9EE74231B7631B10CE132A69EFB7AF5AD7B61F6CC6F76ED9B8339323773DE47072142A19F3F1BF41752032DF0346B9229F4D8FBB6F38
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):39936
                                                Entropy (8bit):5.984156290711925
                                                Encrypted:false
                                                SSDEEP:768:9epQjhCfM0Rc/6IrW9+mvyaXCJtISyoSYCTfrfh:9epQ1CfnK6Ir8+NaXCJtIo2
                                                MD5:A26A5E587922233E0D931CCE20186E86
                                                SHA1:40C3DBC79D5842979C31B0371B7F57D92E1099AA
                                                SHA-256:EBDEC32A452FE1CAFF0B9BCD61F74C74586543A06A1097FBBA7777A1AABFC421
                                                SHA-512:81E32ED2C38317564D3EC11C2D94E0A12EB433EEF4CE42481E918292BE3744E7925379BB93356EE8C31F3B7635A8D0859CD6FB60176F334FF4D7073DD1769D2B
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):80384
                                                Entropy (8bit):6.09591311172981
                                                Encrypted:false
                                                SSDEEP:1536:Zs2CUIBLZP2Iafnih15We6hoQ2QhJVT5rdhGk/7QAvQQzZ6CvYyF:Zs2CUIBLZP2Iafnih15WkQ2+JVT5xA6b
                                                MD5:217811EA19B08F934FABA8064CFB7357
                                                SHA1:7EAD53AF2DE58E4AAB8CC6CAC908959B2EB8EF11
                                                SHA-256:EE55E86286FB3E1994D5811564A9E2A45E22DE7EBC87E78D78DA3FBDEDEB55CA
                                                SHA-512:35E0A758536BB6A64AA8CA77FFB6394E56C9367FE6BD918983D81012CF0353DAFEA1E234C3DF9D42BC4F1E8CFC54F6008A8A937BD1099AC12C58C602A1344529
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):21504
                                                Entropy (8bit):5.3676985825025145
                                                Encrypted:false
                                                SSDEEP:384:J8H6uZISIHcvyGbgwoicBiUvYfGJ2dQ7ddOZplol8H:sZX6PnvSG2dsUl
                                                MD5:0D74A82E22DB00D564C1BDB08CD5AAE9
                                                SHA1:C48292A0F28DC562BA0B77A64ECE7FCC55F6EB64
                                                SHA-256:C851B0E527B85D9A433B3C56BA7D4A335EB4FCF09783C2E34F4E66930C6EF434
                                                SHA-512:B30AE1839ED13C35D4789E1BFED6A45D1ACDB0EA7F37584ECDE11413F3E14086D0C94910D418D71467E4C6E2D0B248A1AD18591C0435710EED5CBF4A29C910CE
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):22016
                                                Entropy (8bit):5.306077176629384
                                                Encrypted:false
                                                SSDEEP:384:u8H6sZoaIHcvaGbwTB69j5iDKvYfONPNWddOlA3ol8H:xZfSvovSONPoL3
                                                MD5:74E71D7D3E54A210999E0972FF38A0E0
                                                SHA1:4DA7CFF4C9D4EF1A844934098EDC6D2B565CB9E3
                                                SHA-256:1105D31BA776F1421CEF3B58FE54E00CFF1C71CC041038B36ED342F884616A37
                                                SHA-512:51E88325F8F0491D0E166E4BFB9389C6D3E090C23307AAAC9F9DB5B5E9DDFE3159EE492ED23FBBC4806BDFC7EC981F1DD73EBF5C3DD4A5B926BF1D0695402B60
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):22016
                                                Entropy (8bit):5.287150044942797
                                                Encrypted:false
                                                SSDEEP:384:t8H6sZoaIHcvaGbwTB69j5i2W6vYfWdBCddOFjol8H:+ZfSvMvSEA0
                                                MD5:8070EB2BE9841525034A508CF16A6FD6
                                                SHA1:84DF6BCEBA52751F22841B1169D7CD090A4BB0C6
                                                SHA-256:EE59933EBA41BCA29B66AF9421BA53FFC90223AC88CCD35056503AF52A2813FE
                                                SHA-512:33C5F4623A2E5AFE404056B92556FDBAF2419D7B7728416D3368D760DDFDE44A2739F551DE26FA443D59294B8726A05A77733FEE66ABC3547073D85F2D4EBEEE
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):89752
                                                Entropy (8bit):6.5021374229557996
                                                Encrypted:false
                                                SSDEEP:1536:EFmmAQ77IPzHql9a2k+2v866Xc/0i+N1WtYil42TZiCvecbtjawN+o/J:EQmI+NnXertP42xvecbtjd+ox
                                                MD5:0E675D4A7A5B7CCD69013386793F68EB
                                                SHA1:6E5821DDD8FEA6681BDA4448816F39984A33596B
                                                SHA-256:BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
                                                SHA-512:CAE69A90F92936FEBDE67DACD6CE77647CB3B3ED82BB66463CD9047E90723F633AA2FC365489DE09FECDC510BE15808C183B12E6236B0893AF19633F6A670E66
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):89104
                                                Entropy (8bit):6.407285534031399
                                                Encrypted:false
                                                SSDEEP:1536:We1TI//Ka3qS3zhV4k3oVT9Pb87DzK2/40Tt2lI14V6yL:Cr93bUA7DzH40TclI14V9
                                                MD5:E5BA852CB53065389044FE34474A4699
                                                SHA1:D14401C170BE8F73DE67CFC7EA414DFB1C878AE5
                                                SHA-256:690BFD170E038B7B369EB4E4E32621823B1050D895BAE3EF538C6382CDC1B2B0
                                                SHA-512:C6DB73A39C563AC8395214BA1FA9807542B228EBCF6DAEF9E5478BA99ACFCD8DC3D4816C68C51128BB421E8EE2F4625EC24FBE1EF2D268EB01CE09C37ED27101
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):133136
                                                Entropy (8bit):5.96143766535051
                                                Encrypted:false
                                                SSDEEP:3072:hFHggvfQuiAnxL3RIF5Hfbr/IHWfxI1VPm:sgvZnxhw5HfbroKX
                                                MD5:9E18ACA18E4ECE1C187F8C0CD12A5C8F
                                                SHA1:A8BA36A9EEA969D722A9AE90139D4D59F643F951
                                                SHA-256:3351627469EA8965B08BAFC9DE18D1D890479357DF6BC8917F7218535E02F211
                                                SHA-512:237B0EF23D0A91014581B94F5C7696DA1AB3C1C3A51F6FFE10787C65DC4F5A90D1760E4088AFC9ACC27BAE7F159A32FA3E7A9B15DABA5950751932683E9373B3
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):38928
                                                Entropy (8bit):6.0018953028507775
                                                Encrypted:false
                                                SSDEEP:768:LyfxGZvTTsYrKDL2M8sQkfW4B354BzBtI1sIZWDG4yuD:LczDtlQn4B354tI1sIkyuD
                                                MD5:E2F401C211FAB8C5E1517764E9175616
                                                SHA1:7497EB47B63435D60E7D1BF20B2C946335E6671E
                                                SHA-256:76FB36E23B8F6821CAEC61C49F90B194632E68C9C78C9EB1F2E668C1B6383A73
                                                SHA-512:1312EAA7CC46B774392AE9E588C41B104EDA43703E48E5B13702E15DA665C0E5CC8E21B4011141C63811CD366A0D5773FF26C40C27159B80486BC491EEF450A9
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):257040
                                                Entropy (8bit):6.057241969050838
                                                Encrypted:false
                                                SSDEEP:6144:b1Z+5O2V+S+xFBw2bAqNNbkh/aO/h4wSbH6qxNIk//GOHh+w6bkqZNnkn/hOnhAe:b1c+vibONWtsojyk
                                                MD5:C7BBBAB8B4764C1C2BFD480DC649653C
                                                SHA1:A5226B44FD42F39948174FAB8B6BA5999104D831
                                                SHA-256:96205C0EFBFBC282D3F4B76F8F2F189A409F365DBE9A9A088351A2906B18CD36
                                                SHA-512:AAD92EB554AF4A99647C770F8A0E988DA78542DF348E89B740F5F777B5ACD992A896C9790598C2C9DF35A4167347653E7B337AC98258B9C878C710582E7C21DA
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):75792
                                                Entropy (8bit):6.114596878434899
                                                Encrypted:false
                                                SSDEEP:1536:GVFrxwZGYDFl0gR4wYJxaC5/hEdVJ/n+gDgOKMxI1Vwny9:GfxwZGQFXOw+xa2/h0VJ/nRDgOKMxI1/
                                                MD5:9F0683EB56D79D33EE3820F1D3504CC2
                                                SHA1:0BF7A74E9040BB7FFDA943FFEF531520A9F419AF
                                                SHA-256:39612C28EEF633EEF7E2E2C83A779FDDA178D043D7AEC0A07890E5D2A11CF4F8
                                                SHA-512:F086CC899B517ACE259D27C048DB5846552A7A8E57DDAD4D6EA0B25B45E52282979309CEA56BB56312AA83273B61F78B25B1AD6A61B6B3DE33F5980C81AE6F32
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):123408
                                                Entropy (8bit):6.038086696060466
                                                Encrypted:false
                                                SSDEEP:3072:6+pD95bOVTh4zYjk/dm0W/Xpi6EPQN+7cmlI1473:xp55bOth4zYo/dxW/iP
                                                MD5:A7FADACB8F4FF72A26F1CCBCFCDC33C1
                                                SHA1:E73311CCE41F1DE6E01E13EF5745FEBF37FB3193
                                                SHA-256:B8232C839E99A3701657FE16F245E0AFCA2F269562682EB1A3468C47D07AC5CF
                                                SHA-512:A486A2C9FA2CF8A8B8C609A9F4D132C55C39DABCC1EA20455A27E23395515881C9CD396416796762777079AAE6C6673DC9905BDCC92FF13D93E7E6C2A06403FE
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3584
                                                Entropy (8bit):2.6628617474172764
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsPfiQnzhUag9ijUW5V2dCt0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yNDVqif5VG+0GIZWUnfBI56h/5Wwa
                                                MD5:3127E73E09B2F660DBB1B6A3E23159CA
                                                SHA1:D121DE4D3CC1788317015F61B3ABCEA651830C2C
                                                SHA-256:A3DB4ACA7B1BA6F802DF24916F086E4A803093FFB29F8902C18B8A09AA18DDCB
                                                SHA-512:8DAF52FDDB4066FD4106FAB0C1C34E7BAB4522230090242783ED1838A49DA3DE9453C4CB8379C03112B9C1D353CC3C32E0EEF20890429F62209082ADE9464CB5
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):2.882197047443729
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsYKfi8i6XMLadivMCt0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yND9i1aQM+0GIZWUnfBI56h/5Wwa
                                                MD5:727E82D02106289000923BEF8916771B
                                                SHA1:5E5EDAD1487E1553D8017F49B54289162ED3A516
                                                SHA-256:93EBCE911997392650AEE0F22B72687787C55C7A4A731724A58C45DC3E1F6CC6
                                                SHA-512:EC8A3FAA00463DB6BF24E7CB764FD6A17F4A3DF4CD21810EEEF5F2684C0CAB0C1CB2BAFB5074FE3641CFEE2814E0DEFA938FC9A881ED7DBD5C1B34EDE9858946
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):2.88260639419467
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsYKficNdHd1LDZrt0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yND1vd51p0GIZWUnfBI56h/5Wwa
                                                MD5:2882B2BCD74B4D79E21F5349DA2931BC
                                                SHA1:EBEAFF6F40EA6148193A9CC3368E8D9894FD53D4
                                                SHA-256:DCAFA02C5E11D38C590754EE6A23DC65C3342308BB28435EFB75DE914F2B3652
                                                SHA-512:3D8E97F67217ED52C60B0FB871E2D0FA163FE1A1FB42C2888813D496FAE9EF621F8DAEED7984F8368D3B6DE45857013DF5D77E1694CFD5F4D95BC219BEF82FD1
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):3.122640357315768
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsmfiL3YmDU47v7mt0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yND93YmJDu0GIZWUnfBI56h/5Wwa
                                                MD5:94671F5B4C8CBAAA25B6948B9AF8EACD
                                                SHA1:71AD4F949F80EFCA1BB493F6678C8AFEEB923646
                                                SHA-256:5EB1C0679756B46C57ACAF600246CEFF260B88F602215E4A94231EF0C30B0AF7
                                                SHA-512:10247A1F40F429EF22B68C51C9DF4CFF7C64F79FE09485A1A7F4FD6FD3F9B13801F6336ED6A7C1804918DC1E78660F6F4126C8052BFC0CFF15906C941BBEE12C
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):4608
                                                Entropy (8bit):4.055566723347685
                                                Encrypted:false
                                                SSDEEP:96:xNLrSSLH7v0xB9EiEsX0/Fj6a0EW4UohWw:GgbvLFmMW4UohW
                                                MD5:AA766B098462EFF6F0F129B5C6EF1C5E
                                                SHA1:3BE25B0D330586A08C317D97EA139D096B35B0B6
                                                SHA-256:34790E8F47A8F478A4BA4F89695CEA1BE64D16FF416542EC3036ACB5633009ED
                                                SHA-512:3FD9E39CD161E164C9C3F42140A5659F516416985238F93C97BFA9079AB203CD7F920C675FC891FDDCAB683C52D876838CB623C26D7A3C8B7A0C1799DCFADA11
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):4608
                                                Entropy (8bit):4.150522550420316
                                                Encrypted:false
                                                SSDEEP:96:xNUEI/Sqv0pB9EiEsX0/FPg7aaEW4UohWw:qPvVFM0W4UohW
                                                MD5:CB3E0DD38C444938CE1C189AADD29A3F
                                                SHA1:45B985CCD1D30C67C757580D4E9ABE6CA7BE4DD7
                                                SHA-256:B2D983883AFD758913A7DB54222A2DB4BFEB1051B0C0F92E8FAAE93C0BC90FC4
                                                SHA-512:CDE637E676819A05CFE6F757BCB6A1ACA72BD7D4422E7CEDFBF9D8BA42B47EAC7868A821FCE93E6D0F1DE20672A8DE7362F9DBA0066DB812C74E060134FC293E
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):3.3090252342831525
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsIifiH/rmyCt68q88vjRaBl8oIF6t0vOIZW0H3NNfBI5KV9h7r35WWdPm:6yNDIFvvjRLF20GIZWUnfBI56h/5Wwa
                                                MD5:4A18BEDA5038C5203993191431B98D62
                                                SHA1:FACBA10698A89A42C0E419BAC056366E809DEDC0
                                                SHA-256:3144BCCC1385EFC1FF204442A5AECC0A990776341A268FAD15AA605449FCA04A
                                                SHA-512:FD4A1963BABE134202C5B9C97B8A83C0DC1C7E58F04A5CB12F6CCF7AE6AC41F13303FB3D01052E2B670805A7E2D21C193EE888E98E68054DD52B9BDC636A7597
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):2.896310093891118
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsmfiyL5Lczve21t0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yNDgLVM70GIZWUnfBI56h/5Wwa
                                                MD5:D525807D6A2D16BD9B8B22FFE99B7C26
                                                SHA1:2F78DF1D946A2DE936C3F9B6CC88FE401AA74B72
                                                SHA-256:1AB5FE4396F72938193A8CE5E18FCB522F84DD24591F39EC1302FC822F875496
                                                SHA-512:013B2C635E6BE446096DE81A2003E1F65658D203F5F6EAE3477CD54EA5FF3EEC929ED41CF6E33A61AAA201CA920CDF9F96EB34EB8EBD526146D2DA2910A3A9D1
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3072
                                                Entropy (8bit):2.9388357019694578
                                                Encrypted:false
                                                SSDEEP:48:6yNDPd8H0A/MmKO0GIZWUnfBI56h/5Wwa:xNB8H0QKIEW4UohWw
                                                MD5:065DFF75D5E5A28BBF5B2E1B7B3FBF5C
                                                SHA1:C4DC31EA4888E5E7CA5E8155F0EAFE25AD781073
                                                SHA-256:59D807FE256FC61866EE54DC4F18BB4F8901D902F7E23B15ECBF7B7A4DC6FC5F
                                                SHA-512:067AE4CAB058BE6BFCA080C95EA5123413E11B7FF6A84ECCC10D750FAC2719EE5D86A6362D0D4155B54ACE6C4D44D7A55B627236EBEA7D3FD0B9620ED2F10A57
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):3.1486143068427404
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsbfm7zuGsTyCy9yht0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yNDaeRWL070GIZWUnfBI56h/5Wwa
                                                MD5:D0DA5A427B151F8C524948D13C51CAB4
                                                SHA1:A51AC6BA7814188B669C7ABBFDEE535D798F05E1
                                                SHA-256:65912B7D8AD3423AD4609B9E2E3C262647D5273706796F043C9B515F1E8C78F2
                                                SHA-512:01EF7F3C43AC8E81E25EDD324F56F7916FF990CF7350F582A0E2CE67ED54F584BB72D95D8FAF129964351771F5099E36E8F02F1B067CF05B3349B64EA696BCDE
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3584
                                                Entropy (8bit):3.3515580419915065
                                                Encrypted:false
                                                SSDEEP:48:6yNDmvBIAAz464UzyLzX8Guw30GIZWUnfBI56h/5Wwa:xN6CAGZ4dLLF5EW4UohWw
                                                MD5:465C8CA52D6A5EBB8CDDDADDCC6255C2
                                                SHA1:D51DB3B2382A0457533350E687489D91A229E5E8
                                                SHA-256:E68FF1811BFE8CD7682C45A1D562C90CCB35A70971CD75D195C7773D668E1DC4
                                                SHA-512:0641EF1524C00183C0693EE301AB0D982D4BA4BDC1326294D20A9CDD8F5C1AF16A0038C6FD11D490A1DB09221C6729FE03E6329A4262D6055BB5B37B32F8B393
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):4096
                                                Entropy (8bit):3.9725650409834805
                                                Encrypted:false
                                                SSDEEP:96:xNLZtDm4wUO3xd38ZoO5e/Vf1EW4UohWw:DDmzF3xd3soMe/VfuW4UohW
                                                MD5:3018F5B28A9E26395B7933EBCFD6F40C
                                                SHA1:EA38F03430F1A54E9B37E9694EABC7487B6E7201
                                                SHA-256:0C62B8AB1E5F30D4A9EADCD412677E0AB5E4E9304F0870A4EE562F08D09CCC7E
                                                SHA-512:F9A81F4565D083F30049EE8E4C4DA996BA86C7C20E58D3DCD102EB41AB58C6D94941545EA2EE3AA538D352847EFDD84376144FF852BDEF4EA3C54DAB4E5CED47
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3072
                                                Entropy (8bit):3.048082140085007
                                                Encrypted:false
                                                SSDEEP:48:6yND/ktxyrq9TqXFL0GIZWUnfBI56h/5Wwa:xNEpCEW4UohWw
                                                MD5:DB31BDB3725819FC5C5DF30C608673C3
                                                SHA1:5253F48E153B9C722ACAC8EE558E9A6091F5EE3E
                                                SHA-256:3115632C9BEA1CCDEB7747689AA65FA36291788339793FCE306AFB03CA748A6C
                                                SHA-512:5DB501B57D129511AFA868716D82F27B8505BE5C0E2EDB5C1509B38B2537F14586DA71C4424055BFE1B812F333E3F30D63E52501700CCDF848A37E49A0235CBD
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3072
                                                Entropy (8bit):2.8930005018666094
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwshfiSFx2t6QmZWhDKt0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yND7FxImUBG0GIZWUnfBI56h/5Wwa
                                                MD5:A8D532500495D617CA1B9F5525494486
                                                SHA1:9542CCB68FD7E5337953C25FB33589C486D98788
                                                SHA-256:C0D62D6A9350E66FB144E297C49AE2A8EFB997148807A60DBAC1AA95C88FA8F4
                                                SHA-512:68CDFCF37A60931567F341C4B1CF2751123A90733622DAA1C02D2A8937B32D7FAA4537FC4F93D238CFF6F2FAB11F7710C1DC15812D1BA028898F8A4DFB0CD10D
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3584
                                                Entropy (8bit):3.1744405946373884
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsFAfiuByBrAl5i7AjgGCXTW2RSt0vOIZW0H3NNfBI5KV9h7r35WWdPOP5:6yNDoBxC/DW2k0GIZWUnfBI56h/5Wwa
                                                MD5:9CE4F24EFDF1A23BD71206B870B2A049
                                                SHA1:2FAAC945038E108B21C5F9A0C175622F65F30072
                                                SHA-256:F4CAE758D318B23E76DDF50202768F4CBEA9CC16D36114F4CECB15957206E4AF
                                                SHA-512:86C4DB450BD26BFA007C032514E862A026E0317A48D1B05CF489B30B33985F01B98EAFFF2073D86028622694599070D80C95AE6B4C31B4832C55C6261575019C
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):4096
                                                Entropy (8bit):3.6646599177824277
                                                Encrypted:false
                                                SSDEEP:48:6yND741LTNEfWeKB+vpgge6gig8YSzYFTdshgW9M2PkSV0GIZWUnfBI56h/5Wwa:xNkL5uYFT4sMEW4UohWw
                                                MD5:624033B39B9C5E1EB13D5EDE2D213DDF
                                                SHA1:055995C888275105E3560F07A2442E28295588F6
                                                SHA-256:83A0079FBF50719B46275F9CC5675A299C987862BA7AD3AD0EE5F6E714400AF5
                                                SHA-512:1200DAEC55E5F5E80489022EFE3EE67BAAE64278F9289E828DEB8A3507355E2D643E9FEFA7CF21C2056B4C5458270EF605697F38C3F3CACD41D23E3DED3C7EF8
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):4608
                                                Entropy (8bit):3.8301031830183545
                                                Encrypted:false
                                                SSDEEP:48:6yNDZxfBPLJfSAQOr0xfWeKBKvpgp5ae6lgig8YHSzOYFlbTSOgoshgW9MTscPkM:xNLZjJfZiOYFtTScsaEW4UohWw
                                                MD5:004F7F67994DE33959D6480EF4D4F515
                                                SHA1:76E83DB625D504D1FEEC5DEC918552F9EC51C4C3
                                                SHA-256:053A83B3F8AC76232952BDB8FB5C5067F06BA48F82B474829C25326ADBD26361
                                                SHA-512:D187950683C79B1DFFE4432FB476071A203CB14D7987377F71538B81FD36077F181FB7D64E9E4E30099F239764E6CBB501B65C095CD4532BC0B2AB9FBD7755A3
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):2.8232034329252635
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsefiSlM+6e464Tt0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yNDQkGi0GIZWUnfBI56h/5Wwa
                                                MD5:0B786FA5D778E0EA9A2175263320EE8C
                                                SHA1:83553AC046847AB0C852403E512E748B73BE5DEC
                                                SHA-256:A124C3F8402636219E06BEB708D8BE67F6DBAA7FF4F6D402B50734230FCFBA1B
                                                SHA-512:BB29F985653105E23F52F381BEF5AC1F8D1A34D1ECA4678F50FC6F308860104D073FC1551F42AE4F460C32366E95C95F7D9BF84B34B7FF48BD3921904F94607A
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3072
                                                Entropy (8bit):3.1480446592927986
                                                Encrypted:false
                                                SSDEEP:24:etGSyNws1fiiouyzD6OXeRrZRrW7JYEFkt0vOIZW0H3NNfBI5KV9h7r35WWdPOP5:6yNDTolS9s7er0GIZWUnfBI56h/5Wwa
                                                MD5:7DB9F8A411F116BA765000E6500FB926
                                                SHA1:4267018A03D814B8963AB1E256EE9EA8F0A33FED
                                                SHA-256:F8DD900D459335EEDBE3855F1BA7858E19DFC0D348EBD25E6548D4ECB0DA61B1
                                                SHA-512:54F4C79747E2DE6F26BEF354A4328FE7F596B8D8AC0F2C14220E8998A1980553A09BCA61756316E12846B502CACC45AB4F90EFCFF0DEB3C9E39037E5CC52556C
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):3.138497775886639
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsYfiAutvEKJMwidPCt0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yND0aEKJMBg0GIZWUnfBI56h/5Wwa
                                                MD5:C8196CD707F4A41C4A763B8E6D2EDE7A
                                                SHA1:371BE162F04E7742246C0D9C9B2AD31A25043978
                                                SHA-256:B5082680B5CA71FDEA49E8E23EFBDA2B72F6E1B1A48782B4B63530EE7BE19A2C
                                                SHA-512:3690D87E9EDDF0DE7D71BFBAB831D80009B572E5C2F181FB23B2966D1249861AEFF61EBBB16E46836697B443A0C1AF2CFDFC930E9F010B613337ED5AC475A306
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3584
                                                Entropy (8bit):3.876206600228689
                                                Encrypted:false
                                                SSDEEP:48:6yNDZrZ6C1nFLrNLZoVdt6zsS0GIZWUnfBI56h/5Wwa:xNB1ntZOV76zskEW4UohWw
                                                MD5:4219B20D53C2C6B533AE93ED45876351
                                                SHA1:8973762E7C4ACE85A1D9AAA1DD35FAC6BD48C0ED
                                                SHA-256:C75A838FF92199678DF2AD04A31F609309967CF6B66D34C58D26EB3909E6DAA5
                                                SHA-512:B73FC539D6A36E38A557D3DCF44FABD1500CCEA9C9C10C0101104B10D1923E46CD78BE0791B9FCBB1603DA7A1CCD33E6A3E3B807BC5F5448D24E44351B5E100D
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):4096
                                                Entropy (8bit):4.1029530268218615
                                                Encrypted:false
                                                SSDEEP:48:6yNDcZn8RBziHC1HrN3gGDrNLZoVG+t6zsZsd0GIZWUnfBI56h/5Wwa:xNk8Rv1LN3gGfZOVT6zsiEW4UohWw
                                                MD5:BC03011A527274767EFFD05F90D26011
                                                SHA1:56659C88000FF70422E818AD827FDCB01F036DE2
                                                SHA-256:7F840E721C8CD073631F03159565219D24128EACA905668CFC7394889B908B9E
                                                SHA-512:600D1163FFB6B7244770A67F2A543B387A33940178DBBC010AD8C5A5E32872BB0D065E1DCF5A985174577922762CCD2B462CF40C1D4D6DC99E07D22DAAEE098A
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3584
                                                Entropy (8bit):3.423565618533835
                                                Encrypted:false
                                                SSDEEP:48:6yNDxvSGZaed+oABAmCpLOJ0GIZWUnfBI56h/5Wwa:xNUGZaewoMAIEW4UohWw
                                                MD5:705476AAA1EF452E50C61FA56F84D919
                                                SHA1:F86ADA80B5C2C528FB328D1AAACC817E538CCC85
                                                SHA-256:1D7A5A3CD3185D839D31C83DCB2192A08A80C4A7EC17EAE550AB5A4D84B189D9
                                                SHA-512:DB6FDEC0F758A955A4FA888571AD2496F072D9F580895628AA2DA143DAA4F64C9FBDF5D9A6950BC06CA5F69395C04515D77C1EE45744C4E7600C1E5DD4CD559E
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3072
                                                Entropy (8bit):3.277308210140252
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsKfiSpd3mtbfb5OjeuOI/t0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yND2ZmZftOR0GIZWUnfBI56h/5Wwa
                                                MD5:A84F802749AE5A0AA522F203ECE20B7F
                                                SHA1:3C631CE4107B2FFC9A4A06C16D41D7D0EA0A9B2F
                                                SHA-256:E4D28023ECA5BD147AC645048B18BD7272735DA10C30C2DBC83CD1C96703D869
                                                SHA-512:52B68A300AE56EB8A3B3F811CC7368AFE5D4F1E8EE37B6FDAE0878978952041BD5467EAAAEC23AAB12C1735ED3AFD8134B2171B633EE1DAE3B159E99D765A71D
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2560
                                                Entropy (8bit):2.9176290854155225
                                                Encrypted:false
                                                SSDEEP:24:etGSyNwsqfiMp1Ppf76t0vOIZW0H3NNfBI5KV9h7r35WWdPOPNj:6yNDKpFpj20GIZWUnfBI56h/5Wwa
                                                MD5:2D8249636011CF1467BE41C8BDF7C765
                                                SHA1:C7EDAF6444690DB617F58B0506DD979E1F2314A4
                                                SHA-256:84CE120AAE88DD77A71C30630D409382F2AD22B11BE4CCEDD1800C4BB2CA4937
                                                SHA-512:4732C247B6505C48A41A0C5BA933F2C7DC63301F09FF891F2E50EF765C3EAE00D520D9E08CB5229D6E90048AA826CAF34A282B5FB80F10A63EE987A60836F9EF
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):12640
                                                Entropy (8bit):6.627842192433045
                                                Encrypted:false
                                                SSDEEP:192:KWohWVyzTbPDBQABJIf3WiRfqnaj6uDp6rFUiutV:KWohWYzDBRJknlD16EtV
                                                MD5:21AB8A6F559D1E49C8FFA3CDAF037839
                                                SHA1:87F2EDACE67EBE04BA869BA77C6F3014D9CB60C0
                                                SHA-256:30B677B95DE5FCBAA2AE67088822A5FEABDB63A53101CC44DE83067018B457C8
                                                SHA-512:6F117397EE46519A5CF29D3C8A72503861A78A83CCBC56BD4447AB2F4693857147C35292C87CB5BA5EFADDE97BCE3735AEDB0275FCABEA1006C1621945A44498
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):15704
                                                Entropy (8bit):6.426268987658921
                                                Encrypted:false
                                                SSDEEP:192:ScJpcyeWohWCyzTbPDBQABJVKyqnaj/6g6d6q6RbwXTKS4:ScJ2yeWohWZzDBRJV1ltRJRbEp4
                                                MD5:F5D4EF8A0C33CBF321DD51ABAFD5FFB2
                                                SHA1:C85B87AA33F3FCEE76FACC1D0FEC65F1CC5F1B55
                                                SHA-256:053E6F664D1AEBE7FD120BF89056F2612B7667E1F71DF0DDDB504E04C58A508A
                                                SHA-512:9D85E5C320699C079DF98695641F24D9BAADA5514435AE9B69C28AD3C3B5C29129CD46D0F8F2398FC94ADE30777ED44CA5F75F6E78EB86D64CEB32C71046479C
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):12120
                                                Entropy (8bit):6.590445960075786
                                                Encrypted:false
                                                SSDEEP:192:paWohWVyzTbPDBQABJVhohqnajkZtTT2yT7eoVPB59Yt:paWohWYzDBRJVhslmT9Yt
                                                MD5:F5F31DC3B928073274BCDF7B4D4136F9
                                                SHA1:07624699FD428B5E60A5FFDAFE3AD1B820AA2B8D
                                                SHA-256:5CDE06AADDD28E0BB3AFE756215D6AE5F2EB20B00413A6A1D2095D81493C5DDD
                                                SHA-512:9458453D9530F6652F3580E988ED0F8320268A2A1A4D4A017A00935F6133FC3E8F91E8BBBA07B1F628EBA1A3822E4A3C3A8B72C2861950E1EDE9521DD04868B6
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):13656
                                                Entropy (8bit):6.641745012450597
                                                Encrypted:false
                                                SSDEEP:192:ffTnWlC0i5CuWohWBuyzTbPDBQABJPy/yqnaj/6g6d6q6RbwXKKO2ng:3TnWm5CuWohWHzDBRJPlltRJRbEuL
                                                MD5:861A2FD3AFB4557BA49A6D60A02C39BF
                                                SHA1:03622632D5E810B87B806DDFC0ED6EA3D2171B96
                                                SHA-256:C1A072B49ACB82640104AADA665FF948415CC57DFCBC495D4D85B1F18D84A1A3
                                                SHA-512:AE20BB93D7661D47048042A3A21D95F0C1B20918F170FEE77CD7DE2B9367A3F819B39E45CB6C58689603F1670CF3C46CDF6453162F3D88871C794DF13460F374
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):12120
                                                Entropy (8bit):6.744058743965601
                                                Encrypted:false
                                                SSDEEP:192:XwY17aFBRkWohWzuyzTbPDBQABJgSqnajE49dFXKehI9:XpNWohWz9zDBRJblPYWC
                                                MD5:156DA44DE8586202CD7BADDA883B5994
                                                SHA1:DE58F32E2172D31A55DF26F0D9A0C5AC9880EFDD
                                                SHA-256:6E0460EA48738B50C8628038368E4E4B425FB6AA5DE76F7FE06F2473FABC0E9E
                                                SHA-512:A80A316DB9FD3F6907E28771BD39C00244F510096EAB3DAF617C65962BB223C728505A40DC2C3F651CC49DF5D7BFA6F660EA1F9889AEB2BCF9B93A2EB6C0503E
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):12120
                                                Entropy (8bit):6.694037933752207
                                                Encrypted:false
                                                SSDEEP:192:YFWohWCyzTbPDBQABJYpyqnaj/6g6d6q6RbwXDK/NL:gWohWZzDBRJY4ltRJRbEa
                                                MD5:10C18EE8EB974E9F6382917AD3CD7D11
                                                SHA1:3308CD7D9D29E42E137FD348B96545C206EA7096
                                                SHA-256:3A292B3AE218086EDD2D136FCC9EB65E788CAA6933C864908A07F004FECD9972
                                                SHA-512:A18769CE5EF8E0DA4B9BF997D9C8800E9D715C54F603CAC6534CADC0ADE3F9C70A0E9FC2E607D1DFD6D7326F9FB4F519466CD0953591494D0376D1624D77F1DE
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):20824
                                                Entropy (8bit):6.2131052096898625
                                                Encrypted:false
                                                SSDEEP:384:77FRU8HM4Oe59Ckb1hgmLzWohWkzDBRJXlJcEAI:77TjMq59Bb1jXh1PzNr
                                                MD5:FD374A7F3079A4F7D96B4C8A1E71B1A3
                                                SHA1:3F3C768239D26CF8C6F83AF96131E7B8E85ED017
                                                SHA-256:F7117AA5DF8FBFED9F625CBE11CD64FDAC1220099484B3AE534107D02A99058D
                                                SHA-512:3F7D9D632E434ED01588C4EEA69483197040588F09FDF0A9ACB902EA59664EC2A0257723AB61FBE56545D14462BE475919DA8F072F5E1E720569CBB3A776110C
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):12632
                                                Entropy (8bit):6.595805025085897
                                                Encrypted:false
                                                SSDEEP:192:HpOSAqjd7FWohWsyzTbPDBQABJ8NdPqnajkSXt7wSM6/:HpOSAcWohWLzDBRJ8NplJcm
                                                MD5:9600008630390E2209199E7791185075
                                                SHA1:7E85B6C55A2D17C0D9FFC96649A92F3E73D6757C
                                                SHA-256:0E16041AA9CFF135AF254E79D85B5F3944BF21E9448BC07F058894EB2013F724
                                                SHA-512:8690CDE896E5731074C4A703ED0A26FE5FC136A13E57656C3A92CA5A6915EC741D587258E02E60CB4B1CCAFD24E110C248641C06F8D839C0C1E235B0318491B8
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):16216
                                                Entropy (8bit):6.446099736226978
                                                Encrypted:false
                                                SSDEEP:192:vzfPrpJhhf4AN5/Ki5wWohWsyzTbPDBQABJyxyqnaj/6g6d6q6RbwXRK1P:vTr7MWohWLzDBRJyAltRJRbE4
                                                MD5:1B923D7B425EE35CC865715E8FF2B920
                                                SHA1:0302FE5CD576C9E28F1E9939AC04AC6AD89E371E
                                                SHA-256:FD40B4D21E907F8C168504BBA248CA7EED4A84537CEEC8A9903112E531B6A406
                                                SHA-512:62571B373B969889D07BE3FC26146D93FED2955D6E9B336E4FC8F8759DB98A8EC4154B6DF5244C3B37CD3BFD7F153B2C6BE7799845A02E0446C41A6898F82F31
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):17752
                                                Entropy (8bit):6.395359786145625
                                                Encrypted:false
                                                SSDEEP:192:YH5uWYFxEpahLWohWmyzTbPDBQABJn/4qnajuZDAJ+aSa8ki:YHCFVhLWohWFzDBRJwlUeT8R
                                                MD5:D263B7CE85EFDC007C40AABCA5ACB255
                                                SHA1:B7FAC5089B3990CDDC2435138E89DA2D5D515032
                                                SHA-256:37DFD6CD14F191E97E5F1674422E79FEBFCAE062B4A56959F76FF63803E58A55
                                                SHA-512:6BC594FCB1AD5149F27C86674E78BAE447E6D3F2E494E2749EAEB15AF28A212DAD075EC441541B490774770E77377E798A3DCED94C1E9B9CFDC4F5C95BF936F6
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):17752
                                                Entropy (8bit):6.387971099974592
                                                Encrypted:false
                                                SSDEEP:384:X5yRXrx0C5yguNvZ5VQgx3SbwA7yMVIkFGlwWohWhzDBRJR8lDzHxp:sl5yguNvZ5VQgx3SbwA71IkFBu1Psj
                                                MD5:1A3292019AF01D7A6ED8BC52686840E6
                                                SHA1:E1684C73AE12CD341250D544AFCC539856C9BB43
                                                SHA-256:E01B24D0FE72AE8D2C76B287D1286741940B84808E4BF11514402A0A6D2706F9
                                                SHA-512:941C238C96DE015D511BF691E878592FF8C71556CE95B3FBA268BF9DC6A2E2ECDE3C02B4DFF66D3EEAF3B177624B193C42691C692E293982126EF70A10CAF48B
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):14168
                                                Entropy (8bit):6.540489946544364
                                                Encrypted:false
                                                SSDEEP:192:Qr3LDlWohWYyzTbPDBQABJ/CVIqnajXagR3GGsKOhe:QrlWohW/zDBRJ/CylDzH
                                                MD5:1BF2AF4DEB96801EDFDE04A763EA4028
                                                SHA1:F6A9A0A603B34D212620F8B513B48039E8576F47
                                                SHA-256:E4FD646A54D9A21C52C1480E5AE36BB519A7E2237A026725570776D61A43B5A1
                                                SHA-512:42FE94DE60A8EB5F3B401047316440A4F36E3184F1CB9E22F750B37627CA2A6199FB55CB950B6E5CFEBBE413554128723B17BC421301768DDF9636AD3C9D07D8
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):12120
                                                Entropy (8bit):6.676528484011435
                                                Encrypted:false
                                                SSDEEP:192:XzIObNfHQdurWohWnyzTbPDBQABJV69PqnajkSXt7wSMr:XzIObNfpWohWyzDBRJMJlJcr
                                                MD5:FCFB6405CF54D78C5BAA81A66802918C
                                                SHA1:FFA88FADEE5B00F7DAF1A10BAEA98274C590E697
                                                SHA-256:91067F7C04812981DD32EA882C7931D128219EB376190500389BC5E60A5A116E
                                                SHA-512:CB9F02217D5FB73C91F758F29C5B6D4ED607E75BF94B90A63371902B4910D68F328F406CAB6BD1F273382514B4B8E1FACB0D6A3F7F09536F7B627DBA7E94E80B
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                Category:dropped
                                                Size (bytes):782875
                                                Entropy (8bit):5.483968933352953
                                                Encrypted:false
                                                SSDEEP:12288:mbVwyZXA2DKuhfQEvvMr5yzxUDMKZUQRbki:sVwyZrfQEXMr5yaMKZb
                                                MD5:BD9BAC744AB43C7790B06630D169F008
                                                SHA1:7370037BF0F1068BD68A6E5188506FC92C11BA4E
                                                SHA-256:CC73A2FFFDEE4B251D25915CEC384D358879B27EA2BFB0804E002114C8BF3D41
                                                SHA-512:C6382042B845DC7FDA1790963CABF7BF353A3360F7F4B71FEA04FA75EA33A035AB50208056A89CD40596F00FD8D06F7C8BDAEAA6118F6F24EEA57D7AF7EA4BDD
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):2480296
                                                Entropy (8bit):5.887920723713364
                                                Encrypted:false
                                                SSDEEP:49152:avYUOh5Px04+pRXhFXv1uTrZ0adtqXfDGszqFzPm0PfQ1CPwDv3uFgskh:rr+v7XtEseS0PI1CPwDv3uFgsc
                                                MD5:8C75BCA5EA3BEA4D63F52369E3694D01
                                                SHA1:A0C0FD3D9E5688D75386094979171DBDE2CE583A
                                                SHA-256:8513E629CD85A984E4A30DFE4B3B7502AB87C8BC920825C11035718CB0211EA0
                                                SHA-512:6D80D26D91B704D50FF3AD74F76D6B1AFE98AF3D7A18E43011DBE3809ADC305B0E382C10868328EB82C9F8B4C77BCA1522BDC023C7C8712057B65F6579C9DFF5
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):523944
                                                Entropy (8bit):5.500138412850847
                                                Encrypted:false
                                                SSDEEP:12288:Wkgq6N7Z8nTtk2XXMEeDke/M9qAmZ/fTab4SeUYSvzaXSS3aEc89Yeyhy8Z8kmDD:W64ZBN9O+PS0npgcmrc
                                                MD5:0205C08024BF4BB892B9F31D751531A0
                                                SHA1:60875676BC6F2494F052769AA7D644EF4A28C5E5
                                                SHA-256:EBE7FFC7EB0B79E29BFC4E408EA27E9B633584DD7BC8E0B5FFC46AF19263844B
                                                SHA-512:45DA0C128BFB706CB0340AD40FBC691696F3483A0235FAAAC864DEA4580B57E36AA5B4B55A60322081D2D2E2DF788C550FD43C317582A9B6A2D66712DF215BD0
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1029
                                                Entropy (8bit):5.293060607356132
                                                Encrypted:false
                                                SSDEEP:12:TMHdtnQEH5ZCgVNsSNXvNxW50+bJtgVNsJWSNGOvcNg4gv18wcGkVtvXV3kQGXzJ:2dtn3ZEgPN20+bLgMfNRme7cb3jE
                                                MD5:8F51D4D555C1D238DF0F8521D2065BA1
                                                SHA1:FF50F3B073E2D2279A86C5CFAD7AD512078BABCD
                                                SHA-256:738C857C947CD0D479351359A2D6640294551E874E08AEABE40C46F526B08FFC
                                                SHA-512:937350FADADA4571D99CBC84DC3D018CBDCD6C235D75E034232F3115E98CB7C84B6B578A4CFBBBD54307CCF7CA7C941C3F60D131BC0FD9D418B317FBE7317D1B
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">.. <assemblyIdentity name="main" processorArchitecture="amd64" type="win32" version="1.0.0.0"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity language="*" name="Microsoft.Windows.Common-Controls" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" type="win32" version="6.0.0.0"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>.. </application>..
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):200208
                                                Entropy (8bit):6.323972709730778
                                                Encrypted:false
                                                SSDEEP:3072:j6G1hdApT5oz99oKuQSw38vAOrB9dKEN7U+EkVBILCUKt3p+7T9aUN/xI1Vhi:jdpg52oKaw38xrH8lSmLCi75aUBJ
                                                MD5:F2CB00C0D1E5750A0273886277CC3E9A
                                                SHA1:6CD0389CFFC17115DC68FB7B241D6802C016B07F
                                                SHA-256:E82AABF687C0FBBC3EB33AD8DC55A7C74F299BCBB58D148671C33B744B0AE43D
                                                SHA-512:A0E1EE36AA0BB93567A0F6DCF333A2C49FC2F8BFD0D35529C50964A3AEEDE184FDF7179B55FB4487985EE81C9D8328E2E7DBF775ECA5FF794B19D9F483F61B17
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3780624
                                                Entropy (8bit):6.3875425846586
                                                Encrypted:false
                                                SSDEEP:49152:1TeuSWg7sxvzSxFHYxcim9kOTl8MiYGYwjy9x6xN2BjXISsOIjbXH3EM6nPP8MTj:dcdOMiY+yXCNnjTHUM68wsNyPH
                                                MD5:D558D4DB5A6BD29A8B60B8AA46E5329A
                                                SHA1:A5036009DE7165B1B4721263EAE4B240EE689095
                                                SHA-256:1CFDD40A9107D89310E4E3B6DF5F25F26944B312E61638D014F1B1A8050CCC07
                                                SHA-512:5590FBD6C9C81293B21E9DA9D35D5177F03BA3D247771E4ABEF3420420D9024F3A775796D73BECD5AEB469DF648D3105A016693C6B8F68E8C61399212439EEBF
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):26640
                                                Entropy (8bit):6.126297605139461
                                                Encrypted:false
                                                SSDEEP:768:qK0HqVAT2PMN/Nuqn2gGxI1qGTWDG4yfb:AKVAS0pN72gGxI1qG+yz
                                                MD5:CF7BD630DB53356C3DFD51CA8822B696
                                                SHA1:202837642BAA0D161D462039AB2441D491C6FE5F
                                                SHA-256:5ED33AFC7F63DE065457E0EF0852DE0CC182A7111BD852E855EB9F48451B0E58
                                                SHA-512:4C32E03B670FA42F57E5E265E56E9845B719286FFECD8AFCD583649FEE11B803776F15EA28730925DC0C0B5510C18047CEDA951FCA1A716A1ACC54F0DBC9E91A
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):994384
                                                Entropy (8bit):6.6412801989655685
                                                Encrypted:false
                                                SSDEEP:24576:WHf1+A/Ef/YdeFC2et3zfDgF5P8mX9EYmxvSZX0ypmKWLS:WHfJ/Ef/ceFgzfsH9EZA
                                                MD5:BD8B198C3210B885FE516500306A4FCF
                                                SHA1:28762CB66003587BE1A59C2668D2300FCE300C2D
                                                SHA-256:CE2621719F1358508C2C33BCC1380D78A737CA20CD18C0AC89F38E1BE788D9A2
                                                SHA-512:C32B6C083D3A7DA01085718E5685E9A04034BE91251C065794CEEF1DFAAF6573FDD845CBC84E926AB3F510D295649CB6E497564FBE52CC79C053357C645C11A5
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):1073168
                                                Entropy (8bit):5.328917473561447
                                                Encrypted:false
                                                SSDEEP:12288:oKe4YbeoEYa6l0SYxNtHcQJtwEI+V/IFx7agsSJNzkRoEV+2PmrZ699en:oKe4BN6ax3cxr+VUx7agnNcM2o+en
                                                MD5:D009552163B6A795E0816EA5CE4928CE
                                                SHA1:F3640F46037735667B6EBA057F89A978A3901430
                                                SHA-256:5938061557E920E925A4E9B31F950B6D25C5FF10E143FE8E1F773466810CE2A2
                                                SHA-512:5ED7513A843D2E239AAE8A4CE9CBB42366D9F2A0EA5ADAEDD8DD8C53493594EE3B5B118F766CC04D47D3EB31EC03EEB77B0DC05851DE5A585F6970830B6E8580
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                File Type:JSON data
                                                Category:dropped
                                                Size (bytes):38
                                                Entropy (8bit):4.323732369265593
                                                Encrypted:false
                                                SSDEEP:3:sVUZMBFReNmIyEMLy:sPMmIyED
                                                MD5:AC92887D66928925B7B1757834313256
                                                SHA1:303530F53503EE62C06564FD54E5F896A70353AB
                                                SHA-256:624276CBB61AD4282F6CD15D43E1695712EDAA990F73DAD643F0B40709967CD0
                                                SHA-512:852B6364F13436C882F1DC5D84CB9CEAF3031B07352F2AA7E6174881F4EE50299355D2344759096984FC9204B024C791A76D3B5DBE5224DC7DF581E5BBF1FC08
                                                Malicious:false
                                                Preview:[6040] Failed to execute script main..
                                                File type:PE32+ executable (console) x86-64, for MS Windows
                                                Entropy (8bit):7.991548312883037
                                                TrID:
                                                • Win64 Executable Console (202006/5) 92.65%
                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                • DOS Executable Generic (2002/1) 0.92%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:LisectAVT_2403002A_489.exe
                                                File size:7'135'477 bytes
                                                MD5:5d8382b97196a915f262105f67522fef
                                                SHA1:d8c9fb5031a4c7ae0a5169a756d948c9b2cb0440
                                                SHA256:ac1952d1b81f90cade1a942f54436df27292e6e6df7d1b7001243a2b8caffbca
                                                SHA512:52b858d6a04bbd9b9f52e6ce60b93836d6cd6f885c2ccb9bfee03c7b66beb32cf50957469a19b05342df6cb796b2751c5c5e97c7b8dfc303c9464d119337b55d
                                                SSDEEP:196608:XFLaAXZ7Zd9e+q2WWmQMh+ZZR9IGiEkFVyetFoZot9:tx1Zd9vqZQCpo2
                                                TLSH:AF76332082F014F7F67B9632D5A66216C5B2F8005354D29F43845AF3AB93AE07EB9F74
                                                Icon Hash:4bcc8e96b2b35007
                                                Entrypoint:0x140008b14
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x140000000
                                                Subsystem:windows cui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x5E11D35F [Sun Jan 5 12:15:27 2020 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:2
                                                File Version Major:5
                                                File Version Minor:2
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:2
                                                Import Hash:7aa1951517b3b8d38b12f874b66196c9
                                                Instruction
                                                dec eax
                                                sub esp, 28h
                                                call 00007FA53089C484h
                                                dec eax
                                                add esp, 28h
                                                jmp 00007FA53089BDABh
                                                int3
                                                int3
                                                inc eax
                                                push ebx
                                                dec eax
                                                sub esp, 20h
                                                dec eax
                                                mov ebx, ecx
                                                xor ecx, ecx
                                                call dword ptr [0001A5AFh]
                                                dec eax
                                                mov ecx, ebx
                                                call dword ptr [0001A59Eh]
                                                call dword ptr [0001A5A8h]
                                                dec eax
                                                mov ecx, eax
                                                mov edx, C0000409h
                                                dec eax
                                                add esp, 20h
                                                pop ebx
                                                dec eax
                                                jmp dword ptr [0001A59Ch]
                                                dec eax
                                                mov dword ptr [esp+08h], ecx
                                                dec eax
                                                sub esp, 38h
                                                mov ecx, 00000017h
                                                call 00007FA5308B51C4h
                                                test eax, eax
                                                je 00007FA53089BF39h
                                                mov ecx, 00000002h
                                                int 29h
                                                dec eax
                                                lea ecx, dword ptr [0003822Fh]
                                                call 00007FA53089C0FFh
                                                dec eax
                                                mov eax, dword ptr [esp+38h]
                                                dec eax
                                                mov dword ptr [00038316h], eax
                                                dec eax
                                                lea eax, dword ptr [esp+38h]
                                                dec eax
                                                add eax, 08h
                                                dec eax
                                                mov dword ptr [000382A6h], eax
                                                dec eax
                                                mov eax, dword ptr [000382FFh]
                                                dec eax
                                                mov dword ptr [00038170h], eax
                                                dec eax
                                                mov eax, dword ptr [esp+40h]
                                                dec eax
                                                mov dword ptr [00038274h], eax
                                                mov dword ptr [0003814Ah], C0000409h
                                                mov dword ptr [00038144h], 00000001h
                                                mov dword ptr [0003814Eh], 00000001h
                                                mov eax, 00000008h
                                                Programming Language:
                                                • [RES] VS2015 UPD3 build 24213
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x319ac | 0x50 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x64cc | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x43000 | 0x1d10 | .pdata
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4d000 | 0x690 | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2fa00 | 0x1c | .rdata
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2fa20 | 0x94 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x23000 | 0x320 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x214d0 | 0x21600 | bc76aa9332c27788b891bf46421d2261 | False | 0.5573209269662921 | zlib compressed data | 6.457850378424694 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x23000 | 0xf49e | 0xf600 | ffb1fcb4e358028e22b7048afa07095b | False | 0.5266927083333334 | data | 5.834872518124954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x33000 | 0xf108 | 0xc00 | e001c48c58a83fc36b1ec29411188fa4 | False | 0.13313802083333334 | data | 1.8475662597426965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .pdata | 0x43000 | 0x1d10 | 0x1e00 | 2d86c7785fa4cdbeee10fa69a2e2d271 | False | 0.478515625 | data | 5.229254522963328 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .gfids | 0x45000 | 0xac | 0x200 | 4ca521d659f21e53989de742d2577e62 | False | 0.28515625 | data | 1.7203527618641725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x46000 | 0x64cc | 0x6600 | f6d2a3ac640584e8771ce7770ac62851 | False | 0.5320925245098039 | data | 6.279413894564505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x4d000 | 0x690 | 0x800 | 7df6f38c84844da9738fba2d2a443f7f | False | 0.56640625 | data | 4.992296233857643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                RT_ICON0x462380x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0, 256 important colors0.773014440433213
                                                RT_ICON0x46ae00x568Device independent bitmap graphic, 16 x 32 x 8, image size 0, 256 important colors0.5982658959537572
                                                RT_ICON0x470480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 00.483402489626556
                                                RT_ICON0x495f00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 00.5914634146341463
                                                RT_ICON0x4a6980x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.7225177304964538
                                                RT_ICON0x4ab000x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 00.4826454033771107
                                                RT_ICON0x4bba80x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.699468085106383
                                                RT_GROUP_ICON0x4c0100x4cdata0.7631578947368421
                                                RT_GROUP_ICON0x4c05c0x68data0.7019230769230769
                                                RT_MANIFEST0x4c0c40x405XML 1.0 document, ASCII text, with CRLF line terminators0.46647230320699706
                                                DLLImport
                                                KERNEL32.dllGetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, WaitForSingleObject, Sleep, SetDllDirectoryW, CreateProcessW, GetStartupInfoW, LoadLibraryExW, CreateDirectoryW, GetShortPathNameW, FormatMessageW, LoadLibraryA, MultiByteToWideChar, WideCharToMultiByte, GetExitCodeProcess, GetLastError, SetEndOfFile, HeapReAlloc, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetCommandLineA, ReadFile, CreateFileW, GetDriveTypeW, GetFileType, CloseHandle, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, GetFullPathNameA, RemoveDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, SetStdHandle, SetConsoleCtrlHandler, DeleteFileW, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleCP, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, SetEnvironmentVariableA, GetFileAttributesExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, GetProcessHeap, WriteConsoleW, GetTimeZoneInformation, HeapSize, RaiseException
                                                ADVAPI32.dllConvertStringSecurityDescriptorToSecurityDescriptorW
                                                WS2_32.dllntohl

| Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 2024-07-25T19:27:36.267490+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49706 | 20.12.23.50 | 192.168.2.8 |
| 2024-07-25T19:28:14.374435+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49710 | 20.12.23.50 | 192.168.2.8 |

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 25, 2024 19:27:20.085741043 CEST | 51258 | 53 | 192.168.2.8 | 1.1.1.1 |
| Jul 25, 2024 19:27:20.094083071 CEST | 53 | 51258 | 1.1.1.1 | 192.168.2.8 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 25, 2024 19:27:20.085741043 CEST | 192.168.2.8 | 1.1.1.1 | 0x8e91 | Standard query (0) | www.baidu.com | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 25, 2024 19:27:20.094083071 CEST | 1.1.1.1 | 192.168.2.8 | 0x8e91 | No error (0) | www.baidu.com | www.a.shifen.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 25, 2024 19:27:20.094083071 CEST | 1.1.1.1 | 192.168.2.8 | 0x8e91 | No error (0) | www.a.shifen.com | www.wshifen.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jul 25, 2024 19:27:20.094083071 CEST | 1.1.1.1 | 192.168.2.8 | 0x8e91 | No error (0) | www.wshifen.com | | 103.235.47.188 | A (IP address) | IN (0x0001) | false |
| Jul 25, 2024 19:27:20.094083071 CEST | 1.1.1.1 | 192.168.2.8 | 0x8e91 | No error (0) | www.wshifen.com | | 103.235.46.96 | A (IP address) | IN (0x0001) | false |

                                                • www.baidu.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.8 | 49704 | 103.235.47.188 | 80 | 6040 | C:\Users\user\Desktop\LisectAVT_2403002A_489.exe |

Timestamp: Jul 25, 2024 19:27:20.136511087 CEST
Bytes transferred: 116
Direction: OUT
Data:
GET / HTTP/1.1
Accept-Encoding: identity
Host: www.baidu.com
User-Agent: Python-urllib/3.7
Connection: close

Timestamp: Jul 25, 2024 19:27:21.063285112 CEST
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 200 OK
Bdpagetype: 1
Bdqid: 0xba28fb110064da78
Content-Length: 403175
Content-Type: text/html; charset=utf-8
Date: Thu, 25 Jul 2024 17:27:20 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
Set-Cookie: BAIDUID=8BCA3F4A2092CDAB5D63C5A896D44D05:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=8BCA3F4A2092CDAB5D63C5A896D44D05; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1721928440; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUID=8BCA3F4A2092CDAB3E49629E00117002:FG=1; max-age=31536000; expires=Fri, 25-Jul-25 17:27:20 GMT; domain=.baidu.com; path=/; version=1; comment=bd
Set-Cookie: BDSVRTM=1; path=/
Set-Cookie: BD_HOME=1; path=/
Traceid: 1721928440395412890613414247540562647672
Vary: Accept-Encoding
X-Ua-Compatible: IE=Edge,chrome=1
X-Xss-Protection: 1;mode=block
Connection: close

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.8 | 49705 | 103.235.47.188 | 80 | 6040 | C:\Users\user\Desktop\LisectAVT_2403002A_489.exe |

Timestamp: Jul 25, 2024 19:27:31.069875956 CEST
Bytes transferred: 116
Direction: OUT
Data:
GET / HTTP/1.1
Accept-Encoding: identity
Host: www.baidu.com
User-Agent: Python-urllib/3.7
Connection: close

Timestamp: Jul 25, 2024 19:27:32.123868942 CEST
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 200 OK
Bdpagetype: 1
Bdqid: 0xf613bf6400653c50
Content-Length: 403429
Content-Type: text/html; charset=utf-8
Date: Thu, 25 Jul 2024 17:27:31 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
Set-Cookie: BAIDUID=0CCFE3BBF02A35DFA51EA723ADE84D7F:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=0CCFE3BBF02A35DFA51EA723ADE84D7F; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1721928451; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUID=0CCFE3BBF02A35DFF374C69E16918100:FG=1; max-age=31536000; expires=Fri, 25-Jul-25 17:27:31 GMT; domain=.baidu.com; path=/; version=1; comment=bd
Set-Cookie: BDSVRTM=2; path=/
Set-Cookie: BD_HOME=1; path=/
Traceid: 1721928451368569345017731726594112044112
Vary: Accept-Encoding
X-Ua-Compatible: IE=Edge,chrome=1
X-Xss-Protection: 1;mode=block
Connection: close


Target ID: 0
Start time: 13:27:15
Start date: 25/07/2024
Path: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\LisectAVT_2403002A_489.exe"
Imagebase: 0x7ff626e00000
File size: 7'135'477 bytes
MD5 hash: 5D8382B97196A915F262105F67522FEF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                Target ID:2
                                                Start time:13:27:15
                                                Start date:25/07/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6ee680000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:13:27:18
                                                Start date:25/07/2024
                                                Path:C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_489.exe"
                                                Imagebase:0x7ff626e00000
                                                File size:7'135'477 bytes
                                                MD5 hash:5D8382B97196A915F262105F67522FEF
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:14.3%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:17.6%
                                                  Total number of Nodes:1683
                                                  Total number of Limit Nodes:87
7ff626e1df32 14083->14090 14086 7ff626e13088 32 API calls 14084->14086 14095 7ff626e1df2d 14085->14095 14096 7ff626e1df67 14086->14096 14087->14079 14097 7ff626e1e015 14087->14097 14091 7ff626e17ea7 14088->14091 14092 7ff626e1cddc 14089->14092 14093 7ff626e1df13 14089->14093 14094 7ff626e13088 32 API calls 14090->14094 14129 7ff626e1c724 14091->14129 14098 7ff626e20580 24 API calls 14092->14098 14101 7ff626e13088 32 API calls 14093->14101 14099 7ff626e1df48 14094->14099 14104 7ff626e13e38 _wfindfirst32i64 17 API calls 14095->14104 14096->14079 14100 7ff626e1df6b 14096->14100 14102 7ff626e13e38 _wfindfirst32i64 17 API calls 14097->14102 14109 7ff626e1ce4e memcpy_s 14098->14109 14099->14079 14103 7ff626e1df4c 14099->14103 14107 7ff626e13e38 _wfindfirst32i64 17 API calls 14100->14107 14105 7ff626e1df29 14101->14105 14106 7ff626e1e02a 14102->14106 14108 7ff626e13e38 _wfindfirst32i64 17 API calls 14103->14108 14104->14103 14105->14079 14105->14095 14107->14097 14108->14100 14110 7ff626e13f38 _set_errno_from_matherr 15 API calls 14109->14110 14115 7ff626e1ced8 memcpy_s 14109->14115 14111 7ff626e1d37c 14110->14111 14113 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14111->14113 14112 7ff626e1dc95 14114 7ff626e1c7f0 32 API calls 14112->14114 14113->14115 14118 7ff626e1dd44 14114->14118 14121 7ff626e1d39c memcpy_s 14115->14121 14123 7ff626e1d85a memcpy_s 14115->14123 14116 7ff626e1d78a 14116->14112 14116->14116 14117 7ff626e1e02c memcpy_s 32 API calls 14116->14117 14117->14112 14120 7ff626e1e02c memcpy_s 32 API calls 14118->14120 14128 7ff626e1dd9c 14118->14128 14119 7ff626e13f38 15 API calls _set_errno_from_matherr 14119->14123 14120->14128 14121->14116 14122 7ff626e13f38 15 API calls _set_errno_from_matherr 14121->14122 14124 7ff626e13e18 32 API calls _invalid_parameter_noinfo 14121->14124 14122->14121 14123->14112 14123->14116 14123->14119 14126 7ff626e13e18 32 API calls _invalid_parameter_noinfo 14123->14126 14124->14121 14125 7ff626e1c7f0 32 API calls 
14125->14128 14126->14123 14127 7ff626e1e02c memcpy_s 32 API calls 14127->14128 14128->14079 14128->14125 14128->14127 14130 7ff626e1c749 14129->14130 14131 7ff626e1c731 14129->14131 14130->14131 14133 7ff626e1c762 14130->14133 14132 7ff626e13f38 _set_errno_from_matherr 15 API calls 14131->14132 14137 7ff626e1c742 memcpy_s 14131->14137 14135 7ff626e1c736 14132->14135 14134 7ff626e13f38 _set_errno_from_matherr 15 API calls 14133->14134 14134->14135 14136 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14135->14136 14136->14137 14137->14020 14139 7ff626e0bfcc 36 API calls 14138->14139 14140 7ff626e179c0 memcpy_s 14139->14140 14140->14012 14142 7ff626e1ccc0 33 API calls 14141->14142 14143 7ff626e17720 14142->14143 14144 7ff626e1c724 32 API calls 14143->14144 14145 7ff626e17756 14144->14145 14146 7ff626e1775a 14145->14146 14147 7ff626e177b4 36 API calls 14145->14147 14146->14012 14147->14146 14149 7ff626e0bfcc 36 API calls 14148->14149 14150 7ff626e173d1 14149->14150 14151 7ff626e173dc 14150->14151 14152 7ff626e173f2 14150->14152 14153 7ff626e13f38 _set_errno_from_matherr 15 API calls 14151->14153 14155 7ff626e176e4 37 API calls 14152->14155 14157 7ff626e173ed memcpy_s strrchr 14152->14157 14154 7ff626e173e1 14153->14154 14156 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14154->14156 14155->14157 14156->14157 14157->14012 14159 7ff626e16a49 14158->14159 14160 7ff626e16a42 14158->14160 14159->14024 14161 7ff626e168f4 44 API calls 14160->14161 14161->14159 14163 7ff626e16843 14162->14163 14166 7ff626e1686b 14162->14166 14164 7ff626e0bfcc 36 API calls 14163->14164 14165 7ff626e1684f 14164->14165 14165->14166 14167 7ff626e1c004 40 API calls 14165->14167 14166->14024 14167->14166 14169 7ff626e16a79 14168->14169 14172 7ff626e131f8 14169->14172 14173 7ff626e13226 14172->14173 14174 7ff626e1324c 14172->14174 14176 7ff626e13f38 _set_errno_from_matherr 15 API calls 14173->14176 14174->14173 14175 7ff626e1325a 14174->14175 14177 7ff626e0bfcc 36 API calls 14175->14177 
14178 7ff626e1322b 14176->14178 14181 7ff626e13266 14177->14181 14179 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14178->14179 14192 7ff626e0c1fd 14179->14192 14182 7ff626e132bc 14181->14182 14193 7ff626e1c004 14181->14193 14183 7ff626e13336 14182->14183 14184 7ff626e13f38 _set_errno_from_matherr 15 API calls 14182->14184 14186 7ff626e13f38 _set_errno_from_matherr 15 API calls 14183->14186 14189 7ff626e13428 14183->14189 14185 7ff626e1336e 14184->14185 14187 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14185->14187 14188 7ff626e1341d 14186->14188 14187->14183 14190 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14188->14190 14191 7ff626e13f38 _set_errno_from_matherr 15 API calls 14189->14191 14189->14192 14190->14189 14191->14192 14192->13874 14194 7ff626e0bfcc 36 API calls 14193->14194 14195 7ff626e1c03e 14194->14195 14196 7ff626e190b8 36 API calls 14195->14196 14201 7ff626e1c048 14195->14201 14197 7ff626e1c06a 14196->14197 14200 7ff626e1b7ac 40 API calls 14197->14200 14198 7ff626e08820 _handle_error 8 API calls 14199 7ff626e1c0fa 14198->14199 14199->14181 14200->14201 14201->14198 14203 7ff626e0caee 14202->14203 14207 7ff626e0c9d0 14202->14207 14204 7ff626e13f38 _set_errno_from_matherr 15 API calls 14203->14204 14203->14207 14205 7ff626e0cb47 14204->14205 14206 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14205->14206 14206->14207 14207->13931 14207->13933 14209 7ff626e05aa5 14208->14209 14215 7ff626e05ad3 14208->14215 14211 7ff626e0f69c 16 API calls 14209->14211 14210 7ff626e05120 80 API calls 14212 7ff626e05b02 14210->14212 14213 7ff626e05ab5 GetShortPathNameW 14211->14213 14214 7ff626e05acb 14213->14214 14213->14215 14216 7ff626e059b0 80 API calls 14214->14216 14215->14210 14217 7ff626e05ae8 14215->14217 14216->14215 14217->13863 14219 7ff626e05a13 14218->14219 14220 7ff626e059ee 14218->14220 14222 7ff626e0f69c 16 API calls 14219->14222 14221 7ff626e01a80 80 API calls 14220->14221 14223 7ff626e05a01 14221->14223 14224 7ff626e05a25 
WideCharToMultiByte 14222->14224 14223->13863 14225 7ff626e05a50 14224->14225 14226 7ff626e05a63 14224->14226 14227 7ff626e01a80 80 API calls 14225->14227 14226->13863 14227->14226 14229 7ff626e0e816 14228->14229 14230 7ff626e0e82b 14228->14230 14231 7ff626e13f38 _set_errno_from_matherr 15 API calls 14229->14231 14230->14229 14232 7ff626e0e830 14230->14232 14233 7ff626e0e81b 14231->14233 14237 7ff626e0bae8 14232->14237 14235 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14233->14235 14236 7ff626e0199c 14235->14236 14236->13805 14244 7ff626e0ba10 EnterCriticalSection 14237->14244 14252 7ff626e0ba10 EnterCriticalSection 14245->14252 14759 7ff626e12e9c 14762 7ff626e12500 14759->14762 14769 7ff626e124b8 14762->14769 14767 7ff626e122f0 15 API calls 14768 7ff626e12528 14767->14768 14770 7ff626e124c8 14769->14770 14771 7ff626e124cd 14769->14771 14772 7ff626e122f0 15 API calls 14770->14772 14773 7ff626e124d4 14771->14773 14772->14771 14774 7ff626e124e9 14773->14774 14775 7ff626e124e4 14773->14775 14774->14767 14776 7ff626e122f0 15 API calls 14775->14776 14776->14774 14777 7ff626e16fa0 14778 7ff626e16fa5 14777->14778 14782 7ff626e16fba 14777->14782 14783 7ff626e16fc0 14778->14783 14784 7ff626e1700a 14783->14784 14785 7ff626e17002 14783->14785 14787 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14784->14787 14786 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14785->14786 14786->14784 14788 7ff626e17017 14787->14788 14789 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14788->14789 14790 7ff626e17024 14789->14790 14791 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14790->14791 14792 7ff626e17031 14791->14792 14793 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14792->14793 14794 7ff626e1703e 14793->14794 14795 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14794->14795 14796 7ff626e1704b 14795->14796 
14797 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14796->14797 14798 7ff626e17058 14797->14798 14799 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14798->14799 14800 7ff626e17065 14799->14800 14801 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14800->14801 14802 7ff626e17075 14801->14802 14803 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14802->14803 14804 7ff626e17085 14803->14804 14809 7ff626e16da8 14804->14809 14823 7ff626e19140 EnterCriticalSection 14809->14823 14825 7ff626e1fea0 14826 7ff626e1fecd 14825->14826 14827 7ff626e13f38 _set_errno_from_matherr 15 API calls 14826->14827 14832 7ff626e1fee2 14826->14832 14828 7ff626e1fed7 14827->14828 14829 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14828->14829 14829->14832 14830 7ff626e08820 _handle_error 8 API calls 14831 7ff626e201c7 14830->14831 14832->14830 14439 7ff626e12f08 14440 7ff626e12f39 14439->14440 14441 7ff626e12f21 14439->14441 14442 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14440->14442 14441->14440 14443 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14441->14443 14444 7ff626e12f4c 14442->14444 14443->14440 14445 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14444->14445 14446 7ff626e12f61 14445->14446 14447 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14446->14447 14448 7ff626e12f74 14447->14448 14449 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14448->14449 14450 7ff626e12f87 14449->14450 14451 7ff626e19b08 14452 7ff626e19b28 14451->14452 14453 7ff626e13f38 _set_errno_from_matherr 15 API calls 14452->14453 14456 7ff626e19b7c 14452->14456 14454 7ff626e19b70 14453->14454 14455 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14454->14455 14455->14456 14833 7ff626e11f8c 14834 7ff626e11fa0 14833->14834 14838 7ff626e11fa9 
14833->14838 14834->14838 14839 7ff626e1201c 14834->14839 14840 7ff626e11fb2 14839->14840 14841 7ff626e12035 14839->14841 14840->14838 14851 7ff626e12334 14840->14851 14842 7ff626e1af1c 49 API calls 14841->14842 14843 7ff626e1203a 14842->14843 14860 7ff626e1b2ac GetEnvironmentStringsW 14843->14860 14846 7ff626e12047 14849 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14846->14849 14849->14840 14850 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14850->14846 14852 7ff626e12353 14851->14852 14858 7ff626e1238a 14851->14858 14852->14838 14853 7ff626e1235b WideCharToMultiByte 14853->14852 14853->14858 14854 7ff626e13140 pre_c_initialization 15 API calls 14854->14858 14855 7ff626e123fa 14857 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14855->14857 14856 7ff626e1239f WideCharToMultiByte 14856->14855 14856->14858 14857->14852 14858->14852 14858->14853 14858->14854 14858->14855 14858->14856 14859 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14858->14859 14859->14858 14865 7ff626e1b2da WideCharToMultiByte 14860->14865 14871 7ff626e1b37e 14860->14871 14862 7ff626e1b334 14866 7ff626e13028 fread_s 16 API calls 14862->14866 14863 7ff626e1b388 FreeEnvironmentStringsW 14864 7ff626e1203f 14863->14864 14864->14846 14872 7ff626e120f0 14864->14872 14865->14862 14865->14871 14867 7ff626e1b33c 14866->14867 14868 7ff626e1b36b 14867->14868 14869 7ff626e1b344 WideCharToMultiByte 14867->14869 14870 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14868->14870 14869->14868 14870->14871 14871->14863 14871->14864 14873 7ff626e12111 14872->14873 14874 7ff626e13140 pre_c_initialization 15 API calls 14873->14874 14884 7ff626e1213f 14874->14884 14875 7ff626e121ae 14876 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14875->14876 14877 7ff626e12054 14876->14877 14877->14850 14878 7ff626e13140 pre_c_initialization 15 API calls 
14878->14884 14879 7ff626e1219f 14880 7ff626e122f0 15 API calls 14879->14880 14882 7ff626e121a7 14880->14882 14881 7ff626e13088 32 API calls 14881->14884 14885 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14882->14885 14883 7ff626e121d6 14887 7ff626e13e38 _wfindfirst32i64 17 API calls 14883->14887 14884->14875 14884->14878 14884->14879 14884->14881 14884->14883 14886 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14884->14886 14885->14875 14886->14884 14888 7ff626e121e8 14887->14888 14457 7ff626e1be0c GetProcessHeap 14458 7ff626e08b14 14461 7ff626e0906c 14458->14461 14462 7ff626e08b1d 14461->14462 14463 7ff626e09094 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 14461->14463 14463->14462 14889 7ff626e0a094 14890 7ff626e0a09d 14889->14890 14891 7ff626e0a0ae 14889->14891 14890->14891 14892 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14890->14892 14892->14891 14468 7ff626e190f8 14469 7ff626e19100 14468->14469 14471 7ff626e19131 14469->14471 14473 7ff626e1912d 14469->14473 14474 7ff626e16498 14469->14474 14479 7ff626e1915c 14471->14479 14475 7ff626e15fc0 __vcrt_uninitialize_ptd 5 API calls 14474->14475 14476 7ff626e164d3 14475->14476 14477 7ff626e164f0 InitializeCriticalSectionAndSpinCount 14476->14477 14478 7ff626e164db 14476->14478 14477->14478 14478->14469 14480 7ff626e19187 14479->14480 14481 7ff626e1918b 14480->14481 14482 7ff626e1916a DeleteCriticalSection 14480->14482 14481->14473 14482->14480 14893 7ff626e07d90 14898 7ff626e07df0 14893->14898 14896 7ff626e07eba 14897 7ff626e08820 _handle_error 8 API calls 14896->14897 14899 7ff626e07ef5 14897->14899 14898->14896 14900 7ff626e07f07 14898->14900 14901 7ff626e08c30 14900->14901 14904 7ff626e08c44 IsProcessorFeaturePresent 14901->14904 14905 7ff626e08c5a 14904->14905 14910 7ff626e08ce0 RtlCaptureContext RtlLookupFunctionEntry 14905->14910 14911 7ff626e08d10 RtlVirtualUnwind 14910->14911 
14912 7ff626e08c6e 14910->14912 14911->14912 14913 7ff626e08b28 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14912->14913 14914 7ff626e2217e 14917 7ff626e0ba1c LeaveCriticalSection 14914->14917 14918 7ff626e0b880 14919 7ff626e0b8aa 14918->14919 14920 7ff626e13140 pre_c_initialization 15 API calls 14919->14920 14921 7ff626e0b8c9 14920->14921 14922 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14921->14922 14923 7ff626e0b8d7 14922->14923 14924 7ff626e13140 pre_c_initialization 15 API calls 14923->14924 14928 7ff626e0b901 14923->14928 14925 7ff626e0b8f3 14924->14925 14927 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14925->14927 14926 7ff626e16498 6 API calls 14926->14928 14927->14928 14928->14926 14929 7ff626e0b90a 14928->14929 14930 7ff626e08980 14937 7ff626e09328 SetUnhandledExceptionFilter 14930->14937 13079 7ff626e12768 13086 7ff626e12fc0 13079->13086 13081 7ff626e1276d 13082 7ff626e19194 _isindst LeaveCriticalSection 13081->13082 13083 7ff626e12778 13082->13083 13084 7ff626e12784 13083->13084 13085 7ff626e127a0 11 API calls 13083->13085 13085->13084 13091 7ff626e17120 GetLastError 13086->13091 13088 7ff626e12fcb 13111 7ff626e130e8 13088->13111 13092 7ff626e17142 13091->13092 13093 7ff626e1713d 13091->13093 13094 7ff626e13140 pre_c_initialization 15 API calls 13092->13094 13098 7ff626e1718b 13092->13098 13095 7ff626e1634c _set_errno_from_matherr 6 API calls 13093->13095 13096 7ff626e17159 13094->13096 13095->13092 13097 7ff626e17161 13096->13097 13120 7ff626e163a4 13096->13120 13103 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 13097->13103 13100 7ff626e171a6 SetLastError 13098->13100 13101 7ff626e17190 SetLastError 13098->13101 13102 7ff626e130e8 abort 33 API calls 13100->13102 13101->13088 13105 7ff626e171b3 13102->13105 13106 7ff626e17168 13103->13106 13106->13100 13107 7ff626e1717f 13125 7ff626e16ed0 13107->13125 13144 
7ff626e11034 13111->13144 13121 7ff626e15fc0 __vcrt_uninitialize_ptd 5 API calls 13120->13121 13122 7ff626e163d7 13121->13122 13123 7ff626e163f1 TlsSetValue 13122->13123 13124 7ff626e163df 13122->13124 13123->13124 13124->13097 13124->13107 13130 7ff626e16e50 13125->13130 13142 7ff626e19140 EnterCriticalSection 13130->13142 13170 7ff626e10f08 13144->13170 13175 7ff626e19140 EnterCriticalSection 13170->13175 14488 7ff626e128e8 14489 7ff626e12929 14488->14489 14490 7ff626e128fe 14488->14490 14496 7ff626e19140 EnterCriticalSection 14490->14496 12900 7ff626e0b0d8 12901 7ff626e0b0ee 12900->12901 12902 7ff626e0b103 12900->12902 12915 7ff626e13f38 12901->12915 12914 7ff626e0ba10 EnterCriticalSection 12902->12914 12906 7ff626e0b108 12908 7ff626e0b144 33 API calls 12906->12908 12910 7ff626e0b113 12908->12910 12909 7ff626e0b0fe 12911 7ff626e0b128 12910->12911 12913 7ff626e13f38 _set_errno_from_matherr 15 API calls 12910->12913 12912 7ff626e0ba1c fread_s LeaveCriticalSection 12911->12912 12912->12909 12913->12911 12921 7ff626e171b4 GetLastError 12915->12921 12918 7ff626e13e18 12960 7ff626e13d70 12918->12960 12922 7ff626e171d8 12921->12922 12923 7ff626e171dd 12921->12923 12940 7ff626e1634c 12922->12940 12928 7ff626e17226 12923->12928 12945 7ff626e13140 12923->12945 12930 7ff626e1722b SetLastError 12928->12930 12931 7ff626e17235 SetLastError 12928->12931 12934 7ff626e0b0f3 12930->12934 12931->12934 12934->12918 12950 7ff626e15fc0 12940->12950 12943 7ff626e1638e TlsGetValue 12944 7ff626e1637f 12943->12944 12944->12923 12946 7ff626e1315f fread_s 12945->12946 12947 7ff626e13186 HeapAlloc 12946->12947 12948 7ff626e131a2 12946->12948 12947->12946 12947->12948 12949 7ff626e13f38 _set_errno_from_matherr 14 API calls 12948->12949 12949->12948 12951 7ff626e16021 12950->12951 12953 7ff626e1601c 12950->12953 12951->12943 12951->12944 12952 7ff626e16049 LoadLibraryW 12952->12953 12955 7ff626e1606a GetLastError 12952->12955 12953->12951 12953->12952 12958 7ff626e160ce 12953->12958 12959 
7ff626e160b3 FreeLibrary 12953->12959 12954 7ff626e160dc GetProcAddress 12956 7ff626e160ed 12954->12956 12955->12953 12957 7ff626e16075 LoadLibraryExW 12955->12957 12956->12951 12957->12953 12958->12951 12958->12954 12959->12953 12961 7ff626e171b4 _set_errno_from_matherr 15 API calls 12960->12961 12962 7ff626e13d9a 12961->12962 12967 7ff626e13e38 IsProcessorFeaturePresent 12962->12967 12964 7ff626e13e16 12965 7ff626e13d70 _invalid_parameter_noinfo 32 API calls 12964->12965 12966 7ff626e13e31 12965->12966 12966->12909 12968 7ff626e13e4a 12967->12968 12971 7ff626e13c0c 12968->12971 12972 7ff626e13c46 memcpy_s abort 12971->12972 12973 7ff626e13c6e RtlCaptureContext RtlLookupFunctionEntry 12972->12973 12974 7ff626e13ca8 RtlVirtualUnwind 12973->12974 12975 7ff626e13cde IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 12973->12975 12974->12975 12976 7ff626e13d30 abort 12975->12976 12979 7ff626e08820 12976->12979 12980 7ff626e0882a 12979->12980 12981 7ff626e08836 GetCurrentProcess TerminateProcess 12980->12981 12982 7ff626e08b5c IsProcessorFeaturePresent 12980->12982 12983 7ff626e08b73 12982->12983 12988 7ff626e08d50 RtlCaptureContext 12983->12988 12989 7ff626e08d6a RtlLookupFunctionEntry 12988->12989 12990 7ff626e08b86 12989->12990 12991 7ff626e08d80 RtlVirtualUnwind 12989->12991 12992 7ff626e08b28 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 12990->12992 12991->12989 12991->12990 13179 7ff626e14f58 13180 7ff626e14f99 13179->13180 13181 7ff626e14f81 13179->13181 13183 7ff626e15014 13180->13183 13187 7ff626e14fcc 13180->13187 13182 7ff626e13f18 fread_s 15 API calls 13181->13182 13184 7ff626e14f86 13182->13184 13185 7ff626e13f18 fread_s 15 API calls 13183->13185 13186 7ff626e13f38 _set_errno_from_matherr 15 API calls 13184->13186 13188 7ff626e15019 13185->13188 13189 7ff626e14f8e 13186->13189 13203 7ff626e10b9c EnterCriticalSection 13187->13203 13191 7ff626e13f38 _set_errno_from_matherr 15 API calls 
13188->13191 13193 7ff626e15021 13191->13193 13192 7ff626e14fd3 13194 7ff626e14ff8 13192->13194 13195 7ff626e14fe3 13192->13195 13196 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 13193->13196 13197 7ff626e15048 34 API calls 13194->13197 13198 7ff626e13f38 _set_errno_from_matherr 15 API calls 13195->13198 13196->13189 13199 7ff626e14ff3 13197->13199 13200 7ff626e14fe8 13198->13200 13202 7ff626e10c80 LeaveCriticalSection 13199->13202 13201 7ff626e13f18 fread_s 15 API calls 13200->13201 13201->13199 13202->13189 14497 7ff626e072f1 14498 7ff626e07302 14497->14498 14499 7ff626e07374 14498->14499 14500 7ff626e12fe8 15 API calls 14498->14500 14500->14499 14253 7ff626e0ae5c 14254 7ff626e0ae7d 14253->14254 14255 7ff626e0ae92 14253->14255 14256 7ff626e13f38 _set_errno_from_matherr 15 API calls 14254->14256 14255->14254 14257 7ff626e0ae97 14255->14257 14258 7ff626e0ae82 14256->14258 14266 7ff626e0ba10 EnterCriticalSection 14257->14266 14260 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14258->14260 14262 7ff626e0ae8d 14260->14262 14261 7ff626e0ae9c 14263 7ff626e0afd8 58 API calls 14261->14263 14264 7ff626e0aead 14263->14264 14265 7ff626e0ba1c fread_s LeaveCriticalSection 14264->14265 14265->14262 14956 7ff626e1a25c 14957 7ff626e1a292 14956->14957 14967 7ff626e1a2a8 14956->14967 14958 7ff626e13f38 _set_errno_from_matherr 15 API calls 14957->14958 14959 7ff626e1a297 14958->14959 14960 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14959->14960 14962 7ff626e1a2a1 14960->14962 14961 7ff626e1a314 14961->14961 14963 7ff626e11db4 pre_c_initialization 15 API calls 14961->14963 14966 7ff626e08820 _handle_error 8 API calls 14962->14966 14971 7ff626e1a388 14963->14971 14964 7ff626e1a402 14968 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14964->14968 14969 7ff626e1a45b 14966->14969 14967->14961 14970 7ff626e1a307 14967->14970 14979 7ff626e1a48c 14967->14979 14968->14970 14972 7ff626e1a444 14970->14972 14973 7ff626e12fe8 
Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14970->14973 14971->14964 14976 7ff626e1a476 14971->14976 14990 7ff626e1a164 14971->14990 14974 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 14972->14974 14973->14970 14974->14962 14977 7ff626e13e38 _wfindfirst32i64 17 API calls 14976->14977 14978 7ff626e1a48a 14977->14978 14980 7ff626e1a4be 14979->14980 14980->14980 14981 7ff626e13140 pre_c_initialization 15 API calls 14980->14981 14982 7ff626e1a509 14981->14982 14983 7ff626e1a164 32 API calls 14982->14983 14984 7ff626e1a53b 14983->14984 14985 7ff626e13e38 _wfindfirst32i64 17 API calls 14984->14985 14986 7ff626e1a59d memcpy_s 14985->14986 14987 7ff626e1a65a FindFirstFileExW 14986->14987 14988 7ff626e1a6c9 14987->14988 14989 7ff626e1a48c 32 API calls 14988->14989 14994 7ff626e1a179 14990->14994 14991 7ff626e1a17e 14992 7ff626e1a194 14991->14992 14993 7ff626e13f38 _set_errno_from_matherr 15 API calls 14991->14993 14992->14971 14995 7ff626e1a188 14993->14995 14994->14991 14994->14992 14997 7ff626e1a1c5 14994->14997 14996 7ff626e13e18 _invalid_parameter_noinfo 32 API calls 14995->14996 14996->14992 14997->14992 14998 7ff626e13f38 _set_errno_from_matherr 15 API calls 14997->14998 14998->14995 14999 7ff626e2225c 15000 7ff626e22278 14999->15000 15001 7ff626e2226e 14999->15001 15003 7ff626e19194 LeaveCriticalSection 15001->15003 14501 7ff626e08ae2 14502 7ff626e092d4 __scrt_is_managed_app GetModuleHandleW 14501->14502 14503 7ff626e08ae9 abort 14502->14503 14504 7ff626e221cc 14505 7ff626e221dc 14504->14505 14508 7ff626e0ba1c LeaveCriticalSection 14505->14508 15004 7ff626e10f50 15009 7ff626e19140 EnterCriticalSection 15004->15009 15010 7ff626e1a750 15011 7ff626e1a778 15010->15011 15012 7ff626e1a771 15010->15012 15013 7ff626e1a77f 15011->15013 15014 7ff626e1a7b1 15011->15014 15015 7ff626e13140 pre_c_initialization 15 API calls 15013->15015 15014->15012 15016 7ff626e1bd6c _onexit 35 API calls 15014->15016 15017 7ff626e1a78a 15015->15017 
15018 7ff626e1a7dc 15016->15018 15019 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 15017->15019 15020 7ff626e12fe8 Concurrency::details::SchedulerProxy::DeleteThis 15 API calls 15018->15020 15019->15012 15020->15012 15021 7ff626e17254 15028 7ff626e1629c 15021->15028 15024 7ff626e1726f 15025 7ff626e171b4 _set_errno_from_matherr 15 API calls 15026 7ff626e17278 15025->15026 15026->15024 15033 7ff626e17290 15026->15033 15029 7ff626e15fc0 __vcrt_uninitialize_ptd 5 API calls 15028->15029 15030 7ff626e162c8 15029->15030 15031 7ff626e162e0 TlsAlloc 15030->15031 15032 7ff626e162d0 15030->15032 15031->15032 15032->15024 15032->15025 15034 7ff626e172a4 15033->15034 15035 7ff626e1729f 15033->15035 15034->15024 15037 7ff626e162f4 15035->15037 15038 7ff626e15fc0 __vcrt_uninitialize_ptd 5 API calls 15037->15038 15039 7ff626e1631f 15038->15039 15040 7ff626e16336 TlsFree 15039->15040 15041 7ff626e16327 15039->15041 15040->15041 15041->15034 14334 7ff626e184d4 14335 7ff626e186d0 14334->14335 14338 7ff626e18513 _isindst 14334->14338 14336 7ff626e13f38 _set_errno_from_matherr 15 API calls 14335->14336 14337 7ff626e18693 14336->14337 14339 7ff626e08820 _handle_error 8 API calls 14337->14339 14338->14335 14341 7ff626e185a0 _isindst 14338->14341 14340 7ff626e186eb 14339->14340 14359 7ff626e1ec94 14341->14359 14346 7ff626e18728 14347 7ff626e13e38 _wfindfirst32i64 17 API calls 14346->14347 14349 7ff626e1873d 14347->14349 14351 7ff626e18713 14353 7ff626e13e38 _wfindfirst32i64 17 API calls 14351->14353 14353->14346 14355 7ff626e186ff 14356 7ff626e13e38 _wfindfirst32i64 17 API calls 14355->14356 14356->14351 14357 7ff626e185f9 14357->14337 14385 7ff626e1ecd0 14357->14385 14360 7ff626e185bb 14359->14360 14361 7ff626e1eca2 14359->14361 14367 7ff626e1e1c8 14360->14367 14392 7ff626e19140 EnterCriticalSection 14361->14392 14363 7ff626e1ecaa 14365 7ff626e1eb8c 46 API calls 14363->14365 14366 7ff626e1ecba 14363->14366 14364 7ff626e19194 _isindst LeaveCriticalSection 

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                                                  • String ID: ?
                                                  • API String ID: 3440502458-1684325040
                                                  • Opcode ID: f099517cce63619e677fb5fb01d5383985bf31eee4a700021e7e49d293da68bb
                                                  • Instruction ID: 1a4ba757b44120556430f7b9d62257cfc8a58fa5e24f057e758f8d99db12cfca
                                                  • Opcode Fuzzy Hash: f099517cce63619e677fb5fb01d5383985bf31eee4a700021e7e49d293da68bb
                                                  • Instruction Fuzzy Hash: ADE1F232A0C2824AFF24AF31AC415B96B91FF84784F444175FA8E83A95DF7EEC419742

                                                  Control-flow Graph

                                                  APIs
                                                  • GetTempPathW.KERNEL32(?,00000000,?,00007FF626E042ED), ref: 00007FF626E043CE
                                                  • GetCurrentProcessId.KERNEL32(?,00000000,?,00007FF626E042ED), ref: 00007FF626E043D4
                                                    • Part of subcall function 00007FF626E04560: GetEnvironmentVariableW.KERNEL32(00007FF626E025DA), ref: 00007FF626E0459A
                                                    • Part of subcall function 00007FF626E04560: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF626E045B7
                                                    • Part of subcall function 00007FF626E056C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E056F6
                                                    • Part of subcall function 00007FF626E056C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E05750
                                                    • Part of subcall function 00007FF626E10664: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1067D
                                                  • SetEnvironmentVariableW.KERNEL32(?,00000000,?,00007FF626E042ED), ref: 00007FF626E04494
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Environment$ByteCharMultiVariableWide$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
                                                  • String ID: TMP$_MEI%d
                                                  • API String ID: 850739655-1047136609
                                                  • Opcode ID: 4995e3d7b55c7563fd9c290543a21def303982ee1a7dce3758431a23acdf73f7
                                                  • Instruction ID: ec4d056d44a0875780ddc16205bfa5ff9d7e0fb79d69b1a78ee3ade3ec944aa5
                                                  • Opcode Fuzzy Hash: 4995e3d7b55c7563fd9c290543a21def303982ee1a7dce3758431a23acdf73f7
                                                  • Instruction Fuzzy Hash: CF518211B2D647C0EE54BB26BE156BE5241AF89BC0F845035EDCEE7B97DD2EE0018702
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentVariable$strchrwcschr
                                                  • String ID:
                                                  • API String ID: 2618829048-0
                                                  • Opcode ID: 38be96f683aac3bb490e1206ff08020bfe383a29a2948ad5682a918f71349002
                                                  • Instruction ID: 1c898e976c5932c243afad8e3fee505862eaafc358180a52be38e1bf5974b1c8
                                                  • Opcode Fuzzy Hash: 38be96f683aac3bb490e1206ff08020bfe383a29a2948ad5682a918f71349002
                                                  • Instruction Fuzzy Hash: A8F1FE21E0D65241FE21AB269C442B92690AF21BA0F084675DEFDD73D1DE7FEC42A342
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _get_daylight$_isindst
                                                  • String ID:
                                                  • API String ID: 4170891091-0
                                                  • Opcode ID: d5eeda719bd18130e753a87b16964e5977d1f2ef54ac4c2fa4a9ea025e11ae79
                                                  • Instruction ID: 69561622c22414c82b4287c397fcefd4e550da29712ecd59cdad6a4f9e899169
                                                  • Opcode Fuzzy Hash: d5eeda719bd18130e753a87b16964e5977d1f2ef54ac4c2fa4a9ea025e11ae79
                                                  • Instruction Fuzzy Hash: 54612572F2C20586FF28DF649D517BE33A6AB50398F400235DEAD96AC4DF3DA8058702

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: htonl$_fread_nolock_invalid_parameter_noinfo
                                                  • String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file.$fread$malloc
                                                  • API String ID: 235321421-2332847760
                                                  • Opcode ID: 6a1e080f936852c182ab77671831a9ca9dba19baed2860e359b0007243bdb1c8
                                                  • Instruction ID: 6e73ce65d50edf41742d7a72e361bca13ee7e3e58bb3eadae813cc716572292d
                                                  • Opcode Fuzzy Hash: 6a1e080f936852c182ab77671831a9ca9dba19baed2860e359b0007243bdb1c8
                                                  • Instruction Fuzzy Hash: 7A319E31F1C50282EF04EB74DC613B823A1AF94B58F584530E59DDB2DAEE3EE8818702

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: htonl$_fread_nolock
                                                  • String ID: Cannot open archive file$Could not allocate read buffer$Could not read from file$Error decompressing %s
                                                  • API String ID: 941911645-3387914768
                                                  • Opcode ID: 7e0ec647f90901047cc0c2dd4b46abb51097effe98527717440f83fa267ccbc6
                                                  • Instruction ID: 666983f5b355849d76b4f9dec96d7f6fc3caae3a2a825292ca8ea84865cd0b58
                                                  • Opcode Fuzzy Hash: 7e0ec647f90901047cc0c2dd4b46abb51097effe98527717440f83fa267ccbc6
                                                  • Instruction Fuzzy Hash: FC31A221B1C54285EF44EB65E9513B923A0EF487C4F440431EA8DDBB8AEE2EE9918702

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                  • String ID:
                                                  • API String ID: 1330151763-0
                                                  • Opcode ID: 4e312cbdaea06996988d8d323f6e4bff09b570e26b286370dc240ebc8d32d696
                                                  • Instruction ID: 07af31ef1d2b3d15750313b70b59450b16f26df0a33fd409d12903f076430b7d
                                                  • Opcode Fuzzy Hash: 4e312cbdaea06996988d8d323f6e4bff09b570e26b286370dc240ebc8d32d696
                                                  • Instruction Fuzzy Hash: 59C1CF33B28A418AEF108B65D8513AC37A1EB497A8F040235DAAE977D5CF39E855D342

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                                  • String ID:
                                                  • API String ID: 552178382-0
                                                  • Opcode ID: 70968b06e30dede323ce45a542f067e5329e95d33d1afdf5ff1aeb90018d2c88
                                                  • Instruction ID: 49529b2b1f6cb4eef05084b4a67a5bbd8aa61757e0a72d9582483c5ee789860b
                                                  • Opcode Fuzzy Hash: 70968b06e30dede323ce45a542f067e5329e95d33d1afdf5ff1aeb90018d2c88
                                                  • Instruction Fuzzy Hash: 6A31CD21E0C24342FE50AB609C553BA23A1AF55784F504034EAEEEB6D7DE2FE844CB13

                                                  Control-flow Graph

                                                  APIs
                                                  • _get_daylight.LIBCMT ref: 00007FF626E1E9DB
                                                    • Part of subcall function 00007FF626E1E228: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1E23C
                                                  • _get_daylight.LIBCMT ref: 00007FF626E1E9EC
                                                    • Part of subcall function 00007FF626E1E1C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1E1DC
                                                  • _get_daylight.LIBCMT ref: 00007FF626E1E9FD
                                                    • Part of subcall function 00007FF626E1E1F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1E20C
                                                    • Part of subcall function 00007FF626E12FE8: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,00000000,00007FF626E17203,?,?,?,00007FF626E13F41,?,?,?,?,00007FF626E131A7,?,?,00000000), ref: 00007FF626E12FFE
                                                    • Part of subcall function 00007FF626E12FE8: GetLastError.KERNEL32(?,?,00000000,00007FF626E17203,?,?,?,00007FF626E13F41,?,?,?,?,00007FF626E131A7,?,?,00000000), ref: 00007FF626E13010
                                                  • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E1EC5D), ref: 00007FF626E1EA24
                                                  • WideCharToMultiByte.KERNEL32 ref: 00007FF626E1EABA
                                                  • WideCharToMultiByte.KERNEL32 ref: 00007FF626E1EB06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
                                                  • String ID: ?
                                                  • API String ID: 2482340769-1684325040
                                                  • Opcode ID: 72438becd4922dd198cc2389288b6e69ac15e9d92133e9b32c1eaf00b3400806
                                                  • Instruction ID: d9daaf8e6577f528f1578e58f1e2a5693c73136a7678b9cf95285e9c2cc9b76e
                                                  • Opcode Fuzzy Hash: 72438becd4922dd198cc2389288b6e69ac15e9d92133e9b32c1eaf00b3400806
                                                  • Instruction Fuzzy Hash: 5C617032A0C6428AEF60AF21AC805B977A4FF44794F540175FA8DC3A95DF7DD841D781

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00007FF626E056C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E056F6
                                                    • Part of subcall function 00007FF626E11320: SetConsoleCtrlHandler.KERNEL32(?,00007FF626E04C70,00000000,00007FF626E027B0), ref: 00007FF626E1138D
                                                    • Part of subcall function 00007FF626E11320: GetLastError.KERNEL32(?,00007FF626E04C70,00000000,00007FF626E027B0), ref: 00007FF626E113A8
                                                  • GetStartupInfoW.KERNEL32 ref: 00007FF626E04CA7
                                                    • Part of subcall function 00007FF626E102C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E102DC
                                                    • Part of subcall function 00007FF626E10E90: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E10EF7
                                                  • GetCommandLineW.KERNEL32 ref: 00007FF626E04D2F
                                                  • CreateProcessW.KERNELBASE ref: 00007FF626E04D71
                                                  • WaitForSingleObject.KERNEL32 ref: 00007FF626E04D83
                                                  • GetExitCodeProcess.KERNELBASE ref: 00007FF626E04D93
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
                                                  • String ID: CreateProcessW$Error creating child process!
                                                  • API String ID: 1742298069-3524285272
                                                  • Opcode ID: 05d262c293b487762f3dbad098e564223b159d77222357447265fbdf363835cf
                                                  • Instruction ID: ad287d7ef93f3fc4b7d414a6db47bbc5b5166a037bbb9824f7bd3cdf001a553f
                                                  • Opcode Fuzzy Hash: 05d262c293b487762f3dbad098e564223b159d77222357447265fbdf363835cf
                                                  • Instruction Fuzzy Hash: 4A416232A0C68286DF10DB60F8452EEB3A1FF94350F504535E6CD93A9AEF7DD5548B41

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: htonl
                                                  • String ID: 1.2.11$Error %d from inflate: %s$Error %d from inflateInit: %s$Error allocating decompression buffer
                                                  • API String ID: 2009864989-3188157777
                                                  • Opcode ID: f313091ccf6ae85b35453b0967b088e56e4400c39107b9d31981af0b285c4612
                                                  • Instruction ID: 4b53907c29e55d1b967fb7e8b33dca3e1ec63ee417067a01b2765aaf208f196a
                                                  • Opcode Fuzzy Hash: f313091ccf6ae85b35453b0967b088e56e4400c39107b9d31981af0b285c4612
                                                  • Instruction Fuzzy Hash: 16217F31A1C68292EF50DB50EC413AA63A0FB88380F544135EACDD7A99EF3EE5158B42

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 1f29cd5de6ebf1c15664a9e03e71a1f160410583f69693746160ba96e00a23a5
                                                  • Instruction ID: d19d0137468bd7bec9f7a26f6c6befdf023f500a9a9c9831a32aa86c23b7e604
                                                  • Opcode Fuzzy Hash: 1f29cd5de6ebf1c15664a9e03e71a1f160410583f69693746160ba96e00a23a5
                                                  • Instruction Fuzzy Hash: 5EC1DF62A0C68281EF608F1498407BD6B65BF81B84F5541B4EADE877D5CF3EEC45E702

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: _fread_nolock$fread_s
                                                  • String ID: M$Z
                                                  • API String ID: 184871262-4250246861
                                                  • Opcode ID: 0c6223039834f2c997cfbdc4da033cd8e4098f13f587316de20ef7190b74eaf0
                                                  • Instruction ID: a78eb49a2f3bdf9549248b16363edc1b29a3f5250df2a050d262a7c95c2009e2
                                                  • Opcode Fuzzy Hash: 0c6223039834f2c997cfbdc4da033cd8e4098f13f587316de20ef7190b74eaf0
                                                  • Instruction Fuzzy Hash: 4D21F062A2C04982EF60DA66E8507AE7311EB95754F405131FA8EC7ACADF3ED845CF02

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$_invalid_parameter_noinfo
                                                  • String ID: Cannot allocate memory for ARCHIVE_STATUS$Cannot open self %s or archive %s$_MEIPASS2$calloc
                                                  • API String ID: 4226448076-3874408297
                                                  • Opcode ID: c73c0e1792cf7f47f3200989978f29864479dd6755149621367ef767661f5d49
                                                  • Instruction ID: 53a9059b4a0b34b671506939b5da43a1cff30e6f1d45e4ac4819857631f88c6f
                                                  • Opcode Fuzzy Hash: c73c0e1792cf7f47f3200989978f29864479dd6755149621367ef767661f5d49
                                                  • Instruction Fuzzy Hash: 8881F531E0C68695EE24AB31AD952FD6391EF847D0F404131EADDA76CADF3EE1058702

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: htonl
                                                  • String ID: %s could not be extracted!$Failed to write all bytes for %s$fopen$fwrite
                                                  • API String ID: 2009864989-741305175
                                                  • Opcode ID: d29f56765d5a13e96dfbe2e32c0c286016e32006d46fefaa43b2e9c7eecbddac
                                                  • Instruction ID: a72c0ae14d2835d754f7a71171870c3c63278677cf1d0a1149a7a34dfcfa1022
                                                  • Opcode Fuzzy Hash: d29f56765d5a13e96dfbe2e32c0c286016e32006d46fefaa43b2e9c7eecbddac
                                                  • Instruction Fuzzy Hash: 0221D420F1C94381EE1097A6BD001F96361EF41BE4F184131EEADEBBD6DE2EE5418702

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 822 (node and edge listing omitted; named API calls in the graph: WriteFile, GetLastError, GetConsoleMode)
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 2f7bcaecceb36eecdccf574391bf900be0cffb0692915f96fe00f067866c602e
                                                  • Instruction ID: 9225799e5b512a6311ebb2c509932f0ba7f348d9e579507d79d129b6254e51f3
                                                  • Opcode Fuzzy Hash: 2f7bcaecceb36eecdccf574391bf900be0cffb0692915f96fe00f067866c602e
                                                  • Instruction Fuzzy Hash: 8681D2A2F2C60289FF109F259C806BD27A0BB44B88F444175DE8E976D5DF3EAC45E712

                                                  Control-flow Graph

                                                  APIs
                                                  • GetProcAddress.KERNEL32(?,?,00000003,00007FF626E163D7,?,?,00000000,00007FF626E17213,?,?,?,00007FF626E13F41), ref: 00007FF626E160E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: AddressProc
                                                  • String ID:
                                                  • API String ID: 190572456-0
                                                  • Opcode ID: e4f38beb4a091d050f27c2334aa2686840f91458448eacaec98016cc0bf5d900
                                                  • Instruction ID: 7b7cf435d63eb354fa3a7bc8dc188ac2549378818f47e4cd91ca2473972b9c74
                                                  • Opcode Fuzzy Hash: e4f38beb4a091d050f27c2334aa2686840f91458448eacaec98016cc0bf5d900
                                                  • Instruction Fuzzy Hash: 234127A1B0DA4281FE258B12AC006B56396BF44BD0F294675DD9DCBB84FF3FE8449742
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: FileHandleType
                                                  • String ID: @
                                                  • API String ID: 3000768030-2766056989
                                                  • Opcode ID: 684ce04248267d855382c620c221f8df4a26059d37e9916bf26084109412f334
                                                  • Instruction ID: d46bde08ba803a1a33abbb3f8777a34a5a85a2370c58573e4659876d787b3e46
                                                  • Opcode Fuzzy Hash: 684ce04248267d855382c620c221f8df4a26059d37e9916bf26084109412f334
                                                  • Instruction Fuzzy Hash: 652181A3A1CA4281EF608B289C901392665EB45774F281375D6EE877D4CE3EEC81E342
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastNamedPeekPipeType
                                                  • String ID:
                                                  • API String ID: 1388729460-0
                                                  • Opcode ID: 731317a3404dea321fefb9282ee467258c4f9cec5d501f90ba24f0a36c15a993
                                                  • Instruction ID: ee5c63ba9bd3676b9e265d5057e0cfbc8df8300f0c859f54c16e1ccc7f9528bb
                                                  • Opcode Fuzzy Hash: 731317a3404dea321fefb9282ee467258c4f9cec5d501f90ba24f0a36c15a993
                                                  • Instruction Fuzzy Hash: A051CB62A0C65289EF10CB71DC403BD33A1BB44B68F144634DEADA77C9DF39D8168742
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleType_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 1405040552-0
                                                  • Opcode ID: fe5eef5ee4e3644145924420639b586b664da7bb89814c748e8b48b74c0fb88c
                                                  • Instruction ID: 933f1c190a326d0ebc892a46f723761f465d93b5ffeeb44578733168aa7f2490
                                                  • Opcode Fuzzy Hash: fe5eef5ee4e3644145924420639b586b664da7bb89814c748e8b48b74c0fb88c
                                                  • Instruction Fuzzy Hash: ED51A222A1C74146FA609F25AC012BD76A0BF943A4F149334EEED62AD2DF3DE5819742
                                                  APIs
                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E0F113), ref: 00007FF626E0F270
                                                  • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E0F113), ref: 00007FF626E0F284
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E0F113), ref: 00007FF626E0F2D1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Time$System$ErrorFileLastLocalSpecific
                                                  • String ID:
                                                  • API String ID: 2674341965-0
                                                  • Opcode ID: e7d5c1ce460788a976e03217c2461d1d5aee4c25f04631c192cb23a35b3136c1
                                                  • Instruction ID: 77a038f46635a8b4f03c7afc611255bbffe63ceba40b4786c90e198c38fdecc6
                                                  • Opcode Fuzzy Hash: e7d5c1ce460788a976e03217c2461d1d5aee4c25f04631c192cb23a35b3136c1
                                                  • Instruction Fuzzy Hash: 11116D21F1C65289FF509B7098111BD26A1AF04B35F500335EEFEA6AD8EF3D94608712
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 6af1f5f4e259511a7fd2ca9a09745217329c0a7cbc39c5daa09a01073255fccb
                                                  • Instruction ID: 925ae2d7685fa60ff2529454d2bc2acded75d89264859baa99ea09a6f2afea1a
                                                  • Opcode Fuzzy Hash: 6af1f5f4e259511a7fd2ca9a09745217329c0a7cbc39c5daa09a01073255fccb
                                                  • Instruction Fuzzy Hash: 22E04F28B0C30B86EE446B219C8177A23535F84741F104479C88E87792DE3FA8889B12
                                                  APIs
                                                    • Part of subcall function 00007FF626E056C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E056F6
                                                  • _findclose.LIBCMT ref: 00007FF626E04B33
                                                    • Part of subcall function 00007FF626E1150C: DeleteFileW.KERNELBASE ref: 00007FF626E11510
                                                    • Part of subcall function 00007FF626E1150C: GetLastError.KERNEL32 ref: 00007FF626E1151A
                                                  • Sleep.KERNEL32(?,00007FF626E027C3), ref: 00007FF626E04B07
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharDeleteErrorFileLastMultiSleepWide_findclose
                                                  • String ID:
                                                  • API String ID: 418668421-0
                                                  • Opcode ID: b3fbe084964f4479d1104facad523a46690e1497d39bd93e145c217fa8770c2f
                                                  • Instruction ID: 29a154886dbcdce377bf56cb817d61053579767b07ceeda4290bc15e4322e17f
                                                  • Opcode Fuzzy Hash: b3fbe084964f4479d1104facad523a46690e1497d39bd93e145c217fa8770c2f
                                                  • Instruction Fuzzy Hash: A3A1B252E18BC1C5EB259F28CA012FC2360FBA8B48F849321EBDC56596EF25E6C5C301
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: ecf3264a030f1d94219489a15d86942b3c015555ea4854584f75f4fe9a16eb75
                                                  • Instruction ID: da01280924d0f350a49d84d3bb7924e4875c98d7e5c2f86ec18d6a2927d405e1
                                                  • Opcode Fuzzy Hash: ecf3264a030f1d94219489a15d86942b3c015555ea4854584f75f4fe9a16eb75
                                                  • Instruction Fuzzy Hash: 33612B21B0D64A46EE34DE399C0037A6691AF44BA8F044734DDEDE77DADE3ED4019B02
                                                  APIs
                                                  • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF626E13FA3,?,?,00000000,00007FF626E1404B,?,?,?,?,?,?,00007FF626E0AA1E), ref: 00007FF626E140D3
                                                  • GetLastError.KERNEL32(?,?,?,00007FF626E13FA3,?,?,00000000,00007FF626E1404B,?,?,?,?,?,?,00007FF626E0AA1E), ref: 00007FF626E140DD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ChangeCloseErrorFindLastNotification
                                                  • String ID:
                                                  • API String ID: 1687624791-0
                                                  • Opcode ID: 330a491f5bc223d93eb8a7ba1c531ec1200787dd13d3c5c7f4932ceea18e02bb
                                                  • Instruction ID: 316590450c3b6e14956e9ef7dcae55605de3845f739ddf45ca3df5d57ffe1ce8
                                                  • Opcode Fuzzy Hash: 330a491f5bc223d93eb8a7ba1c531ec1200787dd13d3c5c7f4932ceea18e02bb
                                                  • Instruction Fuzzy Hash: 7311C811F0C68381FE9457769D9537C16C29F94764F5402B4DAAEC73D2DEAEAC84A303
                                                  APIs
                                                  • SetFilePointerEx.KERNELBASE(?,?,00000000,00007FF626E15A82,?,?,?,?,?,?,?,?,?,?,?,00007FF626E159A4), ref: 00007FF626E1508C
                                                  • GetLastError.KERNEL32(?,?,00000000,00007FF626E15A82,?,?,?,?,?,?,?,?,?,?,?,00007FF626E159A4), ref: 00007FF626E15096
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1573962326.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000000.00000002.1573937231.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574029581.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574098574.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1574182303.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer
                                                  • String ID:
                                                  • API String ID: 2976181284-0
                                                  APIs
                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E107B1), ref: 00007FF626E1095D
                                                  • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E107B1), ref: 00007FF626E10973
                                                  Similarity
                                                  • API ID: Time$System$FileLocalSpecific
                                                  • String ID:
                                                  • API String ID: 1707611234-0
                                                  APIs
                                                  • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,00000000,00007FF626E17203,?,?,?,00007FF626E13F41,?,?,?,?,00007FF626E131A7,?,?,00000000), ref: 00007FF626E12FFE
                                                  • GetLastError.KERNEL32(?,?,00000000,00007FF626E17203,?,?,?,00007FF626E13F41,?,?,?,?,00007FF626E131A7,?,?,00000000), ref: 00007FF626E13010
                                                  Similarity
                                                  • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                  • String ID:
                                                  • API String ID: 588628887-0
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID:
                                                  • API String ID: 2018770650-0
                                                  Similarity
                                                  • API ID: DirectoryErrorLastRemove
                                                  • String ID:
                                                  • API String ID: 377330604-0
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID: HandleModule$AddressFreeLibraryProc
                                                  • String ID:
                                                  • API String ID: 3947729631-0
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID: _fread_nolockfread_s
                                                  • String ID:
                                                  • API String ID: 3465328306-0
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: CreateDirectory
                                                  • String ID:
                                                  • API String ID: 4241100979-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  • GetProcAddress.KERNEL32(?,?,00000000,00007FF626E020FE,00000000,00007FF626E0273E), ref: 00007FF626E02BC6
                                                  • GetProcAddress.KERNEL32(?,?,00000000,00007FF626E020FE,00000000,00007FF626E0273E), ref: 00007FF626E02C03
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressProc$ErrorLast
                                                  • String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_SetAttrString$Failed to get address for PyRun_SimpleString$Failed to get address for PyString_FromFormat$Failed to get address for PyString_FromString$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_VerboseFlag$Failed to get address for _Py_char2wchar$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Occurred$PyErr_Print$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyModule_GetDict$PyObject_CallFunction$PyObject_SetAttrString$PyRun_SimpleString$PyString_FromFormat$PyString_FromString$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_VerboseFlag$_Py_char2wchar
                                                  • API String ID: 4214558900-311823549
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfomemcpy_s$fegetenv
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 281475176-2761157908
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E04FD0
                                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E0501A
                                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E05043
                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E05056
                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E05069
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                    • Part of subcall function 00007FF626E05120: GetLastError.KERNEL32(00000000,00007FF626E05B02,?,?,?,00007FF626E05652), ref: 00007FF626E05147
                                                    • Part of subcall function 00007FF626E05120: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF626E01B40), ref: 00007FF626E05176
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressByteCharErrorLastMultiProcWide$FormatLibraryLoadMessage
                                                  • String ID: 8$ActivateActCtx$CreateActCtxW$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$kernel32
                                                  • API String ID: 148262030-1940978792
                                                  • Opcode ID: 6a8008c061f2035e4ecc8e28484d5cc8c202b5daa14a250084cad5d51374a0ae
                                                  • Instruction ID: 9fa26ce239c5a0802fd293542da54bba78226dcad0feee4d9ec950c57267a94f
                                                  • Opcode Fuzzy Hash: 6a8008c061f2035e4ecc8e28484d5cc8c202b5daa14a250084cad5d51374a0ae
                                                  • Instruction Fuzzy Hash: D9414721A0DB4381EB509B15FD0416972A6FF847A0F544236EAED93BE4EF3ED4158742
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,00007FF626E05B02,?,?,?,00007FF626E05652), ref: 00007FF626E05147
                                                  • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF626E01B40), ref: 00007FF626E05176
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF626E01B40), ref: 00007FF626E051CA
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorLast$ByteCharFormatMessageMultiWide
                                                  • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                  • API String ID: 2383786077-2573406579
                                                  • Opcode ID: b62dc68774a4263bbf2c738e764c0ac0a57dd6dba59a1b44175ba69e93919a4c
                                                  • Instruction ID: 4cf1a160b0644e649a1a0d3cd58030fcfc02d15376623b97679b65c3a90f2ed0
                                                  • Opcode Fuzzy Hash: b62dc68774a4263bbf2c738e764c0ac0a57dd6dba59a1b44175ba69e93919a4c
                                                  • Instruction Fuzzy Hash: 94217F71A1CA4381EF249B11FD547B623A6FF88384F800035E6CDD2AA4EF3DD1198B02
                                                  APIs
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: ba2cec4d47ba792ca5de36d595d6074de58dfd940a2d9bc65a45872d72ba5cc0
                                                  • Instruction ID: 6837fd650e085777d7ddec2baddfd33f4bbf35c379187682249e49511bb1ed87
                                                  • Opcode Fuzzy Hash: ba2cec4d47ba792ca5de36d595d6074de58dfd940a2d9bc65a45872d72ba5cc0
                                                  • Instruction Fuzzy Hash: A3315C32618B8286DF608F25EC406AE73A4FB88754F500136EA9D87B94EF3DD545CB01
                                                  APIs
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1A29C
                                                    • Part of subcall function 00007FF626E13E38: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF626E13E16), ref: 00007FF626E13E41
                                                    • Part of subcall function 00007FF626E13E38: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF626E13E16), ref: 00007FF626E13E65
                                                  Strings
                                                  Similarity
                                                  • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                  • String ID: *$.$.
                                                  • API String ID: 4036615347-2112782162
                                                  • Opcode ID: 7aa148a33139f1f71c608de35969d93d1225779c3fd3bd3f4bf4345f8d90599c
                                                  • Instruction ID: 27f9371ccc3254dfe58ddfb82da7caf941bcbadf789354af14d353dab0b7b85f
                                                  • Opcode Fuzzy Hash: 7aa148a33139f1f71c608de35969d93d1225779c3fd3bd3f4bf4345f8d90599c
                                                  • Instruction Fuzzy Hash: 9551FE62F18B5185FF10DBAA9C042BD63A0BB48BC8F548135CE9DA7B85EE3DD8429311
                                                  APIs
                                                  Similarity
                                                  • API ID: memcpy_s
                                                  • String ID:
                                                  • API String ID: 1502251526-0
                                                  • Opcode ID: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
                                                  • Instruction ID: 6709a9b44f1717bf04c32280ee6fd96d73544d6c4164c09076688f9f3f3c62b1
                                                  • Opcode Fuzzy Hash: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
                                                  • Instruction Fuzzy Hash: 6AD18072B1C68687DB24CF15A58466AB7A1FB98B84F148134DB8ED7B44DE3DEC41EB00
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: invalid distance code$invalid distance too far back$invalid literal/length code
                                                  • API String ID: 0-3255898291
                                                  • Opcode ID: df2bdb3f904165255070f63fb3bded72e43a715e3a86da31a5fc8c3b671a6752
                                                  • Instruction ID: bb8eb3a87bb1b21fd94a050638ab0b8c15e09d7bf5c54ccd0bfaf9eb0a786d08
                                                  • Opcode Fuzzy Hash: df2bdb3f904165255070f63fb3bded72e43a715e3a86da31a5fc8c3b671a6752
                                                  • Instruction Fuzzy Hash: 6FD12832A1C6D18BDF198F29D85427E3BA1E7A5390F058136EAEA937C1DE3DD509C701
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .
                                                  • API String ID: 0-248832578
                                                  • Opcode ID: 51374ee0a9e6cb9ca21f42f648de551d91d19995cfe0da1c87dcd514034d2faa
                                                  • Instruction ID: adbd8c80b6ad25b173cc270d83ccc6c2b841bb454e963a467a38a2db853c02d9
                                                  • Opcode Fuzzy Hash: 51374ee0a9e6cb9ca21f42f648de551d91d19995cfe0da1c87dcd514034d2faa
                                                  • Instruction Fuzzy Hash: F2315922B1C6D544EF209F7AAC046B6B691FB50BE4F048631EEAD87BC5DE3DD8419301
                                                  APIs
                                                  Similarity
                                                  • API ID: ExceptionRaise_clrfp
                                                  • String ID:
                                                  • API String ID: 15204871-0
                                                  • Opcode ID: 52b8c26ba367929151244b24ead60c3139cb2dfa4fe7cbca3775eafa54bcb224
                                                  • Instruction ID: 830031c55bb50b413c8ac7e0072ee32f4aae9d3f9a39735bc17089c34ab867e9
                                                  • Opcode Fuzzy Hash: 52b8c26ba367929151244b24ead60c3139cb2dfa4fe7cbca3775eafa54bcb224
                                                  • Instruction Fuzzy Hash: 41B15E77604B898BEB19CF29C8463A83BA1F744B48F158931DB9D87BA8CF3AD551C701
                                                  APIs
                                                  Similarity
                                                  • API ID: _get_daylight_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 474895018-0
                                                  • Opcode ID: 2d18977413d655dc6c8e408144264a8bdc1e39c2b52aedb6140ccbb5ae789ee2
                                                  • Instruction ID: b4504ac9e72ef2ea17133c1acb1aeb9bfe974f9e1c419414d6def2b4e6e9c9f2
                                                  • Opcode Fuzzy Hash: 2d18977413d655dc6c8e408144264a8bdc1e39c2b52aedb6140ccbb5ae789ee2
                                                  • Instruction Fuzzy Hash: D5710422B0C28282FF648B299C5467C62D1AF44370F2446B5DAEDC76C5DE7EEC42A743
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: TMP
                                                  • API String ID: 3215553584-3125297090
                                                  • Opcode ID: 09be23874ea24f12acadf7a5f230c63a3cb302d9a7ceeb0b3ca021393c71686b
                                                  • Instruction ID: 7e79658b50ec723287195da538998c77953ec5ac0e0ffe399da8de455ca402c5
                                                  • Opcode Fuzzy Hash: 09be23874ea24f12acadf7a5f230c63a3cb302d9a7ceeb0b3ca021393c71686b
                                                  • Instruction Fuzzy Hash: 0B711525F1C25601FE28AB265D015BA5291AF45BC4F588075DEDEC3BD5EE3FEC42A302
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: 0
                                                  • API String ID: 3215553584-4108050209
                                                  • Opcode ID: 9f4c5407e109a6a080354f9c02f0db549f3ea58df04abcd58b4027449d4bc1ee
                                                  • Instruction ID: c0c5510f18e7ed5c8b4022a18d6d968d4830823c50f7424d03a731bb739cd0e6
                                                  • Opcode Fuzzy Hash: 9f4c5407e109a6a080354f9c02f0db549f3ea58df04abcd58b4027449d4bc1ee
                                                  • Instruction Fuzzy Hash: 8081E626A2C20686FEA89A15A94067E3390EF41B48F581531DDCDF76D5CF3FE846C742
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: 0
                                                  • API String ID: 3215553584-4108050209
                                                  • Opcode ID: 74dcee436b559ad53bd5e083cad9013d74d93bd80b661b50ca22568b58697a90
                                                  • Instruction ID: 870876b3b6de65c07c0e316a4d8699d2a4c9a456ef9f9213ec6c88f33c4cbc39
                                                  • Opcode Fuzzy Hash: 74dcee436b559ad53bd5e083cad9013d74d93bd80b661b50ca22568b58697a90
                                                  • Instruction Fuzzy Hash: D5712821A0C24386FF689A699C4027E6792AF41B44F141531DDCCF76DADE2FE84AC743
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: 0
                                                  • API String ID: 3215553584-4108050209
                                                  • Opcode ID: 5c66c6e0aff52e3a814ff90621c8c0917536b0a8d7c9c9eed1f23e2114802e5e
                                                  • Instruction ID: 336681b3f1dd276530f08c9f9ccbc36fb8a7396d8055608e90979f38a5208572
                                                  • Opcode Fuzzy Hash: 5c66c6e0aff52e3a814ff90621c8c0917536b0a8d7c9c9eed1f23e2114802e5e
                                                  • Instruction Fuzzy Hash: CE710621A1C38286FF788A29984827D6790AF49B44F141535DDC8FB7DACE2FF8468743
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @
                                                  • API String ID: 0-2766056989
                                                  • Opcode ID: fb1d2149d45884ab0086f0bbf4783de7e5564a29e5253685282fd7522903ec34
                                                  • Instruction ID: 1b63eeac94b82dc0cdd2f156c068e8d827296f483d11e3d7f03b706e6e73b8da
                                                  • Opcode Fuzzy Hash: fb1d2149d45884ab0086f0bbf4783de7e5564a29e5253685282fd7522903ec34
                                                  • Instruction Fuzzy Hash: 1841BF72718A448AEE44CF2ADD542A973A1F748FC0B499036DE9DCB764EE3DD486D700
                                                  APIs
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: htonl
                                                  • String ID: Failed to encode _MEIPASS as ANSI.$Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$strict$utf-8
                                                  • API String ID: 2009864989-2184277183
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .py$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to execute script %s$Failed to unmarshal code object for %s$Name exceeds PATH_MAX$__file__$__main__
                                                  • API String ID: 0-4082989238
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                  • API String ID: 3215553584-2617248754
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: htonl
                                                  • String ID: %U?%d$%s?%d$Failed to append to sys.path$Failed to convert %s to ShortFileName$Installing PYZ: Could not get sys.path$path$strict$utf-8
                                                  • API String ID: 2009864989-475945972
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: CurrentDirectoryErrorFullLastNamePath_invalid_parameter_noinfo
                                                  • String ID: .$:
                                                  • API String ID: 2924719347-4202072812
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E053FD
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E05443
                                                  Strings
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$WideCharToMultiByte
                                                  • API String ID: 626452242-164604372
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: CurrentDirectoryErrorFullLastNamePath_invalid_parameter_noinfo
                                                  • String ID: .$:.
                                                  • API String ID: 2924719347-2811378331
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00007FF626E02926), ref: 00007FF626E057E1
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00007FF626E02926), ref: 00007FF626E05837
                                                  Strings
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$WideCharToMultiByte
                                                  • API String ID: 1717984340-164604372
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E05659), ref: 00007FF626E059E2
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E05659), ref: 00007FF626E05A46
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$WideCharToMultiByte
                                                  • API String ID: 1717984340-1278643509
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: fd11eefc7501dc553944f060f7dcdfc83959ca11c5e8b4ef64d30f597c24027a
                                                  • Instruction ID: a3b9f4f78c994a99f2eb53ca05a8de53a4b0aadf76847b99f7da7c5570b3060d
                                                  • Opcode Fuzzy Hash: fd11eefc7501dc553944f060f7dcdfc83959ca11c5e8b4ef64d30f597c24027a
                                                  • Instruction Fuzzy Hash: F2F06261E1DA4382EF548B51FC943796361FF88B80F485035E99F86A64DE3DD889CB11
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 78eee380675df2efd6ed763fea0a0ce49f814650d1f96b61200eb59b31a69c52
                                                  • Instruction ID: 68292722f018e99b03271a3fb346f330d69a88e9ea4f7554c015baf33e3a6d15
                                                  • Opcode Fuzzy Hash: 78eee380675df2efd6ed763fea0a0ce49f814650d1f96b61200eb59b31a69c52
                                                  • Instruction Fuzzy Hash: 0BA1D762B0C7C345FF608B609C403BA6792AF54BA4F544635DAED86BC9EF7ED5848302
                                                  APIs
                                                    • Part of subcall function 00007FF626E13E38: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF626E13E16), ref: 00007FF626E13E41
                                                    • Part of subcall function 00007FF626E13E38: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF626E13E16), ref: 00007FF626E13E65
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E0FCE1
                                                  Similarity
                                                  • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 4036615347-0
                                                  • Opcode ID: 4fdab4e2de82278e54d9514812e7c6684e6ddec8340f98ee66ca902dcb22fe4f
                                                  • Instruction ID: 4ca5ca24b081b56fd2ededdba73410cd501ddad8a673a9dae3a15bad9b665076
                                                  • Opcode Fuzzy Hash: 4fdab4e2de82278e54d9514812e7c6684e6ddec8340f98ee66ca902dcb22fe4f
                                                  • Instruction Fuzzy Hash: 1761C222A0C78245EF608B21984467977A0EF44BA4F184234DEED97BD5DF3EE462C707
                                                  APIs
                                                  Similarity
                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                  • String ID:
                                                  • API String ID: 3659116390-0
                                                  • Opcode ID: 4366a4d58e6c34dbcd3c9303ecfe5f8e9d8c186aec045659b139ee6509589918
                                                  • Instruction ID: 12383b0668f16b425ba482249905beac23986d2377db77a1839dab40d44f7b97
                                                  • Opcode Fuzzy Hash: 4366a4d58e6c34dbcd3c9303ecfe5f8e9d8c186aec045659b139ee6509589918
                                                  • Instruction Fuzzy Hash: 3B51D0B2A18A518AEB10CF65E8443AD3BB1FB48788F048135CE8E87B98DF39D546C711
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF626E03E28,?,?,00000000,00007FF626E04161,?,?,?,?,00000000,00007FF626E0273E), ref: 00007FF626E0528B
                                                  • MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF626E03E28,?,?,00000000,00007FF626E04161,?,?,?,?,00000000,00007FF626E0273E), ref: 00007FF626E052C4
                                                  Strings
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar
                                                  • API String ID: 626452242-3466716416
                                                  • Opcode ID: e20e6688d482c1cf3175d09a3b82257a3792abb0629f391542f25f0a5cbda899
                                                  • Instruction ID: f4abea1e23b71292a696646ea001d7cf1a30145f0cdb584fda1dfd9102d2fc66
                                                  • Opcode Fuzzy Hash: e20e6688d482c1cf3175d09a3b82257a3792abb0629f391542f25f0a5cbda899
                                                  • Instruction Fuzzy Hash: CC312932A0C64385EF209F16BE4457AA291FF88794F984135DEDDD7B95EE3EE0018702
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF626E03E75,?,?,00000000,00007FF626E04161,?,?,?,?,00000000,00007FF626E0273E), ref: 00007FF626E058E3
                                                  • MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF626E03E75,?,?,00000000,00007FF626E04161,?,?,?,?,00000000,00007FF626E0273E), ref: 00007FF626E0591F
                                                  Strings
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar
                                                  • API String ID: 626452242-3466716416
                                                  • Opcode ID: 1c68b2dd5a96908e0bcd17003082914911bd40ccc8fd53326b195fd571f03788
                                                  • Instruction ID: c209a94e3513a5761583004b601c6e05db35fba7659e0b7416e6867e8196de18
                                                  • Opcode Fuzzy Hash: 1c68b2dd5a96908e0bcd17003082914911bd40ccc8fd53326b195fd571f03788
                                                  • Instruction Fuzzy Hash: 5431E372A0DB4382EF209F15AC4067AAAA5FB447A4F544135DEDDC3BA0EE3ED4158702
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32 ref: 00007FF626E055CD
                                                  • MultiByteToWideChar.KERNEL32 ref: 00007FF626E0561C
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar
                                                  • API String ID: 1717984340-3466716416
                                                  • Opcode ID: a0cd29175812b42e15842dce39ab7e163b5f1d9f79a1e7d190692a3eebd7ef2e
                                                  • Instruction ID: e487784f17daf03448a5d88495cf9f58d294e9c0a80964afc7b752388481b640
                                                  • Opcode Fuzzy Hash: a0cd29175812b42e15842dce39ab7e163b5f1d9f79a1e7d190692a3eebd7ef2e
                                                  • Instruction Fuzzy Hash: A531E361B1CA4385FF20AB62BE0017A6292AF84BD0F544535DDDDDBF96EE3EE4054702
                                                  APIs
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide$AllocateHeap_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 1500607604-0
                                                  • Opcode ID: d5bee8ca93208870c2d691818c3980d38138551ce13e4a407ed7c17bbb303c62
                                                  • Instruction ID: 8b00b9b427ef92edbed6ef05ceb6c289020c2223dc981295915c667415c9f86d
                                                  • Opcode Fuzzy Hash: d5bee8ca93208870c2d691818c3980d38138551ce13e4a407ed7c17bbb303c62
                                                  • Instruction Fuzzy Hash: 2021C471A0CB4241EE249F626C0057EA696BF84B90F184575EEEDC37D6EE3EE8425702
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E056F6
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E05750
                                                  Strings
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar
                                                  • API String ID: 1717984340-3466716416
                                                  • Opcode ID: 3a16ef3591b69f9d0a985f577828e605e31592002adf921ec7feb696857d0dff
                                                  • Instruction ID: 029b98f8c36553dbc9685ce7c2703569a9be92c2f31d5be5b396afa32589b4a1
                                                  • Opcode Fuzzy Hash: 3a16ef3591b69f9d0a985f577828e605e31592002adf921ec7feb696857d0dff
                                                  • Instruction Fuzzy Hash: 8911AE21B0CA4281EB50DB29FD00166A3A2FB88BD4B584235DB9CC3FA9EE2DD5518705
                                                  APIs
                                                  Similarity
                                                  • API ID: _set_statfp
                                                  • String ID:
                                                  • API String ID: 1156100317-0
                                                  • Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                  • Instruction ID: a351cccd8fbd1ea5640caf73a9103d50297c0607e51c5a259d5eca01b3e02b68
                                                  • Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                  • Instruction Fuzzy Hash: 66115E7AE3C60741FE641124ECD63FD01936F55360F1D4A34EBEA86EE6CE2E66444742
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                  • API String ID: 3215553584-1196891531
                                                  • Opcode ID: d07a2f78661d68b47df1c0c7dcc91cd3eba7fe27400595e3b3573f3bdbe2d5a4
                                                  • Instruction ID: 3353743e14e6b809d9d2b8600d485fce4d8305446dec3a678ef79f0d38fd4a6b
                                                  • Opcode Fuzzy Hash: d07a2f78661d68b47df1c0c7dcc91cd3eba7fe27400595e3b3573f3bdbe2d5a4
                                                  • Instruction Fuzzy Hash: 4181AF72E0C20685FF654F258E502BE66A1AF25744F2484B5DABAC7680DF2FED50E703
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: fflush
                                                  • String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$pyi-
                                                  • API String ID: 497872470-3625900369
                                                  • Opcode ID: bdb28414d2d8f7058b85d996f509c1bd22f4e0de7df0f56aef85fba6d7fef7ce
                                                  • Instruction ID: effc8e46ea62ece4af3531d4e6dfc899ce743a6e98b294c26a1d70599f27e186
                                                  • Opcode Fuzzy Hash: bdb28414d2d8f7058b85d996f509c1bd22f4e0de7df0f56aef85fba6d7fef7ce
                                                  • Instruction Fuzzy Hash: 3D518B21A1C64381FF14AB65EC452B926A0AF84B90F804135D9CDEB3E7DE7FE8518753
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: ByteCharErrorFileLastMultiWideWrite
                                                  • String ID: U
                                                  • API String ID: 2456169464-4171548499
                                                  • Opcode ID: 5954a6fc303682225655ac94497f616c2db65485563ffa68d4965f1e762738ba
                                                  • Instruction ID: f68f5edbbbf0bb76f604b9241bda92b777c815c5c4a32c385511462497e7c525
                                                  • Opcode Fuzzy Hash: 5954a6fc303682225655ac94497f616c2db65485563ffa68d4965f1e762738ba
                                                  • Instruction Fuzzy Hash: 1641A262B2DA8186EB208F25E8457BA77A1FB88784F404035EE8EC7794DF3DD401CB51
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,00007FF626E025A7), ref: 00007FF626E028F1
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorFileLastModuleName
                                                  • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                  • API String ID: 2776309574-482168174
                                                  • Opcode ID: e30faaa21fd7dec7fea02afd213db843901c608c28621dc435670451c6b49c2f
                                                  • Instruction ID: a47786823292c52051b86fcca18a92715aeb42fc32d5ae4327bb7abff2174f31
                                                  • Opcode Fuzzy Hash: e30faaa21fd7dec7fea02afd213db843901c608c28621dc435670451c6b49c2f
                                                  • Instruction Fuzzy Hash: A7018420F1C64384FE349725EC453B51391AF58794FD00232E4DDD66D6EE2EE2048B02
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo$_get_daylight
                                                  • String ID:
                                                  • API String ID: 72036449-0
                                                  • Opcode ID: 57a80b3d5529d5f5b4c6a421e39c9ad8ad9c8474ed82c9519280ae2848f9f80f
                                                  • Instruction ID: a22e03942b77f041bf63828548ebe841d673d9a70b69c4664eba2ea05a3fb7a4
                                                  • Opcode Fuzzy Hash: 57a80b3d5529d5f5b4c6a421e39c9ad8ad9c8474ed82c9519280ae2848f9f80f
                                                  • Instruction Fuzzy Hash: EB51BF32D0C24286FF658F289E0537969D0AB04724F5981B5DA8DC62D6CE2EEC42A7D3
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                  • String ID:
                                                  • API String ID: 4141327611-0
                                                  • Opcode ID: 570aee6898104e4f076ed688c9fa826cdad07e79dc6406c874fc876ed1d4501e
                                                  • Instruction ID: 83fef4149dbecf71ea6402db210a608aed6d97cbd21aa79dff6c8fa0792da995
                                                  • Opcode Fuzzy Hash: 570aee6898104e4f076ed688c9fa826cdad07e79dc6406c874fc876ed1d4501e
                                                  • Instruction Fuzzy Hash: 0841E5B1A0D78286FF659B109840379A7A1EF40B90F748170DADC8BAD9CF3EDC419B02
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E103A4,?,?,00000000,00007FF626E10316,?,?,00000000,00007FF626E10689), ref: 00007FF626E10553
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E103A4,?,?,00000000,00007FF626E10316,?,?,00000000,00007FF626E10689), ref: 00007FF626E10593
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E103A4,?,?,00000000,00007FF626E10316,?,?,00000000,00007FF626E10689), ref: 00007FF626E105DA
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E103A4,?,?,00000000,00007FF626E10316,?,?,00000000,00007FF626E10689), ref: 00007FF626E10621
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 626452242-0
                                                  • Opcode ID: 6233257c7a9a773674905cb2c87de12f38d11a6251b785c79051bbc41d58f46b
                                                  • Instruction ID: 97c410bd33fd46a14086f4fdaad54f8724efeb3c538a954ff6f38b5fac758c68
                                                  • Opcode Fuzzy Hash: 6233257c7a9a773674905cb2c87de12f38d11a6251b785c79051bbc41d58f46b
                                                  • Instruction Fuzzy Hash: BC317132A0DB8285EB249F26AD40169BAE5BF84BD0F544239EADE93BD5DF3DD4018701
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF626E1203F,?,?,?,00007FF626E11FB2), ref: 00007FF626E1B2C5
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E1203F,?,?,?,00007FF626E11FB2), ref: 00007FF626E1B327
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E1203F,?,?,?,00007FF626E11FB2), ref: 00007FF626E1B361
                                                  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF626E1203F,?,?,?,00007FF626E11FB2), ref: 00007FF626E1B38B
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                  • String ID:
                                                  • API String ID: 1557788787-0
                                                  • Opcode ID: 26b7d60fd6ec908042ca7350b9153c0cf6b0d9e94abffc0a3170f22cf79ec3e1
                                                  • Instruction ID: 18f91df073d57d3ea8ce4b8fbd95d1aa62678a2cfdfdbe0966b45f9d9231824b
                                                  • Opcode Fuzzy Hash: 26b7d60fd6ec908042ca7350b9153c0cf6b0d9e94abffc0a3170f22cf79ec3e1
                                                  • Instruction Fuzzy Hash: CB216121F0C75282EA209F16A84412DB6A4FB58BD0B484274DECEA3BA4DF7DE8529745
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,?,00007FF626E0C004,?,?,00000000,00007FF626E0E8F5), ref: 00007FF626E1712A
                                                  • SetLastError.KERNEL32(?,?,?,00007FF626E0C004,?,?,00000000,00007FF626E0E8F5), ref: 00007FF626E17192
                                                  • SetLastError.KERNEL32(?,?,?,00007FF626E0C004,?,?,00000000,00007FF626E0E8F5), ref: 00007FF626E171A8
                                                  • abort.LIBCMT ref: 00007FF626E171AE
                                                  Similarity
                                                  • API ID: ErrorLast$abort
                                                  • String ID:
                                                  • API String ID: 1447195878-0
                                                  • Opcode ID: aaebfc23dab13aa53e8c2c2a607999f7b6d9bbcb8ed0d9b0e720f7c2adac4606
                                                  • Instruction ID: 9f0599061ea104db3589d5fd08c1a23f1764d2da53bab5a260def68c64239380
                                                  • Opcode Fuzzy Hash: aaebfc23dab13aa53e8c2c2a607999f7b6d9bbcb8ed0d9b0e720f7c2adac4606
                                                  • Instruction Fuzzy Hash: 47015E10F0D68342FE5967219E6697D12925F84B90F140578D99EC2BD2EE2FAC896702
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: gfffffff
                                                  • API String ID: 3215553584-1523873471
                                                  • Opcode ID: eeb3ad31d0b564319db3cb84673d94e20562a2fd1e754b625e9329464f117d7d
                                                  • Instruction ID: e1f2eb24184fdbb579948250ed06d2625b4653e715075f950a0db6979c89bb00
                                                  • Opcode Fuzzy Hash: eeb3ad31d0b564319db3cb84673d94e20562a2fd1e754b625e9329464f117d7d
                                                  • Instruction Fuzzy Hash: 4B914863B1D38A86EF218F2999413BC6B55EB65BD0F048171CACD87395DE3EE912D302
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: e+000$gfff
                                                  • API String ID: 3215553584-3030954782
                                                  • Opcode ID: 4968aa1ee207d6875aaaa9fe43e4c432ab5420fbdbed66a67b3513b472d8dbfd
                                                  • Instruction ID: df0bcd4bd3d4469e8e063077b61a7543e38e55c84386a4ccb46e826915f1903d
                                                  • Opcode Fuzzy Hash: 4968aa1ee207d6875aaaa9fe43e4c432ab5420fbdbed66a67b3513b472d8dbfd
                                                  • Instruction Fuzzy Hash: 03512762B1C7D246EF248B359D423A96B91EB81F90F489275C6DCC7BD6CE2ED844C702
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: FileModuleName_invalid_parameter_noinfo
                                                  • String ID: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                  • API String ID: 3307058713-873524309
                                                  • Opcode ID: a65d3f83cf1b5251cf6099810242b6e7324b82c0b9af0ac1003a66984e4b3642
                                                  • Instruction ID: fc66697920c7f758614a169037c7c3085176ea0d725ac47be3e804bd3d5bcdcd
                                                  • Opcode Fuzzy Hash: a65d3f83cf1b5251cf6099810242b6e7324b82c0b9af0ac1003a66984e4b3642
                                                  • Instruction Fuzzy Hash: 31416B36A0CA528AEF159F219C400FC67A4EF48BD4F554075E98E97B95DF3EE881D302
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: CurrentDirectory
                                                  • String ID: :
                                                  • API String ID: 1611563598-336475711
                                                  • Opcode ID: 748178b6baff8b33190132aa31179332de53706a0052989229f914b352324fed
                                                  • Instruction ID: 7d9161a6876a317492967c2c96b19b6f8f283ac30bc10dd9c11e76f8fabd2e59
                                                  • Opcode Fuzzy Hash: 748178b6baff8b33190132aa31179332de53706a0052989229f914b352324fed
                                                  • Instruction Fuzzy Hash: 63218F27B0C68281FF209B11D8442BE63A1FB84B84F858075DAED87684DF7EED85D752
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: :
                                                  • API String ID: 3215553584-336475711
                                                  • Opcode ID: d6d6e34964956db082e71a28770fe06b0e2d0fb141bbdcf566c624eadcaa19bf
                                                  • Instruction ID: a51b37872b4bcb519f9548f49f6a00eb4c7d93516ffe80fd574e84859881139d
                                                  • Opcode Fuzzy Hash: d6d6e34964956db082e71a28770fe06b0e2d0fb141bbdcf566c624eadcaa19bf
                                                  • Instruction Fuzzy Hash: 7201D62291C64281FF20AF60A8512BF6760EF48304FD00135E9DEC7692DF3DD9049B17

                                                  Execution Graph

                                                  Execution Coverage:2.2%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:299
                                                  Total number of Limit Nodes:19
7ff626e188d3 68771->68775 68773 7ff626e13f38 _set_errno_from_matherr 15 API calls 68772->68773 68774 7ff626e1889d 68773->68774 68785 7ff626e13e18 32 API calls _invalid_parameter_noinfo 68774->68785 68786 7ff626e18748 61 API calls fread_s 68775->68786 68778 7ff626e0255d 68779 7ff626e0f69c 68778->68779 68781 7ff626e13140 fread_s 68779->68781 68780 7ff626e13186 HeapAlloc 68780->68781 68782 7ff626e131a2 68780->68782 68781->68780 68781->68782 68783 7ff626e13f38 _set_errno_from_matherr 15 API calls 68782->68783 68783->68782 68784->68769 68785->68778 68786->68778 68787 7ff626e0ae5c 68788 7ff626e0ae7d 68787->68788 68789 7ff626e0ae92 68787->68789 68790 7ff626e13f38 _set_errno_from_matherr 15 API calls 68788->68790 68789->68788 68791 7ff626e0ae97 68789->68791 68792 7ff626e0ae82 68790->68792 68800 7ff626e0ba10 EnterCriticalSection 68791->68800 68801 7ff626e13e18 32 API calls _invalid_parameter_noinfo 68792->68801 68795 7ff626e0ae9c 68797 7ff626e0afd8 58 API calls 68795->68797 68796 7ff626e0ae8d 68798 7ff626e0aead 68797->68798 68799 7ff626e0ba1c fread_s LeaveCriticalSection 68798->68799 68799->68796 68801->68796 68802 7ff626e184d4 68803 7ff626e186d0 68802->68803 68805 7ff626e18513 _isindst 68802->68805 68804 7ff626e13f38 _set_errno_from_matherr 15 API calls 68803->68804 68826 7ff626e18693 68804->68826 68805->68803 68808 7ff626e185a0 _isindst 68805->68808 68827 7ff626e1ec94 68808->68827 68813 7ff626e18728 68814 7ff626e13e38 _wfindfirst32i64 17 API calls 68813->68814 68816 7ff626e1873d 68814->68816 68818 7ff626e18713 68820 7ff626e13e38 _wfindfirst32i64 17 API calls 68818->68820 68820->68813 68822 7ff626e186ff 68863 7ff626e13e38 IsProcessorFeaturePresent 68822->68863 68824 7ff626e185f9 68824->68826 68853 7ff626e1ecd0 32 API calls _isindst 68824->68853 68854 7ff626e08820 68826->68854 68828 7ff626e185bb 68827->68828 68829 7ff626e1eca2 68827->68829 68835 7ff626e1e1c8 68828->68835 68867 7ff626e19140 EnterCriticalSection 68829->68867 68831 7ff626e1ecaa 68832 7ff626e1ecba 68831->68832 
68833 7ff626e1eb8c 46 API calls 68831->68833 68834 7ff626e19194 _isindst LeaveCriticalSection 68832->68834 68833->68832 68834->68828 68836 7ff626e185cf 68835->68836 68837 7ff626e1e1d1 68835->68837 68836->68813 68841 7ff626e1e1f8 68836->68841 68838 7ff626e13f38 _set_errno_from_matherr 15 API calls 68837->68838 68839 7ff626e1e1d6 68838->68839 68868 7ff626e13e18 32 API calls _invalid_parameter_noinfo 68839->68868 68842 7ff626e1e201 68841->68842 68846 7ff626e185e0 68841->68846 68843 7ff626e13f38 _set_errno_from_matherr 15 API calls 68842->68843 68844 7ff626e1e206 68843->68844 68869 7ff626e13e18 32 API calls _invalid_parameter_noinfo 68844->68869 68846->68818 68847 7ff626e1e228 68846->68847 68848 7ff626e1e231 68847->68848 68852 7ff626e185f1 68847->68852 68849 7ff626e13f38 _set_errno_from_matherr 15 API calls 68848->68849 68850 7ff626e1e236 68849->68850 68870 7ff626e13e18 32 API calls _invalid_parameter_noinfo 68850->68870 68852->68822 68852->68824 68853->68826 68855 7ff626e0882a 68854->68855 68856 7ff626e08836 68855->68856 68857 7ff626e08b5c IsProcessorFeaturePresent 68855->68857 68858 7ff626e08b73 68857->68858 68871 7ff626e08d50 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 68858->68871 68860 7ff626e08b86 68872 7ff626e08b28 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 68860->68872 68864 7ff626e13e4a 68863->68864 68873 7ff626e13c0c 14 API calls 3 library calls 68864->68873 68866 7ff626e13e65 GetCurrentProcess TerminateProcess 68868->68836 68869->68846 68870->68852 68871->68860 68873->68866

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                                                  • String ID: ?
                                                  • API String ID: 3440502458-1684325040
                                                  • Opcode ID: a27dce4f683726e5c9c14e27096819f0143c36c0f7d15939d53de878fb674df3
                                                  • Instruction ID: 1a4ba757b44120556430f7b9d62257cfc8a58fa5e24f057e758f8d99db12cfca
                                                  • Opcode Fuzzy Hash: a27dce4f683726e5c9c14e27096819f0143c36c0f7d15939d53de878fb674df3
                                                  • Instruction Fuzzy Hash: ADE1F232A0C2824AFF24AF31AC415B96B91FF84784F444175FA8E83A95DF7EEC419742
                                                  APIs
                                                  Similarity
                                                  • API ID: _get_daylight$_isindst
                                                  • String ID:
                                                  • API String ID: 4170891091-0
                                                  • Opcode ID: d5eeda719bd18130e753a87b16964e5977d1f2ef54ac4c2fa4a9ea025e11ae79
                                                  • Instruction ID: 69561622c22414c82b4287c397fcefd4e550da29712ecd59cdad6a4f9e899169
                                                  • Opcode Fuzzy Hash: d5eeda719bd18130e753a87b16964e5977d1f2ef54ac4c2fa4a9ea025e11ae79
                                                  • Instruction Fuzzy Hash: 54612572F2C20586FF28DF649D517BE33A6AB50398F400235DEAD96AC4DF3DA8058702

                                                  Control-flow Graph

                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E04FD0
                                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E0501A
                                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E05043
                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E05056
                                                  • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF626E022A6,00000000,00007FF626E02736), ref: 00007FF626E05069
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                    • Part of subcall function 00007FF626E05120: GetLastError.KERNEL32(00000000,00007FF626E05B02,?,?,?,00007FF626E05652), ref: 00007FF626E05147
                                                    • Part of subcall function 00007FF626E05120: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF626E01B40), ref: 00007FF626E05176
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressByteCharErrorLastMultiProcWide$FormatLibraryLoadMessage
                                                  • String ID: 8$ActivateActCtx$CreateActCtxW$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$kernel32
                                                  • API String ID: 148262030-1940978792
                                                  • Opcode ID: 0596184b9433193d582e0e344f58def41022115cc5e3a7d4cfd9b4164663af2b
                                                  • Instruction ID: 9fa26ce239c5a0802fd293542da54bba78226dcad0feee4d9ec950c57267a94f
                                                  • Opcode Fuzzy Hash: 0596184b9433193d582e0e344f58def41022115cc5e3a7d4cfd9b4164663af2b
                                                  • Instruction Fuzzy Hash: D9414721A0DB4381EB509B15FD0416972A6FF847A0F544236EAED93BE4EF3ED4158742

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: htonl
                                                  • String ID: Failed to encode _MEIPASS as ANSI.$Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$strict$utf-8
                                                  • API String ID: 2009864989-2184277183
                                                  • Opcode ID: 5248ed9fde9ac2b8a4ac834c6959239f6ca1c7aa9165943b01afbe54baae16da
                                                  • Instruction ID: 8202494d43a6b8d598ca9962244208ea87ee8d1c44132ffbc6ecb36a65d9a666
                                                  • Opcode Fuzzy Hash: 5248ed9fde9ac2b8a4ac834c6959239f6ca1c7aa9165943b01afbe54baae16da
                                                  • Instruction Fuzzy Hash: 1551C120A1DA83D1EE009B25EC542B963A0FF45B90F880131DAAED77E5DF3EE549C312

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: htonl$_fread_nolock_invalid_parameter_noinfo
                                                  • String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file.$fread$malloc
                                                  • API String ID: 235321421-2332847760
                                                  • Opcode ID: e4e447f56fc7ff2bdc062d0295e63a31827a7360767318e5e83dea32ee537c8b
                                                  • Instruction ID: 6e73ce65d50edf41742d7a72e361bca13ee7e3e58bb3eadae813cc716572292d
                                                  • Opcode Fuzzy Hash: e4e447f56fc7ff2bdc062d0295e63a31827a7360767318e5e83dea32ee537c8b
                                                  • Instruction Fuzzy Hash: 7A319E31F1C50282EF04EB74DC613B823A1AF94B58F584530E59DDB2DAEE3EE8818702

                                                  Control-flow Graph

                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,00007FF626E05B02,?,?,?,00007FF626E05652), ref: 00007FF626E05147
                                                  • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF626E01B40), ref: 00007FF626E05176
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF626E01B40), ref: 00007FF626E051CA
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Similarity
                                                  • API ID: ErrorLast$ByteCharFormatMessageMultiWide
                                                  • String ID: An attempt to set the process default activation context failed because the process default activation context was already set.$Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                  • API String ID: 2383786077-999350857
                                                  • Opcode ID: b62dc68774a4263bbf2c738e764c0ac0a57dd6dba59a1b44175ba69e93919a4c
                                                  • Instruction ID: 4cf1a160b0644e649a1a0d3cd58030fcfc02d15376623b97679b65c3a90f2ed0
                                                  • Opcode Fuzzy Hash: b62dc68774a4263bbf2c738e764c0ac0a57dd6dba59a1b44175ba69e93919a4c
                                                  • Instruction Fuzzy Hash: 94217F71A1CA4381EF249B11FD547B623A6FF88384F800035E6CDD2AA4EF3DD1198B02

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .py$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to execute script %s$Failed to unmarshal code object for %s$Name exceeds PATH_MAX$__file__$__main__
                                                  • API String ID: 0-4082989238
                                                  • Opcode ID: be43b82145219d87cf57bb07217ead1f5b0323dfb21228fe2650b1feb2e4787f
                                                  • Instruction ID: 244dbe049a285b940d3fb997e0e9b25538d4e235c4673749d04bfb56e17e148c
                                                  • Opcode Fuzzy Hash: be43b82145219d87cf57bb07217ead1f5b0323dfb21228fe2650b1feb2e4787f
                                                  • Instruction Fuzzy Hash: 4E51B231E1CA8399FE249B21AC942B923A0BF94B90F440131DADED77D5EE3EE4558712

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: htonl$_fread_nolock
                                                  • String ID: Cannot open archive file$Could not allocate read buffer$Could not read from file$Error decompressing %s
                                                  • API String ID: 941911645-3387914768
                                                  • Opcode ID: 0a3265300e8c7cb3a87cd7480501eefbb069b8ccbe9b37b5ccc6d0127be21122
                                                  • Instruction ID: 666983f5b355849d76b4f9dec96d7f6fc3caae3a2a825292ca8ea84865cd0b58
                                                  • Opcode Fuzzy Hash: 0a3265300e8c7cb3a87cd7480501eefbb069b8ccbe9b37b5ccc6d0127be21122
                                                  • Instruction Fuzzy Hash: FC31A221B1C54285EF44EB65E9513B923A0EF487C4F440431EA8DDBB8AEE2EE9918702

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                  • String ID:
                                                  • API String ID: 1330151763-0
                                                  • Opcode ID: 4e312cbdaea06996988d8d323f6e4bff09b570e26b286370dc240ebc8d32d696
                                                  • Instruction ID: 07af31ef1d2b3d15750313b70b59450b16f26df0a33fd409d12903f076430b7d
                                                  • Opcode Fuzzy Hash: 4e312cbdaea06996988d8d323f6e4bff09b570e26b286370dc240ebc8d32d696
                                                  • Instruction Fuzzy Hash: 59C1CF33B28A418AEF108B65D8513AC37A1EB497A8F040235DAAE977D5CF39E855D342

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                                  • String ID:
                                                  • API String ID: 552178382-0
                                                  • Opcode ID: 70968b06e30dede323ce45a542f067e5329e95d33d1afdf5ff1aeb90018d2c88
                                                  • Instruction ID: 49529b2b1f6cb4eef05084b4a67a5bbd8aa61757e0a72d9582483c5ee789860b
                                                  • Opcode Fuzzy Hash: 70968b06e30dede323ce45a542f067e5329e95d33d1afdf5ff1aeb90018d2c88
                                                  • Instruction Fuzzy Hash: 6A31CD21E0C24342FE50AB609C553BA23A1AF55784F504034EAEEEB6D7DE2FE844CB13

                                                  Control-flow Graph

                                                  APIs
                                                  • _get_daylight.LIBCMT ref: 00007FF626E1E9DB
                                                    • Part of subcall function 00007FF626E1E228: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1E23C
                                                  • _get_daylight.LIBCMT ref: 00007FF626E1E9EC
                                                    • Part of subcall function 00007FF626E1E1C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1E1DC
                                                  • _get_daylight.LIBCMT ref: 00007FF626E1E9FD
                                                    • Part of subcall function 00007FF626E1E1F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1E20C
                                                    • Part of subcall function 00007FF626E12FE8: HeapFree.KERNEL32(?,?,00000000,00007FF626E17203,?,?,?,00007FF626E13F41,?,?,?,?,00007FF626E131A7,?,?,00000000), ref: 00007FF626E12FFE
                                                    • Part of subcall function 00007FF626E12FE8: GetLastError.KERNEL32(?,?,00000000,00007FF626E17203,?,?,?,00007FF626E13F41,?,?,?,?,00007FF626E131A7,?,?,00000000), ref: 00007FF626E13010
                                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E1EC5D), ref: 00007FF626E1EA24
                                                  • WideCharToMultiByte.KERNEL32 ref: 00007FF626E1EABA
                                                  • WideCharToMultiByte.KERNEL32 ref: 00007FF626E1EB06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
                                                  • String ID: ?
                                                  • API String ID: 500310315-1684325040
                                                  • Opcode ID: 91182e50ed4f2bb1e8759a9778c86e8c8fc7d90275ffa4ce3d61a76719f821f3
                                                  • Instruction ID: d9daaf8e6577f528f1578e58f1e2a5693c73136a7678b9cf95285e9c2cc9b76e
                                                  • Opcode Fuzzy Hash: 91182e50ed4f2bb1e8759a9778c86e8c8fc7d90275ffa4ce3d61a76719f821f3
                                                  • Instruction Fuzzy Hash: 5C617032A0C6428AEF60AF21AC805B977A4FF44794F540175FA8DC3A95DF7DD841D781

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: htonl
                                                  • String ID: 1.2.11$Error %d from inflate: %s$Error %d from inflateInit: %s$Error allocating decompression buffer
                                                  • API String ID: 2009864989-3188157777
                                                  • Opcode ID: df98e4717e3913a67ae54af8d97e0e02ee2b6280404411e24ec56e859f35455c
                                                  • Instruction ID: 4b53907c29e55d1b967fb7e8b33dca3e1ec63ee417067a01b2765aaf208f196a
                                                  • Opcode Fuzzy Hash: df98e4717e3913a67ae54af8d97e0e02ee2b6280404411e24ec56e859f35455c
                                                  • Instruction Fuzzy Hash: 16217F31A1C68292EF50DB50EC413AA63A0FB88380F544135EACDD7A99EF3EE5158B42

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 6932f63db3935fb8fa1e8ce1f0cbc29b5785700aed5692074f9536b7ef702483
                                                  • Instruction ID: d19d0137468bd7bec9f7a26f6c6befdf023f500a9a9c9831a32aa86c23b7e604
                                                  • Opcode Fuzzy Hash: 6932f63db3935fb8fa1e8ce1f0cbc29b5785700aed5692074f9536b7ef702483
                                                  • Instruction Fuzzy Hash: 5EC1DF62A0C68281EF608F1498407BD6B65BF81B84F5541B4EADE877D5CF3EEC45E702

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _fread_nolock$fread_s
                                                  • String ID: M$Z
                                                  • API String ID: 184871262-4250246861
                                                  • Opcode ID: e5197a11c57ce8295b80a5b9c7d047b24606fe712e562c3123c6388f1abedc31
                                                  • Instruction ID: a78eb49a2f3bdf9549248b16363edc1b29a3f5250df2a050d262a7c95c2009e2
                                                  • Opcode Fuzzy Hash: e5197a11c57ce8295b80a5b9c7d047b24606fe712e562c3123c6388f1abedc31
                                                  • Instruction Fuzzy Hash: 4D21F062A2C04982EF60DA66E8507AE7311EB95754F405131FA8EC7ACADF3ED845CF02

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$_invalid_parameter_noinfo
                                                  • String ID: Cannot allocate memory for ARCHIVE_STATUS$Cannot open self %s or archive %s$_MEIPASS2$calloc
                                                  • API String ID: 4226448076-3874408297
                                                  • Opcode ID: d24bcdc07d4375ae7c1ddf0aee5edefa57d207fce004096a7ccff59d2b5f2b38
                                                  • Instruction ID: 53a9059b4a0b34b671506939b5da43a1cff30e6f1d45e4ac4819857631f88c6f
                                                  • Opcode Fuzzy Hash: d24bcdc07d4375ae7c1ddf0aee5edefa57d207fce004096a7ccff59d2b5f2b38
                                                  • Instruction Fuzzy Hash: 8881F531E0C68695EE24AB31AD952FD6391EF847D0F404131EADDA76CADF3EE1058702
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 2f7bcaecceb36eecdccf574391bf900be0cffb0692915f96fe00f067866c602e
                                                  • Instruction ID: 9225799e5b512a6311ebb2c509932f0ba7f348d9e579507d79d129b6254e51f3
                                                  • Opcode Fuzzy Hash: 2f7bcaecceb36eecdccf574391bf900be0cffb0692915f96fe00f067866c602e
                                                  • Instruction Fuzzy Hash: 8681D2A2F2C60289FF109F259C806BD27A0BB44B88F444175DE8E976D5DF3EAC45E712
                                                  APIs
                                                  • GetProcAddress.KERNEL32(?,?,00000003,00007FF626E163D7,?,?,00000000,00007FF626E17213,?,?,?,00007FF626E13F41), ref: 00007FF626E160E2
                                                  Similarity
                                                  • API ID: AddressProc
                                                  • String ID:
                                                  • API String ID: 190572456-0
                                                  • Opcode ID: e4f38beb4a091d050f27c2334aa2686840f91458448eacaec98016cc0bf5d900
                                                  • Instruction ID: 7b7cf435d63eb354fa3a7bc8dc188ac2549378818f47e4cd91ca2473972b9c74
                                                  • Opcode Fuzzy Hash: e4f38beb4a091d050f27c2334aa2686840f91458448eacaec98016cc0bf5d900
                                                  • Instruction Fuzzy Hash: 234127A1B0DA4281FE258B12AC006B56396BF44BD0F294675DD9DCBB84FF3FE8449742
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: FileHandleType
                                                  • String ID: @
                                                  • API String ID: 3000768030-2766056989
                                                  • Opcode ID: 684ce04248267d855382c620c221f8df4a26059d37e9916bf26084109412f334
                                                  • Instruction ID: d46bde08ba803a1a33abbb3f8777a34a5a85a2370c58573e4659876d787b3e46
                                                  • Opcode Fuzzy Hash: 684ce04248267d855382c620c221f8df4a26059d37e9916bf26084109412f334
                                                  • Instruction Fuzzy Hash: 652181A3A1CA4281EF608B289C901392665EB45774F281375D6EE877D4CE3EEC81E342
                                                  APIs
                                                  Similarity
                                                  • API ID: ErrorFileLastNamedPeekPipeType
                                                  • String ID:
                                                  • API String ID: 1388729460-0
                                                  • Opcode ID: 1e96c5fef20893280a8b15efc0fa0d3c517567b4bf2d22b8fdcb0850e2ab7870
                                                  • Instruction ID: ee5c63ba9bd3676b9e265d5057e0cfbc8df8300f0c859f54c16e1ccc7f9528bb
                                                  • Opcode Fuzzy Hash: 1e96c5fef20893280a8b15efc0fa0d3c517567b4bf2d22b8fdcb0850e2ab7870
                                                  • Instruction Fuzzy Hash: A051CB62A0C65289EF10CB71DC403BD33A1BB44B68F144634DEADA77C9DF39D8168742
                                                  APIs
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleType_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 1405040552-0
                                                  • Opcode ID: fe5eef5ee4e3644145924420639b586b664da7bb89814c748e8b48b74c0fb88c
                                                  • Instruction ID: 933f1c190a326d0ebc892a46f723761f465d93b5ffeeb44578733168aa7f2490
                                                  • Opcode Fuzzy Hash: fe5eef5ee4e3644145924420639b586b664da7bb89814c748e8b48b74c0fb88c
                                                  • Instruction Fuzzy Hash: ED51A222A1C74146FA609F25AC012BD76A0BF943A4F149334EEED62AD2DF3DE5819742
                                                  APIs
                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E0F113), ref: 00007FF626E0F270
                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E0F113), ref: 00007FF626E0F284
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF626E0F113), ref: 00007FF626E0F2D1
                                                  Similarity
                                                  • API ID: Time$System$ErrorFileLastLocalSpecific
                                                  • String ID:
                                                  • API String ID: 2674341965-0
                                                  • Opcode ID: e7d5c1ce460788a976e03217c2461d1d5aee4c25f04631c192cb23a35b3136c1
                                                  • Instruction ID: 77a038f46635a8b4f03c7afc611255bbffe63ceba40b4786c90e198c38fdecc6
                                                  • Opcode Fuzzy Hash: e7d5c1ce460788a976e03217c2461d1d5aee4c25f04631c192cb23a35b3136c1
                                                  • Instruction Fuzzy Hash: 11116D21F1C65289FF509B7098111BD26A1AF04B35F500335EEFEA6AD8EF3D94608712
                                                  APIs
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 6af1f5f4e259511a7fd2ca9a09745217329c0a7cbc39c5daa09a01073255fccb
                                                  • Instruction ID: 925ae2d7685fa60ff2529454d2bc2acded75d89264859baa99ea09a6f2afea1a
                                                  • Opcode Fuzzy Hash: 6af1f5f4e259511a7fd2ca9a09745217329c0a7cbc39c5daa09a01073255fccb
                                                  • Instruction Fuzzy Hash: 22E04F28B0C30B86EE446B219C8177A23535F84741F104479C88E87792DE3FA8889B12
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: ecf3264a030f1d94219489a15d86942b3c015555ea4854584f75f4fe9a16eb75
                                                  • Instruction ID: da01280924d0f350a49d84d3bb7924e4875c98d7e5c2f86ec18d6a2927d405e1
                                                  • Opcode Fuzzy Hash: ecf3264a030f1d94219489a15d86942b3c015555ea4854584f75f4fe9a16eb75
                                                  • Instruction Fuzzy Hash: 33612B21B0D64A46EE34DE399C0037A6691AF44BA8F044734DDEDE77DADE3ED4019B02
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: f0228f900ba0616f27e98acbb307cc0e83f78da6cbec9b196d62afd1f8d319be
                                                  • Instruction ID: b38c9cf8b239d6a81b685a7a6b6100499d4c5883f9b0f5149063493c899bb06a
                                                  • Opcode Fuzzy Hash: f0228f900ba0616f27e98acbb307cc0e83f78da6cbec9b196d62afd1f8d319be
                                                  • Instruction Fuzzy Hash: AC61527291C642DAEF648F34885527C3BA1FB16F18F541135CACAA2199CF3ED48ED702
                                                  APIs
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID:
                                                  • API String ID: 442123175-0
                                                  • Opcode ID: a9684a228e1691769fdd64b5a71f1bc9fe2afc9a6e834ea75efd6107adc770d0
                                                  • Instruction ID: a0939b8ffbffc3b3dcf5b4919a0a2bad0ae24e5d56ea9d2659f808946fee5dbe
                                                  • Opcode Fuzzy Hash: a9684a228e1691769fdd64b5a71f1bc9fe2afc9a6e834ea75efd6107adc770d0
                                                  • Instruction Fuzzy Hash: 8331DF73A2CA868AEB108F15E8007A9B761FB48784F848031EA8D87755DF3DD906DB41
                                                  APIs
                                                  • FindCloseChangeNotification.KERNEL32(?,?,?,00007FF626E13FA3,?,?,00000000,00007FF626E1404B,?,?,?,?,?,?,00007FF626E0AA1E), ref: 00007FF626E140D3
                                                  • GetLastError.KERNEL32(?,?,?,00007FF626E13FA3,?,?,00000000,00007FF626E1404B,?,?,?,?,?,?,00007FF626E0AA1E), ref: 00007FF626E140DD
                                                  Similarity
                                                  • API ID: ChangeCloseErrorFindLastNotification
                                                  • String ID:
                                                  • API String ID: 1687624791-0
                                                  • Opcode ID: 330a491f5bc223d93eb8a7ba1c531ec1200787dd13d3c5c7f4932ceea18e02bb
                                                  • Instruction ID: 316590450c3b6e14956e9ef7dcae55605de3845f739ddf45ca3df5d57ffe1ce8
                                                  • Opcode Fuzzy Hash: 330a491f5bc223d93eb8a7ba1c531ec1200787dd13d3c5c7f4932ceea18e02bb
                                                  • Instruction Fuzzy Hash: 7311C811F0C68381FE9457769D9537C16C29F94764F5402B4DAAEC73D2DEAEAC84A303
                                                  APIs
                                                  • SetFilePointerEx.KERNEL32(?,?,00000000,00007FF626E15A82,?,?,?,?,?,?,?,?,?,?,?,00007FF626E159A4), ref: 00007FF626E1508C
                                                  • GetLastError.KERNEL32(?,?,00000000,00007FF626E15A82,?,?,?,?,?,?,?,?,?,?,?,00007FF626E159A4), ref: 00007FF626E15096
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer
                                                  • String ID:
                                                  • API String ID: 2976181284-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: HandleModule$AddressFreeLibraryProc
                                                  • String ID:
                                                  • API String ID: 3947729631-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: _fread_nolockfread_s
                                                  • String ID:
                                                  • API String ID: 3465328306-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  • Associated: 00000003.00000002.1566151324.00007FF626E00000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566208358.00007FF626E23000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E33000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E39000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E3F000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566235938.00007FF626E41000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000003.00000002.1566331992.00007FF626E43000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: d06468e8018f1d3a49c8fb2b2c8a6c1928e0785be9612d8df375a43d0c3e1d98
                                                  • Instruction ID: b4fdb585dae5a6e583a1a00a8702b43c3dce5ed09309f682b97410b5da628815
                                                  • Opcode Fuzzy Hash: d06468e8018f1d3a49c8fb2b2c8a6c1928e0785be9612d8df375a43d0c3e1d98
                                                  • Instruction Fuzzy Hash: 19F0A46180C242C5EF645B3088813BD27A1DF49F18FA42135DA9A973D6CE3BD889D363
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 847d06e8797af203b89bb88710c619a1fd32f5fb76b65e0b6e0d7d17e0f13924
                                                  • Instruction ID: 33bcbc71c7c6328d4d8dc79966d8f8c181675738ab83331c078741094e799437
                                                  • Opcode Fuzzy Hash: 847d06e8797af203b89bb88710c619a1fd32f5fb76b65e0b6e0d7d17e0f13924
                                                  • Instruction Fuzzy Hash: E6F0B421A4C20752FE6467A96D0117D26A09F44750F240530E9DAE62C3DE2EE8518303
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 05bd597f1c2f430ec71908e497cad49f1acba4d30e0e2d9c093f57211559daa0
                                                  • Instruction ID: d6153e94db98ff5a6dfa43777f707aeb23daeb8c2b18896d5ac5c58f61d481dc
                                                  • Opcode Fuzzy Hash: 05bd597f1c2f430ec71908e497cad49f1acba4d30e0e2d9c093f57211559daa0
                                                  • Instruction Fuzzy Hash: 67F0E921B2C28642EF606769AC8107EA150FF447D0F505530FADED76C7DF2ED8814702
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 0e87bd9e42db2e8d7f1bf465a302cf8a45ccbe0db826729bca75c7f3bf6cade4
                                                  • Instruction ID: 4ffa019f41a9c7a70b291f96139e4f926de4d5e3dcc4620f8508932f5920d9c0
                                                  • Opcode Fuzzy Hash: 0e87bd9e42db2e8d7f1bf465a302cf8a45ccbe0db826729bca75c7f3bf6cade4
                                                  • Instruction Fuzzy Hash: 4EF09021A2D64341FE507B60AC412B92650AF44760F100630F5EEE62C2EE2EE8549712
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 6afe5c70a1d291b5cc6f70d17e86e6fe4e1b9fef5da39aae0e2669c436260485
                                                  • Instruction ID: db4cf703c4fa3691efdeb12e655f558da678eb4ff7d71ea56e0940048105769f
                                                  • Opcode Fuzzy Hash: 6afe5c70a1d291b5cc6f70d17e86e6fe4e1b9fef5da39aae0e2669c436260485
                                                  • Instruction Fuzzy Hash: B2F08C11F0D24744FE5457B25C413B512C04F887A0F4803B0DCAEC62C1EEAEEC816752
                                                  APIs
                                                    • Part of subcall function 00007FF626E056C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E056F6
                                                  • LoadLibraryW.KERNEL32(?,?,00000000,00007FF626E020FE,00000000,00007FF626E0273E), ref: 00007FF626E04E03
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharLibraryLoadMultiWide
                                                  • String ID:
                                                  • API String ID: 2592636585-0
                                                  • Opcode ID: 2e83b1e0d80bfeb64d80c4d350211a906be63e918abfb203055a3c321d4e7ede
                                                  • Instruction ID: f0916408cfc512d4a4078ff42ab150172863c9c78c13044dead94e3d5c113dd7
                                                  • Opcode Fuzzy Hash: 2e83b1e0d80bfeb64d80c4d350211a906be63e918abfb203055a3c321d4e7ede
                                                  • Instruction Fuzzy Hash: 90E08611B2814582DE189767BA0587AA251AF48BC0B489135DE4D47B56DD2DD4914B00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  • Associated: 00000003.00000002.1566705762.00007FFBAABD0000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566728877.00007FFBAABDC000.00000020.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566728877.00007FFBAAD55000.00000020.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAAD57000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAAD7C000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAADA3000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAADBC000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAADDD000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567103892.00007FFBAAE01000.00000008.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567126287.00007FFBAAE06000.00000004.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567149429.00007FFBAAE08000.00000008.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567172061.00007FFBAAE0B000.00000004.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567198977.00007FFBAAE11000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567198977.00007FFBAAE2A000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567198977.00007FFBAAE2E000.00000002.00000001.01000000.00000020.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastgetsockoptsetsockopt
                                                  • String ID: ..\s\crypto\bio\b_sock2.c
                                                  • API String ID: 2137281509-3200932406
                                                  • Opcode ID: 12efdc8ccf7b2e9759605e35139849d6657079d7c6e7c94ed37b065956f56127
                                                  • Instruction ID: 06c7b048751f1ff43a6295a969aadce80febfe8ce600c6185a3d45475bb6e56c
                                                  • Opcode Fuzzy Hash: 12efdc8ccf7b2e9759605e35139849d6657079d7c6e7c94ed37b065956f56127
                                                  • Instruction Fuzzy Hash: 9B71CFB1A09642C7FB22DF31E8047A93254FB85B44F404279DE8947AD5DF3DE64ACB60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  • Associated: 00000003.00000002.1566705762.00007FFBAABD0000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566728877.00007FFBAABDC000.00000020.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566728877.00007FFBAAD55000.00000020.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAAD57000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAAD7C000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAADA3000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAADBC000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1566934604.00007FFBAADDD000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567103892.00007FFBAAE01000.00000008.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567126287.00007FFBAAE06000.00000004.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567149429.00007FFBAAE08000.00000008.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567172061.00007FFBAAE0B000.00000004.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567198977.00007FFBAAE11000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567198977.00007FFBAAE2A000.00000002.00000001.01000000.00000020.sdmp
                                                  • Associated: 00000003.00000002.1567198977.00007FFBAAE2E000.00000002.00000001.01000000.00000020.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_errno$FileFind$ErrorFirstLastNextfreemallocmemset
                                                  • String ID:
                                                  • API String ID: 3372420414-0
                                                  • Opcode ID: 968b4e60be6234b19012ce801a432b3262cabe930b56801a9690dd629d3c1a04
                                                  • Instruction ID: 4d17a318c3ad20041c44829f594ebb900ff4ce3eb785b24dff4579aeccbf1d0e
                                                  • Opcode Fuzzy Hash: 968b4e60be6234b19012ce801a432b3262cabe930b56801a9690dd629d3c1a04
                                                  • Instruction Fuzzy Hash: 6BB1C2B6A06A82C5EB128F35D91827867A8FB59BA4F548371DE5D43BD4FF3CD0528320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentVariable$ByteCharMultiWide
                                                  • String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
                                                  • API String ID: 2184640988-1666712896
                                                  • Opcode ID: 718d73d7eab038b99290cd41b0c3c28f1b92d6b8d63c09cc89987006ed2300c8
                                                  • Instruction ID: e3664c23f0e58b4972eea56f41b58e0ede9b296710c51a34c2527e17d857a1d1
                                                  • Opcode Fuzzy Hash: 718d73d7eab038b99290cd41b0c3c28f1b92d6b8d63c09cc89987006ed2300c8
                                                  • Instruction Fuzzy Hash: 396125A2B0AB42C5FB229B76DC001756699FF45BA4B848271ED6E43BD5EF3CE5138310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Fiber$ErrorLastSwitch$CreateValuememmove
                                                  • String ID: *$..\s\crypto\async\async.c
                                                  • API String ID: 3019965278-1471988776
                                                  • Opcode ID: 6a145af970d285865a35a7261d46e26e6e2759828149aa883827f38fc653df2c
                                                  • Instruction ID: 630fa63faa7841627d80838dc155d219aeb7bdcf270fe059b9b5276c842968cc
                                                  • Opcode Fuzzy Hash: 6a145af970d285865a35a7261d46e26e6e2759828149aa883827f38fc653df2c
                                                  • Instruction Fuzzy Hash: 16C18FB660AB02D6FA22DB35E85427973A8FB44B44F404475CE9D47BA1EF3CE616C720
                                                  APIs
                                                  • GetTempPathW.KERNEL32(?,00000000,?,00007FF626E042ED), ref: 00007FF626E043CE
                                                  • GetCurrentProcessId.KERNEL32(?,00000000,?,00007FF626E042ED), ref: 00007FF626E043D4
                                                    • Part of subcall function 00007FF626E04560: GetEnvironmentVariableW.KERNEL32(00007FF626E025DA), ref: 00007FF626E0459A
                                                    • Part of subcall function 00007FF626E04560: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF626E045B7
                                                    • Part of subcall function 00007FF626E056C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E056F6
                                                    • Part of subcall function 00007FF626E056C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E05750
                                                    • Part of subcall function 00007FF626E10664: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1067D
                                                  • SetEnvironmentVariableW.KERNEL32(?,00000000,?,00007FF626E042ED), ref: 00007FF626E04494
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Environment$ByteCharMultiVariableWide$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
                                                  • String ID: TMP$_MEI%d
                                                  • API String ID: 850739655-1047136609
                                                  • Opcode ID: 2774ab36640aec6457bce4cf02adafe68635a41800451ba3ea008761917c2f16
                                                  • Instruction ID: ec4d056d44a0875780ddc16205bfa5ff9d7e0fb79d69b1a78ee3ade3ec944aa5
                                                  • Opcode Fuzzy Hash: 2774ab36640aec6457bce4cf02adafe68635a41800451ba3ea008761917c2f16
                                                  • Instruction Fuzzy Hash: CF518211B2D647C0EE54BB26BE156BE5241AF89BC0F845035EDCEE7B97DD2EE0018702
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: ba2cec4d47ba792ca5de36d595d6074de58dfd940a2d9bc65a45872d72ba5cc0
                                                  • Instruction ID: 6837fd650e085777d7ddec2baddfd33f4bbf35c379187682249e49511bb1ed87
                                                  • Opcode Fuzzy Hash: ba2cec4d47ba792ca5de36d595d6074de58dfd940a2d9bc65a45872d72ba5cc0
                                                  • Instruction Fuzzy Hash: A3315C32618B8286DF608F25EC406AE73A4FB88754F500136EA9D87B94EF3DD545CB01
                                                  APIs
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E1A29C
                                                    • Part of subcall function 00007FF626E13E38: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF626E13E16), ref: 00007FF626E13E41
                                                    • Part of subcall function 00007FF626E13E38: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF626E13E16), ref: 00007FF626E13E65
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                  • String ID: *$.$.
                                                  • API String ID: 4036615347-2112782162
                                                  • Opcode ID: d3f99600aac8a7ba07542c0f6aec527f8ca1a3c30beff32ad4f5f554625fa609
                                                  • Instruction ID: 27f9371ccc3254dfe58ddfb82da7caf941bcbadf789354af14d353dab0b7b85f
                                                  • Opcode Fuzzy Hash: d3f99600aac8a7ba07542c0f6aec527f8ca1a3c30beff32ad4f5f554625fa609
                                                  • Instruction Fuzzy Hash: 9551FE62F18B5185FF10DBAA9C042BD63A0BB48BC8F548135CE9DA7B85EE3DD8429311
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: EnvironmentVariable$strchrwcschr
                                                  • String ID:
                                                  • API String ID: 2618829048-0
                                                  • Opcode ID: 6653d4a39e1cc46233a553b7792d4bf2e2cc0d2a5abb9b4eb4d0752012b84b7c
                                                  • Instruction ID: 1c898e976c5932c243afad8e3fee505862eaafc358180a52be38e1bf5974b1c8
                                                  • Opcode Fuzzy Hash: 6653d4a39e1cc46233a553b7792d4bf2e2cc0d2a5abb9b4eb4d0752012b84b7c
                                                  • Instruction Fuzzy Hash: A8F1FE21E0D65241FE21AB269C442B92690AF21BA0F084675DEFDD73D1DE7FEC42A342
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmove$memset
                                                  • String ID:
                                                  • API String ID: 3790616698-0
                                                  • Opcode ID: df623fab108c65763f031bb44a5941982a0dc65d18a0d482169fda7ce8fc079b
                                                  • Instruction ID: d50a91e987772c1b82e99965e318cd10e11c947b025e2ff04df7ae7a68790175
                                                  • Opcode Fuzzy Hash: df623fab108c65763f031bb44a5941982a0dc65d18a0d482169fda7ce8fc079b
                                                  • Instruction Fuzzy Hash: 8A51E27271A785C2EA11CB26F84026BBBA8FB89B94F444175EE9C07B99DF3CD106C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmove$memset
                                                  • String ID: ..\s\crypto\pkcs12\p12_key.c
                                                  • API String ID: 3790616698-2868009966
                                                  • Opcode ID: fec18282f624b6f23fd515b21897ea9c7d69ac3f9f3b8b666b21219a9a000482
                                                  • Instruction ID: a5f02081b815d3fadb74a69982c55c02d0eeee4dafe98cffda280aaec6fc3401
                                                  • Opcode Fuzzy Hash: fec18282f624b6f23fd515b21897ea9c7d69ac3f9f3b8b666b21219a9a000482
                                                  • Instruction Fuzzy Hash: 73D1B8A5B0A686C1FA229B26D8003BA7799FFC5BC0F445075EE4D57B96DE3DE4038720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmovememset
                                                  • String ID: ..\s\crypto\rsa\rsa_oaep.c$]
                                                  • API String ID: 1288253900-3318549696
                                                  • Opcode ID: c0b0c32fa97128152d9a08a02b160fa810bc0faaf28a08ddd03395a762d8ad5e
                                                  • Instruction ID: 144ea83b149e09aa102da728309229e94374f082231aa7cc158f2771f239a66b
                                                  • Opcode Fuzzy Hash: c0b0c32fa97128152d9a08a02b160fa810bc0faaf28a08ddd03395a762d8ad5e
                                                  • Instruction Fuzzy Hash: D3C1C1A2B19BC685EA128B38D8406BE6764FB85B84F504236DF8E53B55FF3CD10AC710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastrecv
                                                  • String ID:
                                                  • API String ID: 2514157807-0
                                                  • Opcode ID: 79a89b2597b96d229d4e995bc724a7c46ce2f724cc1a40df88610be099144cda
                                                  • Instruction ID: 0e3a5507bdcc7cf8accb92f0cc1283b378bea6fe332941867155a4a93bc4cebe
                                                  • Opcode Fuzzy Hash: 79a89b2597b96d229d4e995bc724a7c46ce2f724cc1a40df88610be099144cda
                                                  • Instruction Fuzzy Hash: 3701E5A1B0A782C2F7966B76E94023D6A59FF44BC4F404075EE0D57F96EE2CD8138310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strspn$strncmp
                                                  • String ID: $ $ ,$..\s\crypto\pem\pem_lib.c$DEK-Info:$ENCRYPTED$Proc-Type:
                                                  • API String ID: 1384302209-3505811795
                                                  • Opcode ID: 957a7918354118ffed1176fd6ac36a159e32f02cada5e88d736e1538f2d6e484
                                                  • Instruction ID: 2f50cb01f475a5af226cbe9bbd708e876c934e6eb5c0f41f974282f92f813e57
                                                  • Opcode Fuzzy Hash: 957a7918354118ffed1176fd6ac36a159e32f02cada5e88d736e1538f2d6e484
                                                  • Instruction Fuzzy Hash: 6C91AEF1A0A653C6FB229B31E8102B93358EF04B44F4444B5DE8D47AA5EF6DE55BC720
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
                                                  • String ID:
                                                  • API String ID: 627783611-0
                                                  • Opcode ID: 7fe3cc309b6c9c2aadd3b2cb29106bc6e5feddc1a4ad658a052828156223869d
                                                  • Instruction ID: 66a2e74cbb09027631007f700d20ca94da5b5a6e8d25181e732910670dc7a589
                                                  • Opcode Fuzzy Hash: 7fe3cc309b6c9c2aadd3b2cb29106bc6e5feddc1a4ad658a052828156223869d
                                                  • Instruction Fuzzy Hash: E4917DA0E0A642C6FA529FB6E4402BAE6D8AF85780F4450B5DD4D477B2FE3CE5478730
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strtoul
                                                  • String ID: $$, value=$..\s\crypto\asn1\asn_mstbl.c$field=$flags$mask$max$min$name=$nomask$none
                                                  • API String ID: 3805803174-2031678796
                                                  • Opcode ID: e89e7a0c6427e0a223ead49f4a1e019a595259fb738fca17cb348e86c07ee72c
                                                  • Instruction ID: 5f8679bb38df61d9d9ef097b06273563563f3bba987a068ac3d5f4062aa9dd85
                                                  • Opcode Fuzzy Hash: e89e7a0c6427e0a223ead49f4a1e019a595259fb738fca17cb348e86c07ee72c
                                                  • Instruction Fuzzy Hash: 4AA1B3A9A09686C6EB12DB31E1103BD77A9FB45780F884176DE8E43795DF3CE44AC720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strtoul
                                                  • String ID: , value=$..\s\crypto\asn1\asn_mstbl.c$field=$flags$mask$max$min$n$name=$nomask$none
                                                  • API String ID: 3805803174-975128978
                                                  • Opcode ID: 5c0f18f2cd2457612f599e1d2d76b1510644cb2f77c81e8faa3bd94349c2e882
                                                  • Instruction ID: e64c013d158d083504766a3c21989bf962332218ce3e0b4e69529f5d6fdbb84d
                                                  • Opcode Fuzzy Hash: 5c0f18f2cd2457612f599e1d2d76b1510644cb2f77c81e8faa3bd94349c2e882
                                                  • Instruction Fuzzy Hash: F771D7A9609686C5E6639732E0102FD77A5FB45780F8481B2DE9E43792DF7DE40BC720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strcmp$strncmp$isspace
                                                  • String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
                                                  • API String ID: 3709746212-3630080479
                                                  • Opcode ID: f21bf694d5589c9a22ba0d16a14b86a9b5fdaa53933b51cbba4cace628801bfa
                                                  • Instruction ID: 6b75829eb5ebab07acbf75a3309cb83ffdbb27228f6be201660b647aaa39454b
                                                  • Opcode Fuzzy Hash: f21bf694d5589c9a22ba0d16a14b86a9b5fdaa53933b51cbba4cace628801bfa
                                                  • Instruction Fuzzy Hash: 9AC17BE9B0E642D6FA56DB31E4002BD6259AF84784FC844B6DE4D07796EF3CE50AC720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Module_$Object$Capsule_ConstantCreate2Object_String
                                                  • String ID: 11.0.0$UCD$ucd_3_2_0$ucnhash_CAPI$unicodedata.ucnhash_CAPI$unidata_version
                                                  • API String ID: 3760240918-4182789126
                                                  • Opcode ID: b9ba3667fa5eb0936dc88d7244baf2c81d3f9d1e46d32926d63ab9ab8251de3e
                                                  • Instruction ID: bf4d898f3c2ce4e19b667e9ed9d691f459ae55b7a91a2173851d1d0ae0028462
                                                  • Opcode Fuzzy Hash: b9ba3667fa5eb0936dc88d7244baf2c81d3f9d1e46d32926d63ab9ab8251de3e
                                                  • Instruction Fuzzy Hash: 3411DAE4A0BB07D1FE52DFB5E9441B5A3A9AF48B46B4420B5CC0E17271FE2CA50BC360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isspace
                                                  • String ID: ,Reason=$..\s\crypto\ocsp\ocsp_ht.c$Code=
                                                  • API String ID: 3785662208-3537114172
                                                  • Opcode ID: 0dd834cc59f5c5e69229972dd00902d4bdcbb96ba6df7f871908d9b69c26edc2
                                                  • Instruction ID: 4cdda84b8587e19db2925e9e7a21a81613fbfac9e274190dfd2aafe0e56357e8
                                                  • Opcode Fuzzy Hash: 0dd834cc59f5c5e69229972dd00902d4bdcbb96ba6df7f871908d9b69c26edc2
                                                  • Instruction Fuzzy Hash: 0D61B0E1A0E582C6FB138F35E81037967A8AB05B44F4840B5DE8D47A91EF2DD5968720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isspace$memmovestrrchr
                                                  • String ID: &$..\s\crypto\asn1\asn_moid.c
                                                  • API String ID: 236176661-2391411541
                                                  • Opcode ID: f4608e3a43de18ed88606e5759f4b959846972c0334b27dac28ffec061a3f4dc
                                                  • Instruction ID: 68fa1c1dce9827d4f7888601992f8b8d9e3a9ea884961a112c49a791169538e4
                                                  • Opcode Fuzzy Hash: f4608e3a43de18ed88606e5759f4b959846972c0334b27dac28ffec061a3f4dc
                                                  • Instruction Fuzzy Hash: 985196A5B0A682C6FA169B32E4102BD6799EF41B80F8C8075DE9D47795DF3DE44B8320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strchr
                                                  • String ID: ..\s\crypto\ocsp\ocsp_lib.c$/$/$443$[$http$https
                                                  • API String ID: 2830005266-535551730
                                                  • Opcode ID: cc810f09e1c353f3e40941b6364dd42f3ca00c94dcd863706d4ba81b343d6424
                                                  • Instruction ID: fc5bb0b903c6ed6ce22e2ca05841749eee5b97d4d786a31ef0447d310beaae3d
                                                  • Opcode Fuzzy Hash: cc810f09e1c353f3e40941b6364dd42f3ca00c94dcd863706d4ba81b343d6424
                                                  • Instruction Fuzzy Hash: 9B617EA5B0EB42D5FA13DF25D81027A2B68EB45B80F4480B5DE9E07796EE3CE157C320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: atoi$strcmp
                                                  • String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$o$secs
                                                  • API String ID: 4175852868-2913108578
                                                  • Opcode ID: fe03227c0863cdba2dbb67a541af57d575ae428a1de4e9f850f1ce2c4086936e
                                                  • Instruction ID: 811d6b88fa71c3183ae023fe1bca844186f5edf2161256f1ef10a8e6c2bf4ba6
                                                  • Opcode Fuzzy Hash: fe03227c0863cdba2dbb67a541af57d575ae428a1de4e9f850f1ce2c4086936e
                                                  • Instruction Fuzzy Hash: 5751A2A5B0BA47D6EA06DB35E4002B93398FF88B84F4444B5DDDE63B61DE3CE4078620
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Mem_$Free$DataErr_FromKindMallocMemoryReallocUnicode_
                                                  • String ID: 0$0
                                                  • API String ID: 857045822-203156872
                                                  • Opcode ID: 636198e2b82285325a47393fb7e48aac1d833f71378457af8956e62c62ba5253
                                                  • Instruction ID: 7666fb2d6fe23cdc0ceab0e54fec718d4f3ff28acf0d987df8c62a1f900f1d65
                                                  • Opcode Fuzzy Hash: 636198e2b82285325a47393fb7e48aac1d833f71378457af8956e62c62ba5253
                                                  • Instruction Fuzzy Hash: 5DF1F3F2E0A692C6F6269FA4D04867977E8FB85B80F144175DE5E076A0EE3CE507C720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                  • API String ID: 3215553584-2617248754
                                                  • Opcode ID: 5ea786e8e141746a9ab0082f876dfec3a53250d85f40d41a760b569640bac513
                                                  • Instruction ID: 10055cd89ee2b24b028fcd6fe2eea30eb35f605304a41d812a773d674e5fe887
                                                  • Opcode Fuzzy Hash: 5ea786e8e141746a9ab0082f876dfec3a53250d85f40d41a760b569640bac513
                                                  • Instruction Fuzzy Hash: A4419A72A09B4689EF04CB25E8417ED37A5FB18788F405536EE9C87B94EE3ED425C341
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Time$Systemperror$Filegetsockoptsetsockopt
                                                  • String ID: getsockopt$gfff$setsockopt
                                                  • API String ID: 1115382697-2244914463
                                                  • Opcode ID: 29c8e17fa1067b3e355520509c292eb51afd193eee9be711f0719f66b1a98e31
                                                  • Instruction ID: 6d7e752959d5f9094ccf5cf1297bc0ff98b074bdbe5f09b40a32113d1791a445
                                                  • Opcode Fuzzy Hash: 29c8e17fa1067b3e355520509c292eb51afd193eee9be711f0719f66b1a98e31
                                                  • Instruction Fuzzy Hash: E34122B6B1A642C6FB558F34E85027977A8FB98744F505036EA4E83E94EF3CE5428B00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
                                                  • String ID: Service-0x$_OPENSSL_isservice
                                                  • API String ID: 459917433-1672312481
                                                  • Opcode ID: ae9fc7827a4d29f6bc034760549bc02f56c23f5be27f0cb27b3c47ca4000a6b2
                                                  • Instruction ID: 934b7632288c0c4bb5cc038a7bfb2a4917a43b573f51f9c831d76a3d7b6eb087
                                                  • Opcode Fuzzy Hash: ae9fc7827a4d29f6bc034760549bc02f56c23f5be27f0cb27b3c47ca4000a6b2
                                                  • Instruction Fuzzy Hash: 7841A1B1656B82C6FB22AF34D8442A82298FF49774B544774ED7E07BD4EF2CE1468320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isspace$memmovestrrchr
                                                  • String ID: ..\s\crypto\asn1\asn_moid.c
                                                  • API String ID: 236176661-3897362374
                                                  • Opcode ID: 981ebdbddafc5d2a1383ddea474923a38d010d1651cc4167c21a055e91bda7df
                                                  • Instruction ID: 1eedb3641e5977275277675e034e12d9ebfea8a495ffb360b89f418c79bc51b1
                                                  • Opcode Fuzzy Hash: 981ebdbddafc5d2a1383ddea474923a38d010d1651cc4167c21a055e91bda7df
                                                  • Instruction Fuzzy Hash: A131D7E5A0F693C1FB125B32E8501BD67989F05B80F4C80B5DE9D47696DF2CE54B8320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: htonl
                                                  • String ID: %U?%d$%s?%d$Failed to append to sys.path$Failed to convert %s to ShortFileName$Installing PYZ: Could not get sys.path$path$strict$utf-8
                                                  • API String ID: 2009864989-475945972
                                                  • Opcode ID: 1b3fda98628402addbf6982201172697a2ba6a6b395c018e2d9f813a0af76745
                                                  • Instruction ID: d9ee969ac56f07a075c609f7ac1d792c52468a0230a4465f354169891f76c284
                                                  • Opcode Fuzzy Hash: 1b3fda98628402addbf6982201172697a2ba6a6b395c018e2d9f813a0af76745
                                                  • Instruction Fuzzy Hash: E6419121A2CA8381EE049B16EC441B963A1FF45B90F544135D9AEABBE4DF3EE445C742
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _errno$ErrorLastfclosestrchr
                                                  • String ID: ','$..\s\crypto\bio\bss_file.c$J$fopen('
                                                  • API String ID: 755514220-3777956436
                                                  • Opcode ID: 7cf6ca53dd8c5b95a2aa503dde34870a575522ca887ce17c68742a8f62cd49f6
                                                  • Instruction ID: 1f9f9576dee88f533c89fa7d3aac2770a6341025469fbb8403bcea7040213ffd
                                                  • Opcode Fuzzy Hash: 7cf6ca53dd8c5b95a2aa503dde34870a575522ca887ce17c68742a8f62cd49f6
                                                  • Instruction Fuzzy Hash: 9E31B2B1B0AA42C6F7129F31E8402A97369FF44B84F444579EE8D07B96EF3DE5168720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strncmp
                                                  • String ID: %-8d$, path=$, retcode=$, value=$..\s\crypto\conf\conf_mod.c$OPENSSL_finish$OPENSSL_init$module=$path
                                                  • API String ID: 1114863663-3652895664
                                                  • Opcode ID: 7185f3a8fe28e715526d816ea2fc1d4bb2088bb723e7b3d452c9ba6dc56682de
                                                  • Instruction ID: 465072e5f1cb34f9c402485c64ddb5031e8c78ca7ed4bec95260dcdbc96f2bd9
                                                  • Opcode Fuzzy Hash: 7185f3a8fe28e715526d816ea2fc1d4bb2088bb723e7b3d452c9ba6dc56682de
                                                  • Instruction Fuzzy Hash: 92A1C7A5B4A643D6FA52DB32E8002B96298EF44B80F4401B5ED5E47B92EF3CE5078720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isdigitstrchr
                                                  • String ID: %ld$'()+,-./:=?$..\s\crypto\asn1\a_mbstr.c$maxsize=$minsize=$u
                                                  • API String ID: 4006902084-1260310586
                                                  • Opcode ID: bf2f10368aa46ee9d223384f44465b4f3f52b5a4b175ccf54b425e376b1c825e
                                                  • Instruction ID: 7c44b7dfd313af32579b9b9ec6e32570d8018590183c04a9cc024766ea892e34
                                                  • Opcode Fuzzy Hash: bf2f10368aa46ee9d223384f44465b4f3f52b5a4b175ccf54b425e376b1c825e
                                                  • Instruction Fuzzy Hash: B912B2BAF0A282CAF7328B75D4043BC26A9BB41348F9441B5DE5D176D5DE3CE9878720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastsetsockopt
                                                  • String ID: ..\s\crypto\bio\b_sock2.c$m
                                                  • API String ID: 1729277954-2173729257
                                                  • Opcode ID: 237c78ba6e62276d331633910fd05e99d9fd4f51be2fe486cd9c7019ad328b6c
                                                  • Instruction ID: 4927cf38311ac331b8c568cb3ca2e04486cf8251d22b7914ad1547f21ab66b44
                                                  • Opcode Fuzzy Hash: 237c78ba6e62276d331633910fd05e99d9fd4f51be2fe486cd9c7019ad328b6c
                                                  • Instruction Fuzzy Hash: 1451BDB1B09502C6F722DF31E8143A97369FB84B48F504275EE9907A95DF3DE50ACB60
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: FromSizeStringUnicode_$Arg_Parse_S_snprintfmemcpy
                                                  • String ID: $%04X$C:decomposition
                                                  • API String ID: 1775429316-223850201
                                                  • Opcode ID: 71c0ca379bc620ea4c9d2cbe8656ece7881e7ae3f38eca93a273c92c989ca538
                                                  • Instruction ID: 4c70d594fc2daca64dd94f6988fd37cdf760917705032cde8d0cdff2ee75c4a7
                                                  • Opcode Fuzzy Hash: 71c0ca379bc620ea4c9d2cbe8656ece7881e7ae3f38eca93a273c92c989ca538
                                                  • Instruction Fuzzy Hash: D141B3B2A09A91D2FA239F64D5443B967D8FB54BA0F441271CE6E076E0EF3CD44B8320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strcmpstrncmpstrtoul
                                                  • String ID: MASK:$default$nombstr$pkix$utf8only
                                                  • API String ID: 1175158921-3483942737
                                                  • Opcode ID: a5aa9d1bc14a8521f2e16cef0a299dcbcbb89c428d9351029a038ce5cfad5276
                                                  • Instruction ID: 8e5f9139e59cdccfab87e7b4f3f6b1a9519ffb3a911849b0a2f56f56d92a106a
                                                  • Opcode Fuzzy Hash: a5aa9d1bc14a8521f2e16cef0a299dcbcbb89c428d9351029a038ce5cfad5276
                                                  • Instruction Fuzzy Hash: 433107A2B1A582C6EB534B38F4503B93BA4EF45740F8442B1EF9E47691DE1CE493C720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Err_FromUnicode_strncmp$Arg_DataFormatKindOrdinalParse_SizeString
                                                  • String ID: name too long$s#:lookup$undefined character name '%s'
                                                  • API String ID: 1473278383-1943843822
                                                  • Opcode ID: 954ddeb8d37aea01965fd4e5edf7ccfded55ed13d8f95723bd2b03c38ef6729e
                                                  • Instruction ID: 22c3cc36054ec22ec43a82bafaf96e48fd40643875c2195765575ae153a579b2
                                                  • Opcode Fuzzy Hash: 954ddeb8d37aea01965fd4e5edf7ccfded55ed13d8f95723bd2b03c38ef6729e
                                                  • Instruction Fuzzy Hash: F2213CA1B09A46C1FB02CFA5E4841B9A3A9FB88B84F441072DE0E47765FF6CE547CB10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strncmp
                                                  • String ID: ..\s\crypto\asn1\asn1_gen.c$ASCII$BITLIST$HEX$UTF8
                                                  • API String ID: 1114863663-1110328159
                                                  • Opcode ID: 39727e97ff5851807586ca079c4f23bf924a5dc0774dd42df5fa8ede5b3a3ca5
                                                  • Instruction ID: 925db6b1b33dbc3cbc6b2bbac5b8b4279822af6ba671af3cdd3dcaa855f34d9b
                                                  • Opcode Fuzzy Hash: 39727e97ff5851807586ca079c4f23bf924a5dc0774dd42df5fa8ede5b3a3ca5
                                                  • Instruction Fuzzy Hash: FB114DF9B0E642D5FB638F22D5103782659EB04B94F80807ACD4D47694EF7CE54ACB22
                                                  APIs
                                                    • Part of subcall function 00007FF626E056C0: MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E056F6
                                                    • Part of subcall function 00007FF626E11320: SetConsoleCtrlHandler.KERNEL32(?,00007FF626E04C70,00000000,00007FF626E027B0), ref: 00007FF626E1138D
                                                    • Part of subcall function 00007FF626E11320: GetLastError.KERNEL32(?,00007FF626E04C70,00000000,00007FF626E027B0), ref: 00007FF626E113A8
                                                  • GetStartupInfoW.KERNEL32 ref: 00007FF626E04CA7
                                                    • Part of subcall function 00007FF626E102C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E102DC
                                                    • Part of subcall function 00007FF626E10E90: _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E10EF7
                                                  • GetCommandLineW.KERNEL32 ref: 00007FF626E04D2F
                                                  • CreateProcessW.KERNEL32 ref: 00007FF626E04D71
                                                  • WaitForSingleObject.KERNEL32 ref: 00007FF626E04D83
                                                  • GetExitCodeProcess.KERNEL32 ref: 00007FF626E04D93
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlErrorExitHandlerInfoLastLineMultiObjectSingleStartupWaitWide
                                                  • String ID: CreateProcessW$Error creating child process!
                                                  • API String ID: 1742298069-3524285272
                                                  • Opcode ID: 05d262c293b487762f3dbad098e564223b159d77222357447265fbdf363835cf
                                                  • Instruction ID: ad287d7ef93f3fc4b7d414a6db47bbc5b5166a037bbb9824f7bd3cdf001a553f
                                                  • Opcode Fuzzy Hash: 05d262c293b487762f3dbad098e564223b159d77222357447265fbdf363835cf
                                                  • Instruction Fuzzy Hash: 4A416232A0C68286DF10DB60F8452EEB3A1FF94350F504535E6CD93A9AEF7DD5548B41
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memsetstrncpy
                                                  • String ID: , failure codes: $, status text: $..\s\crypto\ts\ts_rsp_verify.c$status code: $unknown code$unspecified
                                                  • API String ID: 388311670-2553778726
                                                  • Opcode ID: d8248f4815dfb57c955df11d0adba861b260a6dcfe094448280a023f608cd267
                                                  • Instruction ID: 49c05edf61dc8e40f0cda9f3f76f1f5cc3ea857acd6e3ce88c995af085aff317
                                                  • Opcode Fuzzy Hash: d8248f4815dfb57c955df11d0adba861b260a6dcfe094448280a023f608cd267
                                                  • Instruction Fuzzy Hash: D181B0B5B0A686D6FB62DB31D4403B963A8EB89B80F9440B5DEDD43791DF3CE4068320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Mem_$Malloc$Err_FreeMemory
                                                  • String ID: 0
                                                  • API String ID: 1333846002-4108050209
                                                  • Opcode ID: ac0cd9dad7bb92226a4b930b896b2f17d7cd400103a064e6564edbcdac359049
                                                  • Instruction ID: 04e1694aabbb9762901d0c2aca937e8038da5720c9c6346cbb7aaaf631d8f35a
                                                  • Opcode Fuzzy Hash: ac0cd9dad7bb92226a4b930b896b2f17d7cd400103a064e6564edbcdac359049
                                                  • Instruction Fuzzy Hash: 6DC1BDB1A0E652C6F6769FA4D05867D66E8FB01794F1001B2EE4E426A0FF2DE847C720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strncmp
                                                  • String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
                                                  • API String ID: 1114863663-87138338
                                                  • Opcode ID: e6c50c973f45941aec730bd366ea3640c97d0f73c903663a45224574febfbc58
                                                  • Instruction ID: e58513198dbb0d5f577c2d0dd35034604b1221ade8d79c9ec14389c7cc3deaa2
                                                  • Opcode Fuzzy Hash: e6c50c973f45941aec730bd366ea3640c97d0f73c903663a45224574febfbc58
                                                  • Instruction Fuzzy Hash: C1B104A2B09642C6F6224FB9C44027966D8BB45BA4F4103B5DE6D833E1FE3CEC438720
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isspace$isalnumisdigit
                                                  • String ID:
                                                  • API String ID: 2198966314-0
                                                  • Opcode ID: aa22fc3c88503bc0a0c2ecd118ae8b00e230d66334d1ff3dded09c42363f25b7
                                                  • Instruction ID: 80064bd0e44e7d6695aa7ac0da868e6240d04546fade7811ff7ec59c13dd9acc
                                                  • Opcode Fuzzy Hash: aa22fc3c88503bc0a0c2ecd118ae8b00e230d66334d1ff3dded09c42363f25b7
                                                  • Instruction Fuzzy Hash: 3C41D4A1A0E2A2D5FB625F31EC543796BA8FB05B84F4840F4DE8D42985EF2DD4478730
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
                                                  • API String ID: 0-3528878251
                                                  • Opcode ID: ecee6329b526dee13c4c36ddf591b1f0735e3d777ab7548333349780420002b0
                                                  • Instruction ID: ad4e15a6833aee7df896743d7c74f9c87d8af1fc5f0af9a74466ba3d64bf876b
                                                  • Opcode Fuzzy Hash: ecee6329b526dee13c4c36ddf591b1f0735e3d777ab7548333349780420002b0
                                                  • Instruction Fuzzy Hash: 9441F9A2B19182C1FFA25FB6E61067866D5EF85BC4F4850B1DE0F42765FE2CD04B8610
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Timeperror$ErrorLastSystemsetsockopt$Filegetsockoptrecvfrom
                                                  • String ID: setsockopt
                                                  • API String ID: 469914002-3981526788
                                                  • Opcode ID: 56db6eeb0113412606949d3a5190c690f45ff68da6bab4d89411168ce9b1bc9f
                                                  • Instruction ID: e4a11300e5af9a0d9c2e9834daf9d665b17a0e1595ca6c434537c26578ed0683
                                                  • Opcode Fuzzy Hash: 56db6eeb0113412606949d3a5190c690f45ff68da6bab4d89411168ce9b1bc9f
                                                  • Instruction Fuzzy Hash: 3741E1B2B19642C6F7519F35E89022A77A8FB88784F400175EE4E83F94EF3CE4568B10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: FromStringUnicode_$S_snprintfSizememcpy
                                                  • String ID: $%04X
                                                  • API String ID: 3253253298-4013080060
                                                  • Opcode ID: f10fdfa9caa85e4dd474249333d0b256f3db330c26ac83f201225fb80a7eb4cb
                                                  • Instruction ID: 7b451b5cf75b2f09b88401c95f424fec77f03105763da83b20d62faf1d4c57cd
                                                  • Opcode Fuzzy Hash: f10fdfa9caa85e4dd474249333d0b256f3db330c26ac83f201225fb80a7eb4cb
                                                  • Instruction Fuzzy Hash: 9C3182B2A09A8182FA239F65E4143B967E4FB49B60F440275DE6E477E4EF3CD5478310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Arg_DoubleErr_Float_FromNumericParseSizeStack_StringUnicode_
                                                  • String ID: C|O:numeric$not a numeric character
                                                  • API String ID: 1654542721-2358484945
                                                  • Opcode ID: da7430f40d876e1bfb9f58aade698e4490dee9bcae1a498064fe5f425e5d62b8
                                                  • Instruction ID: e1c256fee2e4051cf00acc3f1612988a5939649e963b79035101ae58184cc04f
                                                  • Opcode Fuzzy Hash: da7430f40d876e1bfb9f58aade698e4490dee9bcae1a498064fe5f425e5d62b8
                                                  • Instruction Fuzzy Hash: D72184A1A09B45C5F6429FA1F404139E3E4FB48B90F4840B1DE4E57769EF3CE4978B50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Arg_DecimalDigitErr_FromLongLong_ParseSizeStack_StringUnicode_
                                                  • String ID: C|O:decimal$not a decimal
                                                  • API String ID: 3392957115-3814973584
                                                  • Opcode ID: b6c5b79b7ae552e7378b10a2eb547f96ad55e633272a7dc70dd545333771aa50
                                                  • Instruction ID: dc36c1cd2a2b35dc8fcb8e014b88d35c654585bce0411a12c81ef740d50e60a5
                                                  • Opcode Fuzzy Hash: b6c5b79b7ae552e7378b10a2eb547f96ad55e633272a7dc70dd545333771aa50
                                                  • Instruction Fuzzy Hash: F1215361B09A91C2EB028FA5F404279A3E4FB84B94F4850B1EE4E47769EF6CD457C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastfflush
                                                  • String ID: ','$..\s\crypto\bio\bss_file.c$fflush()$fopen('
                                                  • API String ID: 1518747402-2694509311
                                                  • Opcode ID: e5905d0545d63c97224a07d2f8fe671e84450e4526203a99f4ca7ce7d3b6c4fb
                                                  • Instruction ID: 8d120080293853525fbef4b4e635bb5fe8f3fedd844221919fc9ab83501d1f93
                                                  • Opcode Fuzzy Hash: e5905d0545d63c97224a07d2f8fe671e84450e4526203a99f4ca7ce7d3b6c4fb
                                                  • Instruction Fuzzy Hash: 7C2180F5A0E542C2F3529B30D8001A96BA8FB45758F8005B6EA9D03BD5DF7DE51BC720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Arg_DigitErr_FromLongLong_ParseSizeStack_StringUnicode_
                                                  • String ID: C|O:digit$not a digit
                                                  • API String ID: 3162013007-464030167
                                                  • Opcode ID: c3b0f26561a28324365b276687b5a14ebe39306a41bc78b67c403baadc05986e
                                                  • Instruction ID: 13f3c3238fe6f1af474424e64f0ab2ecc60bba20cd4266ed2c7126e9acb55529
                                                  • Opcode Fuzzy Hash: c3b0f26561a28324365b276687b5a14ebe39306a41bc78b67c403baadc05986e
                                                  • Instruction Fuzzy Hash: 66110CA5B19B42C2EE02DF71E85026AA3E4FB89B95F981071DE4D47725EF3CD41BC610
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmove
                                                  • String ID: )$..\s\crypto\evp\p5_crpt.c$assertion failed: EVP_CIPHER_iv_length(cipher) <= 16$assertion failed: EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
                                                  • API String ID: 2162964266-3025833483
                                                  • Opcode ID: f38fb61a77def7bba3f855c6d4067cd739d03024248c511cd56e6ec2af081b6f
                                                  • Instruction ID: 83002adccf4a30d8cc3b619f8919b75fd6faca6c499c4990aceb672f9246932b
                                                  • Opcode Fuzzy Hash: f38fb61a77def7bba3f855c6d4067cd739d03024248c511cd56e6ec2af081b6f
                                                  • Instruction Fuzzy Hash: 5E91C5B9A1E683C5FA62E735D9503B96359EF85784FC40071EE4D47A97EF2CE8028720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strchr
                                                  • String ID: characters$ to $..\s\crypto\ui\ui_lib.c$You must type in
                                                  • API String ID: 2830005266-3422546668
                                                  • Opcode ID: 07dddb3263f304df54fdbd9711671b33dbf135c719acd1bead022a499d2dd06a
                                                  • Instruction ID: f77e65f443400202f6a807183a0374b6d6ef159781ce1390685c304fd97759ef
                                                  • Opcode Fuzzy Hash: 07dddb3263f304df54fdbd9711671b33dbf135c719acd1bead022a499d2dd06a
                                                  • Instruction Fuzzy Hash: 2551C2A6B0A642C6FA62CB34D4502B93BA8FB54B44F4042B2DEEC476D1CF3DE452C760
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: __acrt_iob_func$_setmode$_fileno
                                                  • String ID:
                                                  • API String ID: 2229569496-0
                                                  • Opcode ID: a481417be05173e43ecfa1b77bdcc274a82f8553fc7fe45d2d06c1e3c9cac551
                                                  • Instruction ID: 5b07827080d9eed5a948aea018b24b6f8da2efa060149ce0a29ede4f038c1baa
                                                  • Opcode Fuzzy Hash: a481417be05173e43ecfa1b77bdcc274a82f8553fc7fe45d2d06c1e3c9cac551
                                                  • Instruction Fuzzy Hash: 2E1184A1F0A511C3FB9A6B35D81423966A9FF48704F504076DE0E47B81DF7CE82B8720
                                                  APIs
                                                  • strchr.VCRUNTIME140(?,00000000,?,00007FFBAAD43F6B,?,?,?,00007FFBAAD43467), ref: 00007FFBAAD440F1
                                                  • strchr.VCRUNTIME140(?,00000000,?,00007FFBAAD43F6B,?,?,?,00007FFBAAD43467), ref: 00007FFBAAD4411F
                                                  • strchr.VCRUNTIME140(?,00000000,?,00007FFBAAD43F6B,?,?,?,00007FFBAAD43467), ref: 00007FFBAAD44133
                                                  • strchr.VCRUNTIME140(?,00000000,?,00007FFBAAD43F6B,?,?,?,00007FFBAAD43467), ref: 00007FFBAAD442CE
                                                  • strchr.VCRUNTIME140(?,00000000,?,00007FFBAAD43F6B,?,?,?,00007FFBAAD43467), ref: 00007FFBAAD442DE
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strchr
                                                  • String ID:
                                                  • API String ID: 2830005266-0
                                                  • Opcode ID: 5f29d590f409323ca5425571f678a69d61dd990e29c2448b5eea4eb1a79431ca
                                                  • Instruction ID: bc1877c2ca65b7643ed06d3a3fb4ce183481d369ab8d4cc73063e126228eccfc
                                                  • Opcode Fuzzy Hash: 5f29d590f409323ca5425571f678a69d61dd990e29c2448b5eea4eb1a79431ca
                                                  • Instruction Fuzzy Hash: 24B1C5F1B5A282C7FA628635C4442786F9DEB41B94F588175DEEE477C1DE2DE8C38220
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strchr$strrchr
                                                  • String ID: ..\s\crypto\bio\b_addr.c
                                                  • API String ID: 189730685-2547254400
                                                  • Opcode ID: d22fb818a08779ad7788e03c4be5e6a7466b2fb283ae63310f90979b5c92d01e
                                                  • Instruction ID: 9a29c6ed61321adfa70d8cab9fbdd8ce04f4eb94440af6b8a22366b9f4ec93d1
                                                  • Opcode Fuzzy Hash: d22fb818a08779ad7788e03c4be5e6a7466b2fb283ae63310f90979b5c92d01e
                                                  • Instruction Fuzzy Hash: 5F61B6A1A0E257E6FA638F31D904779A6DCAF00B44F1445B1DE8D26E85EF7CE9438320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: FormatMessagegetnameinfohtonsmemset
                                                  • String ID: $..\s\crypto\bio\b_addr.c
                                                  • API String ID: 2299657542-1606403076
                                                  • Opcode ID: 9499b93fbcaf11c8f1d333a266be7f7b3775aa63e6282e3f191211555a1bec20
                                                  • Instruction ID: 0345ad536c746642d762ce02e09a42be8d3eb1779b7d4f2fb5e6231945893d6d
                                                  • Opcode Fuzzy Hash: 9499b93fbcaf11c8f1d333a266be7f7b3775aa63e6282e3f191211555a1bec20
                                                  • Instruction Fuzzy Hash: 6D51B3B1A0A742D6FB629F31E8502B9B2A8EB40B44F404075DE8D47A95EF7DE5468720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isuppertolower
                                                  • String ID: ..\s\crypto\asn1\asn_mime.c
                                                  • API String ID: 2435887076-3920432902
                                                  • Opcode ID: afd99dc6705e7c4221e0938ea4742fb1041aee332b4208002f227d8eba97caa4
                                                  • Instruction ID: 64a5447562d4d3414a525f7f59aca045d8592c74a83071402028496cebd6308b
                                                  • Opcode Fuzzy Hash: afd99dc6705e7c4221e0938ea4742fb1041aee332b4208002f227d8eba97caa4
                                                  • Instruction Fuzzy Hash: F741D499B0B752C5EA5B9B36E4501B81A989F45B80F8C40B1DD9C073C2DE2DE64BC330
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectoryErrorFullLastNamePath_invalid_parameter_noinfo
                                                  • String ID: .$:
                                                  • API String ID: 2924719347-4202072812
                                                  • Opcode ID: 2b5d3c6d9a19e600da38749441d06f2a1408d4c78e7468e1be4b862c8dcf4944
                                                  • Instruction ID: ed645190edac3c975ab95f0338e48342b9e889d9c0376f01fff49499cf32832b
                                                  • Opcode Fuzzy Hash: 2b5d3c6d9a19e600da38749441d06f2a1408d4c78e7468e1be4b862c8dcf4944
                                                  • Instruction Fuzzy Hash: 9C31B165E1C64342FE606B619C1167F6290AF88784F844174EAEDC76C6EE3EEC00A717
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E053FD
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E05443
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$WideCharToMultiByte
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: CurrentDirectoryErrorFullLastNamePath_invalid_parameter_noinfo
                                                  • String ID: .$:.
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: htonl
                                                  • String ID: %s could not be extracted!$Failed to write all bytes for %s$fopen$fwrite
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00007FF626E02926), ref: 00007FF626E057E1
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,00000000,00007FF626E02926), ref: 00007FF626E05837
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$WideCharToMultiByte
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E05659), ref: 00007FF626E059E2
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E05659), ref: 00007FF626E05A46
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$WideCharToMultiByte
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  • Associated: 00000003.00000002.1566361784.00007FFBAAAC0000.00000002.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566415949.00007FFBAAAC6000.00000002.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566415949.00007FFBAAB03000.00000002.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566415949.00007FFBAAB4F000.00000002.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566415949.00007FFBAAB51000.00000002.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566415949.00007FFBAABA6000.00000002.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566606067.00007FFBAABA8000.00000004.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566627399.00007FFBAABA9000.00000008.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566659797.00007FFBAABC4000.00000004.00000001.01000000.00000025.sdmp
                                                  • Associated: 00000003.00000002.1566682008.00007FFBAABC6000.00000002.00000001.01000000.00000025.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: String$Arg_Err_FromParseSizeStack_Unicode_
                                                  • String ID: C|O:name$no such name
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Similarity
                                                  • API ID: Err_$FormatString
                                                  • String ID: name too long$undefined character name '%s'
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  APIs
                                                    • Part of subcall function 00007FF626E13E38: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF626E13E16), ref: 00007FF626E13E41
                                                    • Part of subcall function 00007FF626E13E38: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF626E13E16), ref: 00007FF626E13E65
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF626E0FCE1
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF626E03E28,?,?,00000000,00007FF626E04161,?,?,?,?,00000000,00007FF626E0273E), ref: 00007FF626E0528B
                                                  • MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF626E03E28,?,?,00000000,00007FF626E04161,?,?,?,?,00000000,00007FF626E0273E), ref: 00007FF626E052C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar
                                                  • API String ID: 626452242-3466716416
                                                  • Opcode ID: 768ae4858cc63c504eeb1e608a74dd286ba938eed46a798055779b7b3cdfefb5
                                                  • Instruction ID: f4abea1e23b71292a696646ea001d7cf1a30145f0cdb584fda1dfd9102d2fc66
                                                  • Opcode Fuzzy Hash: 768ae4858cc63c504eeb1e608a74dd286ba938eed46a798055779b7b3cdfefb5
                                                  • Instruction Fuzzy Hash: CC312932A0C64385EF209F16BE4457AA291FF88794F984135DEDDD7B95EE3EE0018702
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isspacestrcmp
                                                  • String ID: ..\s\crypto\asn1\asn_mime.c$content-type$text/plain$type:
                                                  • API String ID: 44590463-2116075170
                                                  • Opcode ID: ba097b5156be0b7bbbe2d7de9ae29fb3d94249712c4ed0e4977a05576eef6a59
                                                  • Instruction ID: ed82e5f05f8e745cee029e6b074cc1ec00a3179b254c9d42c73352d0d6c4f8a7
                                                  • Opcode Fuzzy Hash: ba097b5156be0b7bbbe2d7de9ae29fb3d94249712c4ed0e4977a05576eef6a59
                                                  • Instruction Fuzzy Hash: D14193B5B0A683D5F656DB31D8113B96358EF84780F840075ED8E46795EF6CE446C720
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF626E03E75,?,?,00000000,00007FF626E04161,?,?,?,?,00000000,00007FF626E0273E), ref: 00007FF626E058E3
                                                  • MultiByteToWideChar.KERNEL32(?,?,00000000,00000000,?,00007FF626E03E75,?,?,00000000,00007FF626E04161,?,?,?,?,00000000,00007FF626E0273E), ref: 00007FF626E0591F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar
                                                  • API String ID: 626452242-3466716416
                                                  • Opcode ID: 34c8a2f7fc66a2459ec47ca8afa07331ff50b8329ab9b2c93f181c85060267a2
                                                  • Instruction ID: c209a94e3513a5761583004b601c6e05db35fba7659e0b7416e6867e8196de18
                                                  • Opcode Fuzzy Hash: 34c8a2f7fc66a2459ec47ca8afa07331ff50b8329ab9b2c93f181c85060267a2
                                                  • Instruction Fuzzy Hash: 5431E372A0DB4382EF209F15AC4067AAAA5FB447A4F544135DEDDC3BA0EE3ED4158702
                                                  APIs
                                                  • memmove.VCRUNTIME140(00000000,00007FFBAAC07BE4,?,?,?,?,?,?,?,00007FFBAAC07A51), ref: 00007FFBAAC0845B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmove
                                                  • String ID: ..\s\crypto\bio\b_print.c$assertion failed: *currlen <= *maxlen$assertion failed: *sbuffer != NULL$assertion failed: *sbuffer != NULL || buffer != NULL
                                                  • API String ID: 2162964266-3390609203
                                                  • Opcode ID: 55ebde2b4616f47e0efcdd36a966e03da5b8ff93867734d032d296a060db8524
                                                  • Instruction ID: 08ff8a0294fb02201d9e20fb7ecbd1d32e13705559e90f0c3c3a195a23d83939
                                                  • Opcode Fuzzy Hash: 55ebde2b4616f47e0efcdd36a966e03da5b8ff93867734d032d296a060db8524
                                                  • Instruction Fuzzy Hash: 0F416CA5B0BA42D0FB528B75D8603783369EB54B84F40C475DE9C17B99EF7CE6528320
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32 ref: 00007FF626E055CD
                                                  • MultiByteToWideChar.KERNEL32 ref: 00007FF626E0561C
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar
                                                  • API String ID: 1717984340-3466716416
                                                  • Opcode ID: 807dd285fc1c8f601161197948aaf5342ec423ad13cf7883e31a352ef3edb9a6
                                                  • Instruction ID: e487784f17daf03448a5d88495cf9f58d294e9c0a80964afc7b752388481b640
                                                  • Opcode Fuzzy Hash: 807dd285fc1c8f601161197948aaf5342ec423ad13cf7883e31a352ef3edb9a6
                                                  • Instruction Fuzzy Hash: A531E361B1CA4385FF20AB62BE0017A6292AF84BD0F544535DDDDDBF96EE3EE4054702
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharErrorLastMultiWide$AllocateHeap_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 1500607604-0
                                                  • Opcode ID: 1b61148e8c69ef46a594c1aaa1bc8ccbf0cb62a70f49a0799f10f0eab64746dc
                                                  • Instruction ID: 8b00b9b427ef92edbed6ef05ceb6c289020c2223dc981295915c667415c9f86d
                                                  • Opcode Fuzzy Hash: 1b61148e8c69ef46a594c1aaa1bc8ccbf0cb62a70f49a0799f10f0eab64746dc
                                                  • Instruction Fuzzy Hash: 2021C471A0CB4241EE249F626C0057EA696BF84B90F184575EEEDC37D6EE3EE8425702
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E056F6
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,00007FF626E0458C,00007FF626E025DA), ref: 00007FF626E05750
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar
                                                  • API String ID: 1717984340-3466716416
                                                  • Opcode ID: 3a16ef3591b69f9d0a985f577828e605e31592002adf921ec7feb696857d0dff
                                                  • Instruction ID: 029b98f8c36553dbc9685ce7c2703569a9be92c2f31d5be5b396afa32589b4a1
                                                  • Opcode Fuzzy Hash: 3a16ef3591b69f9d0a985f577828e605e31592002adf921ec7feb696857d0dff
                                                  • Instruction Fuzzy Hash: 8911AE21B0CA4281EB50DB29FD00166A3A2FB88BD4B584235DB9CC3FA9EE2DD5518705
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _set_statfp
                                                  • String ID:
                                                  • API String ID: 1156100317-0
                                                  • Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                  • Instruction ID: a351cccd8fbd1ea5640caf73a9103d50297c0607e51c5a259d5eca01b3e02b68
                                                  • Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                  • Instruction Fuzzy Hash: 66115E7AE3C60741FE641124ECD63FD01936F55360F1D4A34EBEA86EE6CE2E66444742
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                  • API String ID: 3215553584-1196891531
                                                  • Opcode ID: d07a2f78661d68b47df1c0c7dcc91cd3eba7fe27400595e3b3573f3bdbe2d5a4
                                                  • Instruction ID: 3353743e14e6b809d9d2b8600d485fce4d8305446dec3a678ef79f0d38fd4a6b
                                                  • Opcode Fuzzy Hash: d07a2f78661d68b47df1c0c7dcc91cd3eba7fe27400595e3b3573f3bdbe2d5a4
                                                  • Instruction Fuzzy Hash: 4181AF72E0C20685FF654F258E502BE66A1AF25744F2484B5DABAC7680DF2FED50E703
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: fflush
                                                  • String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$pyi-
                                                  • API String ID: 497872470-3625900369
                                                  • Opcode ID: d92fe505b4fbedabe44ec988c752729d919cd51ef8afc4ba3ab5fec21b9ef081
                                                  • Instruction ID: effc8e46ea62ece4af3531d4e6dfc899ce743a6e98b294c26a1d70599f27e186
                                                  • Opcode Fuzzy Hash: d92fe505b4fbedabe44ec988c752729d919cd51ef8afc4ba3ab5fec21b9ef081
                                                  • Instruction Fuzzy Hash: 3D518B21A1C64381FF14AB65EC452B926A0AF84B90F804135D9CDEB3E7DE7FE8518753
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: freeaddrinfo
                                                  • String ID: +$..\s\crypto\bio\b_addr.c$assertion failed: bai != NULL
                                                  • API String ID: 2731292433-170714298
                                                  • Opcode ID: 595fed822ab412484a383ac26d089dd9b1ed027c373dd2cb9affa1f41c5086c3
                                                  • Instruction ID: be7654b74922b11d843e13805e5e8be9c4c12f85ab4cf2d7fe2c8f2331567112
                                                  • Opcode Fuzzy Hash: 595fed822ab412484a383ac26d089dd9b1ed027c373dd2cb9affa1f41c5086c3
                                                  • Instruction Fuzzy Hash: 6B41B276A1AB42C5EB528F25D800269B7A8FB98F44F15C075EE9C43760EF7CE546C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharErrorFileLastMultiWideWrite
                                                  • String ID: U
                                                  • API String ID: 2456169464-4171548499
                                                  • Opcode ID: 5954a6fc303682225655ac94497f616c2db65485563ffa68d4965f1e762738ba
                                                  • Instruction ID: f68f5edbbbf0bb76f604b9241bda92b777c815c5c4a32c385511462497e7c525
                                                  • Opcode Fuzzy Hash: 5954a6fc303682225655ac94497f616c2db65485563ffa68d4965f1e762738ba
                                                  • Instruction Fuzzy Hash: 1641A262B2DA8186EB208F25E8457BA77A1FB88784F404035EE8EC7794DF3DD401CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ..\s\crypto\bio\b_sock.c$O$host=
                                                  • API String ID: 0-891313173
                                                  • Opcode ID: 14882c00628e4dbee00398d69e621b251c1c76d76d0dafcc54a7fa168ba9d242
                                                  • Instruction ID: b21d9b4912667d4fcaf5860b0b2ed34e3b0e254e07c42df08a2332f6a24df553
                                                  • Opcode Fuzzy Hash: 14882c00628e4dbee00398d69e621b251c1c76d76d0dafcc54a7fa168ba9d242
                                                  • Instruction Fuzzy Hash: 2431E2B6B09682C2EB51DB25F4402AEA374FB84780F800075EF8C57B9ADF7DD9468B14
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BIO[%p]: $bio callback - unknown type (%d)
                                                  • API String ID: 0-3830480438
                                                  • Opcode ID: 655c52cb9ff0c91a09caa3640b18354ac7b359dc799a2be84f57ce4c92ddb041
                                                  • Instruction ID: 37e38840ea6bf604feb0a555b94c97ce534e94cb34a406e0ce6a4162c1ac5a55
                                                  • Opcode Fuzzy Hash: 655c52cb9ff0c91a09caa3640b18354ac7b359dc799a2be84f57ce4c92ddb041
                                                  • Instruction Fuzzy Hash: 0B31F3B6A0E681D6FB239B71E8507F52768FB48784F905072DE4E43796EE3CD4468710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastacceptclosesocket
                                                  • String ID: ..\s\crypto\bio\b_sock2.c
                                                  • API String ID: 3541127826-3200932406
                                                  • Opcode ID: c28f882a5f03fa4e9c5131b571d4c6657ccec1536fc8b78ef73f1726cb1964e9
                                                  • Instruction ID: e191c635251486f112c6ae37e85c0647e944633966776decac0d404a9ada10e5
                                                  • Opcode Fuzzy Hash: c28f882a5f03fa4e9c5131b571d4c6657ccec1536fc8b78ef73f1726cb1964e9
                                                  • Instruction Fuzzy Hash: A821C1B5B0A542C2FA52EB31E8142B96259FF88758F500275ED5E47AD5DF3CE4068710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastferrorfread
                                                  • String ID: ..\s\crypto\bio\bss_file.c
                                                  • API String ID: 2845062543-1037876578
                                                  • Opcode ID: 2f37e00d3ebdd09ffc7ebc240d2118d4869925ea6661ad58966872e115cc802f
                                                  • Instruction ID: ef684b568929603aa6ede18d6e227773b84ae3bb0241c757dac5261ed248adf9
                                                  • Opcode Fuzzy Hash: 2f37e00d3ebdd09ffc7ebc240d2118d4869925ea6661ad58966872e115cc802f
                                                  • Instruction Fuzzy Hash: C921BDB1B0A542C3F752AB35D80422963A8FF44B88F640275DE4D47BA1DF3DE8978B20
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: service=$..\s\crypto\bio\bss_acpt.c$hostname=
                                                  • API String ID: 1452528299-3041361201
                                                  • Opcode ID: 209002cff70c84a687809a8b9fe316519a2d516bb370bb359e8763430163ef03
                                                  • Instruction ID: ec4b87ffb847828714cefc65764ea4cb819fe96b1226ca4a4d127f520d9762ce
                                                  • Opcode Fuzzy Hash: 209002cff70c84a687809a8b9fe316519a2d516bb370bb359e8763430163ef03
                                                  • Instruction Fuzzy Hash: 4011AEB6A19652C7E712DF70E4002AD2358FB84B98F40067AEE5C47795DF3DD4478750
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: DoubleErr_Float_FromNumericStringUnicode_
                                                  • String ID: not a numeric character
                                                  • API String ID: 727557307-2058156748
                                                  • Opcode ID: 04335cd90c1b7efa9b3c109320634fd862f6d739738ee16eba67e35163319bc4
                                                  • Instruction ID: aacab7fb5110a00460c9d1744bcc11adad264a15eb8c9bbd2ce7c9d5d5a2fdbb
                                                  • Opcode Fuzzy Hash: 04335cd90c1b7efa9b3c109320634fd862f6d739738ee16eba67e35163319bc4
                                                  • Instruction Fuzzy Hash: 5F11A3A1A4A943D9FA978FB0D05013862E9AF44742F5480B4DD4D872B1FF2CE8479261
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: DecimalDigitErr_FromLongLong_StringUnicode_
                                                  • String ID: not a decimal
                                                  • API String ID: 2585962759-3590249192
                                                  • Opcode ID: 8dabed524ac2d3766912640e3301048d50aa03fb4eb717702b3a2454768d2940
                                                  • Instruction ID: fbd06218abdaf3f9f856d204f68221565a891b20fb8242ad7edff5c92b285843
                                                  • Opcode Fuzzy Hash: 8dabed524ac2d3766912640e3301048d50aa03fb4eb717702b3a2454768d2940
                                                  • Instruction Fuzzy Hash: 570184A1A0E542C2FF578FB5D05813862E9AF84B45F5994B0CD1E472B0FF2CE8479324
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastsocket
                                                  • String ID: ..\s\crypto\bio\b_sock2.c$2
                                                  • API String ID: 1120909799-2051290508
                                                  • Opcode ID: 6b2f26f9ead768d44c5cf92d9b4639b2a0c4d3a3e4d8a33f9ad15b1b1061a747
                                                  • Instruction ID: 9aa9059882db97893307e1212b82a5077a996ee864a7e06eba95f4d28ce46593
                                                  • Opcode Fuzzy Hash: 6b2f26f9ead768d44c5cf92d9b4639b2a0c4d3a3e4d8a33f9ad15b1b1061a747
                                                  • Instruction Fuzzy Hash: B701DEB1A09482C3F712DB35E40026D6629FB84B94F604675EBAC43AE1CF3DEA17CB50
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,00007FF626E025A7), ref: 00007FF626E028F1
                                                    • Part of subcall function 00007FF626E01A80: GetLastError.KERNEL32(?,?,00000000,00007FF626E0548C,?,?,?,?,?,?,?,00007FF626E01023), ref: 00007FF626E01AA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastModuleName
                                                  • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                  • API String ID: 2776309574-482168174
                                                  • Opcode ID: 8648082102eec205b8fc16e7130eb8d983c75af25cc9c0e4bb8935c18a360487
                                                  • Instruction ID: a47786823292c52051b86fcca18a92715aeb42fc32d5ae4327bb7abff2174f31
                                                  • Opcode Fuzzy Hash: 8648082102eec205b8fc16e7130eb8d983c75af25cc9c0e4bb8935c18a360487
                                                  • Instruction Fuzzy Hash: A7018420F1C64384FE349725EC453B51391AF58794FD00232E4DDD66D6EE2EE2048B02
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID:
                                                  • API String ID: 1475443563-0
                                                  • Opcode ID: d170005a03c2bf4c12a9e392ebfa1bc5cfaa59f3d4ac4bad304444b33f0edc76
                                                  • Instruction ID: c9d9dd9bd804f0fe3fa40fb80b8b2b4e738d0c48a40c8be5aced843aad5d7545
                                                  • Opcode Fuzzy Hash: d170005a03c2bf4c12a9e392ebfa1bc5cfaa59f3d4ac4bad304444b33f0edc76
                                                  • Instruction Fuzzy Hash: 5481C1F9B19683C5FB12AB72D5401B96769FB44788F8090B5CEAD57A95EF3CE4028330
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: $%02x%c$%04x -
                                                  • API String ID: 2221118986-38741901
                                                  • Opcode ID: d541516476bf54a8d2c5d8742551894904fbe985ebccf8cae6b0aa1cdaee4d7e
                                                  • Instruction ID: fbac9f5f5ea644e98220e69f8b7656ec96e411c9937303927508f091f8a39fd8
                                                  • Opcode Fuzzy Hash: d541516476bf54a8d2c5d8742551894904fbe985ebccf8cae6b0aa1cdaee4d7e
                                                  • Instruction Fuzzy Hash: B17109B1B19AC2D6E721DB74E8803EA6795FB84744F800075EE8D87A95EF7CD506CB10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strncmp
                                                  • String ID: content-type
                                                  • API String ID: 1114863663-3266185539
                                                  • Opcode ID: d1541f71b300ca4ef3ac87241361e9342e0f6ed828d1c34eb151425f1770ced2
                                                  • Instruction ID: 25d5d01748945001242598b6805323969eff5a2d300ed1ee933155c35d5117dd
                                                  • Opcode Fuzzy Hash: d1541f71b300ca4ef3ac87241361e9342e0f6ed828d1c34eb151425f1770ced2
                                                  • Instruction Fuzzy Hash: 425138A6B1F643C1FA669B3AE45077E62A8BF44B84FC85074DE5D436C9DE2CE4078720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmove
                                                  • String ID: ..\s\crypto\ct\ct_oct.c
                                                  • API String ID: 2162964266-1972679481
                                                  • Opcode ID: e62e66ae4085271aa951420eed6b1e2eff7d328156c608e164aecd96d3159171
                                                  • Instruction ID: df2333a26e407a9e2eb945abd0f289785334c25a620d57c4437356236f6182cd
                                                  • Opcode Fuzzy Hash: e62e66ae4085271aa951420eed6b1e2eff7d328156c608e164aecd96d3159171
                                                  • Instruction Fuzzy Hash: 7571B5E660E692C9E716CF75C4201783BB4EB59B44F0441B6EE9C07786EE3CE656C720
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo$_get_daylight
                                                  • String ID:
                                                  • API String ID: 72036449-0
                                                  • Opcode ID: 57a80b3d5529d5f5b4c6a421e39c9ad8ad9c8474ed82c9519280ae2848f9f80f
                                                  • Instruction ID: a22e03942b77f041bf63828548ebe841d673d9a70b69c4664eba2ea05a3fb7a4
                                                  • Opcode Fuzzy Hash: 57a80b3d5529d5f5b4c6a421e39c9ad8ad9c8474ed82c9519280ae2848f9f80f
                                                  • Instruction Fuzzy Hash: EB51BF32D0C24286FF658F289E0537969D0AB04724F5981B5DA8DC62D6CE2EEC42A7D3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                  • String ID:
                                                  • API String ID: 4141327611-0
                                                  • Opcode ID: 570aee6898104e4f076ed688c9fa826cdad07e79dc6406c874fc876ed1d4501e
                                                  • Instruction ID: 83fef4149dbecf71ea6402db210a608aed6d97cbd21aa79dff6c8fa0792da995
                                                  • Opcode Fuzzy Hash: 570aee6898104e4f076ed688c9fa826cdad07e79dc6406c874fc876ed1d4501e
                                                  • Instruction Fuzzy Hash: 0841E5B1A0D78286FF659B109840379A7A1EF40B90F748170DADC8BAD9CF3EDC419B02
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E103A4,?,?,00000000,00007FF626E10316,?,?,00000000,00007FF626E10689), ref: 00007FF626E10553
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E103A4,?,?,00000000,00007FF626E10316,?,?,00000000,00007FF626E10689), ref: 00007FF626E10593
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E103A4,?,?,00000000,00007FF626E10316,?,?,00000000,00007FF626E10689), ref: 00007FF626E105DA
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E103A4,?,?,00000000,00007FF626E10316,?,?,00000000,00007FF626E10689), ref: 00007FF626E10621
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 626452242-0
                                                  • Opcode ID: 2dd896016fce2a177f67a4fe2625975256ba1a72bfdf18c7eaa90f1a31df1ee1
                                                  • Instruction ID: 97c410bd33fd46a14086f4fdaad54f8724efeb3c538a954ff6f38b5fac758c68
                                                  • Opcode Fuzzy Hash: 2dd896016fce2a177f67a4fe2625975256ba1a72bfdf18c7eaa90f1a31df1ee1
                                                  • Instruction Fuzzy Hash: BC317132A0DB8285EB249F26AD40169BAE5BF84BD0F544239EADE93BD5DF3DD4018701
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: ..\s\crypto\buffer\buffer.c$d
                                                  • API String ID: 2221118986-3339940913
                                                  • Opcode ID: f53787ca993ff5b719e0c057eac90d12ba3eb7bc7ea9dc84af9f781cad736776
                                                  • Instruction ID: 1535c424d69c0de595fa1fb73621af2da5de162afdeb44a7bdd476aef8bba2ea
                                                  • Opcode Fuzzy Hash: f53787ca993ff5b719e0c057eac90d12ba3eb7bc7ea9dc84af9f781cad736776
                                                  • Instruction Fuzzy Hash: D1310372B1A756C6EB01DB26E4002ACA3A4FB88B88F444571DF9C07B95EF3CE166C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: ','$..\s\crypto\bio\bss_file.c$fopen('
                                                  • API String ID: 1452528299-4071347828
                                                  • Opcode ID: 52615947246644e98301bd3310d56dd083fca32e3ff0934cdf2ed52144c17e56
                                                  • Instruction ID: 7d5a35d55230124b0f4fe79ce42930335e1bd528552cade2439a5f67991df493
                                                  • Opcode Fuzzy Hash: 52615947246644e98301bd3310d56dd083fca32e3ff0934cdf2ed52144c17e56
                                                  • Instruction Fuzzy Hash: BC418EE4B0A602C5FB528B24D8413B46768FB44748F8041BAEE8D43BA5EF3DE54BC760
                                                  APIs
                                                  • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF626E1203F,?,?,?,00007FF626E11FB2), ref: 00007FF626E1B2C5
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E1203F,?,?,?,00007FF626E11FB2), ref: 00007FF626E1B327
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF626E1203F,?,?,?,00007FF626E11FB2), ref: 00007FF626E1B361
                                                  • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF626E1203F,?,?,?,00007FF626E11FB2), ref: 00007FF626E1B38B
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                  • String ID:
                                                  • API String ID: 1557788787-0
                                                  • Opcode ID: fc8dfe4995f08a4cb97c383202e9b3e1b66504f052c537ad1553479c6389dff0
                                                  • Instruction ID: 18f91df073d57d3ea8ce4b8fbd95d1aa62678a2cfdfdbe0966b45f9d9231824b
                                                  • Opcode Fuzzy Hash: fc8dfe4995f08a4cb97c383202e9b3e1b66504f052c537ad1553479c6389dff0
                                                  • Instruction Fuzzy Hash: CB216121F0C75282EA209F16A84412DB6A4FB58BD0B484274DECEA3BA4DF7DE8529745
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$sendsendto
                                                  • String ID:
                                                  • API String ID: 3676581841-0
                                                  • Opcode ID: 6a0b855c58cdf1599e503aa45fa22da51727a31a1e6f404a477f6819d32ef78d
                                                  • Instruction ID: 00482876008d8768733f75d9b118b11221f02ce2bcdf9bf423e112c0ea6fc280
                                                  • Opcode Fuzzy Hash: 6a0b855c58cdf1599e503aa45fa22da51727a31a1e6f404a477f6819d32ef78d
                                                  • Instruction Fuzzy Hash: 1221F3B1B09641C6F722AF76E85022AAAA9FB88B80F540079DE4D47F55DE3CE4438710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strcmp
                                                  • String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
                                                  • API String ID: 1004003707-3633731555
                                                  • Opcode ID: d684365fa30dc407a3abe23c3878e1e93ba436fb6e3ec6ca5723f9c3ab1fabf2
                                                  • Instruction ID: d909d4e2ccaddd637476d72db6c7de65222c3ee9df59da4d1bf467dd96cf8db6
                                                  • Opcode Fuzzy Hash: d684365fa30dc407a3abe23c3878e1e93ba436fb6e3ec6ca5723f9c3ab1fabf2
                                                  • Instruction Fuzzy Hash: 0421B7B6B0AB46D2EB11DB60E4402A9B3A8FF84790F504076EE8C07B55EF7DD542CB20
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,?,00007FF626E0C004,?,?,00000000,00007FF626E0E8F5), ref: 00007FF626E1712A
                                                  • SetLastError.KERNEL32(?,?,?,00007FF626E0C004,?,?,00000000,00007FF626E0E8F5), ref: 00007FF626E17192
                                                  • SetLastError.KERNEL32(?,?,?,00007FF626E0C004,?,?,00000000,00007FF626E0E8F5), ref: 00007FF626E171A8
                                                  • abort.LIBCMT ref: 00007FF626E171AE
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$abort
                                                  • String ID:
                                                  • API String ID: 1447195878-0
                                                  • Opcode ID: 54156677517fff9ab6a5c35c47de3bf9a375e1bc4fd3453adbc7b56df9f8fce5
                                                  • Instruction ID: 9f0599061ea104db3589d5fd08c1a23f1764d2da53bab5a260def68c64239380
                                                  • Opcode Fuzzy Hash: 54156677517fff9ab6a5c35c47de3bf9a375e1bc4fd3453adbc7b56df9f8fce5
                                                  • Instruction Fuzzy Hash: 47015E10F0D68342FE5967219E6697D12925F84B90F140578D99EC2BD2EE2FAC896702
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmovememset
                                                  • String ID: $$..\s\crypto\rsa\rsa_none.c
                                                  • API String ID: 1288253900-779172340
                                                  • Opcode ID: a9d3b909d1b2e24173f67ff678cd477ccbb5c469bc0d12cbf45f9b2f47e18968
                                                  • Instruction ID: 76cc37e58ea0c5d2fd08d568bcad902948af751418ebf953fef60c182427b296
                                                  • Opcode Fuzzy Hash: a9d3b909d1b2e24173f67ff678cd477ccbb5c469bc0d12cbf45f9b2f47e18968
                                                  • Instruction Fuzzy Hash: A101DE71B19642C7E611DB26E9400ADB369EB84790F548670EE9807BAAEF3CD2068B00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: gfffffff
                                                  • API String ID: 3215553584-1523873471
                                                  • Opcode ID: eeb3ad31d0b564319db3cb84673d94e20562a2fd1e754b625e9329464f117d7d
                                                  • Instruction ID: e1f2eb24184fdbb579948250ed06d2625b4653e715075f950a0db6979c89bb00
                                                  • Opcode Fuzzy Hash: eeb3ad31d0b564319db3cb84673d94e20562a2fd1e754b625e9329464f117d7d
                                                  • Instruction Fuzzy Hash: 4B914863B1D38A86EF218F2999413BC6B55EB65BD0F048171CACD87395DE3EE912D302
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ..\s\crypto\bn\bn_rand.c$\
                                                  • API String ID: 0-2127634195
                                                  • Opcode ID: 0a9c33ea8f146ccf0e86e8746e17cabade823217244249f6023e009e80619c95
                                                  • Instruction ID: ee44ff8a58f5f29fc20b3a69e2eb34b5850fd9c337c613e51dd258e04bdbda11
                                                  • Opcode Fuzzy Hash: 0a9c33ea8f146ccf0e86e8746e17cabade823217244249f6023e009e80619c95
                                                  • Instruction Fuzzy Hash: 0F5108A2A0E782C5FA129735EA003B9B75DAB41755F4482B1DE9E03A85EF3CE446C730
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: e+000$gfff
                                                  • API String ID: 3215553584-3030954782
                                                  • Opcode ID: 4968aa1ee207d6875aaaa9fe43e4c432ab5420fbdbed66a67b3513b472d8dbfd
                                                  • Instruction ID: df0bcd4bd3d4469e8e063077b61a7543e38e55c84386a4ccb46e826915f1903d
                                                  • Opcode Fuzzy Hash: 4968aa1ee207d6875aaaa9fe43e4c432ab5420fbdbed66a67b3513b472d8dbfd
                                                  • Instruction Fuzzy Hash: 03512762B1C7D246EF248B359D423A96B91EB81F90F489275C6DCC7BD6CE2ED844C702
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: FileModuleName_invalid_parameter_noinfo
                                                  • String ID: C:\Users\user\Desktop\LisectAVT_2403002A_489.exe
                                                  • API String ID: 3307058713-873524309
                                                  • Opcode ID: e56ba1043f2c9df4732542cfa3c373007413f998d8ab6c43111962edd9b7e8fd
                                                  • Instruction ID: fc66697920c7f758614a169037c7c3085176ea0d725ac47be3e804bd3d5bcdcd
                                                  • Opcode Fuzzy Hash: e56ba1043f2c9df4732542cfa3c373007413f998d8ab6c43111962edd9b7e8fd
                                                  • Instruction Fuzzy Hash: 31416B36A0CA528AEF159F219C400FC67A4EF48BD4F554075E98E97B95DF3EE881D302
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isuppertolower
                                                  • String ID: ..\s\crypto\asn1\asn_mime.c
                                                  • API String ID: 2435887076-3920432902
                                                  • Opcode ID: d94804d17b663fc8d3bde8fc146fda4d7e5c9656fc5069661aaa8eed1174cf01
                                                  • Instruction ID: 9555b6b26ac9b15cb781d956966aaa5f0320a1e2a4b127058eb6d35fa1fa6ef3
                                                  • Opcode Fuzzy Hash: d94804d17b663fc8d3bde8fc146fda4d7e5c9656fc5069661aaa8eed1174cf01
                                                  • Instruction Fuzzy Hash: 263146A5B0EB52C1FA1B9B36E4402792AD8EF45BC0F8840B6DD9C473D5EE3DE5468320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strtoul
                                                  • String ID: ..\s\crypto\asn1\asn1_gen.c$Char=
                                                  • API String ID: 3805803174-1115830501
                                                  • Opcode ID: 911ba6f920e2482127f9bc05aca60748e1903456a37485712a168285a4d66c98
                                                  • Instruction ID: 94085570272f95d267b89b588634d92ca7d019296ef350ff7184b2b1bc873d26
                                                  • Opcode Fuzzy Hash: 911ba6f920e2482127f9bc05aca60748e1903456a37485712a168285a4d66c98
                                                  • Instruction Fuzzy Hash: C43190FAA0A3C2C6F3229F34D4007B966A9EB40744FC45172EA884B698CF7DE957C750
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: isdigitstrchr
                                                  • String ID: '()+,-./:=?
                                                  • API String ID: 4006902084-3524873388
                                                  • Opcode ID: 8303c435c33a21090f74c8f5ee8f9a4a32d33e184a3f8fd0b558241d61f0c4db
                                                  • Instruction ID: 3f8a89ccdb7ccee28d58cb04e74d7f483c57a4a407f635d14d63e8243b519cf8
                                                  • Opcode Fuzzy Hash: 8303c435c33a21090f74c8f5ee8f9a4a32d33e184a3f8fd0b558241d61f0c4db
                                                  • Instruction Fuzzy Hash: 9D2183BAF1A68285F7725738E48037C6299AF54350F9801B1EE6D421D5DF2CA8D242A0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory
                                                  • String ID: :
                                                  • API String ID: 1611563598-336475711
                                                  • Opcode ID: 1eedce42e3152873d5b4067a559663dc53d51d1e6a4ed842a1b4b14e6ce6dd9e
                                                  • Instruction ID: 7d9161a6876a317492967c2c96b19b6f8f283ac30bc10dd9c11e76f8fabd2e59
                                                  • Opcode Fuzzy Hash: 1eedce42e3152873d5b4067a559663dc53d51d1e6a4ed842a1b4b14e6ce6dd9e
                                                  • Instruction Fuzzy Hash: 63218F27B0C68281FF209B11D8442BE63A1FB84B84F858075DAED87684DF7EED85D752
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastacceptclosesocket
                                                  • String ID: ..\s\crypto\bio\b_sock2.c
                                                  • API String ID: 3541127826-3200932406
                                                  • Opcode ID: 06c9b126970d1eadd709e6386a321f06baf8321de7f19142c13b03de72c24e69
                                                  • Instruction ID: 2f5b45f373acd85821d9efa8d32d2e34e1cf3071ee682e401fa4014cb81e94ff
                                                  • Opcode Fuzzy Hash: 06c9b126970d1eadd709e6386a321f06baf8321de7f19142c13b03de72c24e69
                                                  • Instruction Fuzzy Hash: 0C11E1B1B0A546C2FA52DB31E8142A97364FF88794F900275EE9D07AD6DF3CD4168B10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastgetsockname
                                                  • String ID: ..\s\crypto\bio\b_sock.c
                                                  • API String ID: 566540725-540685895
                                                  • Opcode ID: aa72d3494bbc6dd9940a1aa7909f39d73eb293dfc4e6e7ec056965f823f6970d
                                                  • Instruction ID: 629aaca35670076380ef7be7489d7f6a927733005178f3789c9a85b6a5d05032
                                                  • Opcode Fuzzy Hash: aa72d3494bbc6dd9940a1aa7909f39d73eb293dfc4e6e7ec056965f823f6970d
                                                  • Instruction Fuzzy Hash: 73218EB5A19102C6E752DB31E8047ED7768EB40714F800675DA9C06AA0DF7DE69ACB50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Arg_FromParse_SizeStringUnicode_
                                                  • String ID: C:bidirectional
                                                  • API String ID: 2111088505-2187346101
                                                  • Opcode ID: 1697f08bf0033de532db670b90cc5d8243c590d93b7cf74a0a1ad30f2cc2a80b
                                                  • Instruction ID: 14573ae21c463e78658a888c16517fdc57b8dd7d8a970bd6c5aa3e68e9b80aa7
                                                  • Opcode Fuzzy Hash: 1697f08bf0033de532db670b90cc5d8243c590d93b7cf74a0a1ad30f2cc2a80b
                                                  • Instruction Fuzzy Hash: 912195A2B1A681C2FB578F74D4402B963E9EB84745F581572DE9F037A4EE2CE857C320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Arg_FromLongLong_Parse_Size
                                                  • String ID: C:mirrored
                                                  • API String ID: 3477851657-3678755944
                                                  • Opcode ID: fef00ae312b02f4c9941a20cc13a8ad4d493a03434f3c10f1471f73f0fb45099
                                                  • Instruction ID: 1e0ad4031f2cac124040934a09f58d35c4b99d1d71bab55e940f1899111bb695
                                                  • Opcode Fuzzy Hash: fef00ae312b02f4c9941a20cc13a8ad4d493a03434f3c10f1471f73f0fb45099
                                                  • Instruction Fuzzy Hash: F811A2D2B4E682D2FB868F70D4401B863EAEB84740F484071D94E067A5EE2CD947D360
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Arg_FromLongLong_Parse_Size
                                                  • String ID: C:combining
                                                  • API String ID: 3477851657-3102836608
                                                  • Opcode ID: 7ec5b61f363c5cda9962e6316abf4fa1c09f7c32130e2ff7443ca1e1bef1ceba
                                                  • Instruction ID: b00038be6e75866bdad70981446987b7edccc45915518de3c181d7703ad4fe3a
                                                  • Opcode Fuzzy Hash: 7ec5b61f363c5cda9962e6316abf4fa1c09f7c32130e2ff7443ca1e1bef1ceba
                                                  • Instruction Fuzzy Hash: 5011B2A2A0D691C2FB569FA5D4401BD66E9EB88B80F484071EE4E17764EF3CD487D360
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Arg_FromParse_SizeStringUnicode_
                                                  • String ID: C:category
                                                  • API String ID: 2111088505-1316378673
                                                  • Opcode ID: 0f242852e330e30b6724f7bc2b745c4dd1b3c70460fca93505011663137e737c
                                                  • Instruction ID: fd72ea8d091ba7d152880d342eef5865609cee45b6281aa86e73ec66b006b035
                                                  • Opcode Fuzzy Hash: 0f242852e330e30b6724f7bc2b745c4dd1b3c70460fca93505011663137e737c
                                                  • Instruction Fuzzy Hash: F511E4A2B09681C2E7568F71E44017863E5FB44B91B584171EF9E437A4EF3CE857C320
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: getsockoptperror
                                                  • String ID: getsockopt
                                                  • API String ID: 2965403756-3272894102
                                                  • Opcode ID: 9dc47eb4fa395ff1b21e5dfa43cb95426701e0984e8b79842e953c0c77d0f500
                                                  • Instruction ID: 74883a45b21ab1699de606ff88e896529e132817fa87ea21c4bcb7a6e4f28df1
                                                  • Opcode Fuzzy Hash: 9dc47eb4fa395ff1b21e5dfa43cb95426701e0984e8b79842e953c0c77d0f500
                                                  • Instruction Fuzzy Hash: EC018C72718642C7E7158F24E84012D6A69F78C710F404236EB8A87BD4EF3CD5068B00
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: Time$System$File
                                                  • String ID: gfff
                                                  • API String ID: 2838179519-1553575800
                                                  • Opcode ID: 74085c394f5c6408696e4f35565f54d5a51be4a2c98643566ef7bc954dabc6ef
                                                  • Instruction ID: 1b5e698a9ada3d435f98504a9b32dead3e6968f492c9685c2b0c0076a9af77f3
                                                  • Opcode Fuzzy Hash: 74085c394f5c6408696e4f35565f54d5a51be4a2c98643566ef7bc954dabc6ef
                                                  • Instruction Fuzzy Hash: EB01F2E2A19685C2EF51AF39F8111546794EBDC784B449031EA4D8B769EE2CD1028B00
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566175214.00007FF626E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF626E00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ff626e00000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: :
                                                  • API String ID: 3215553584-336475711
                                                  • Opcode ID: d6d6e34964956db082e71a28770fe06b0e2d0fb141bbdcf566c624eadcaa19bf
                                                  • Instruction ID: a51b37872b4bcb519f9548f49f6a00eb4c7d93516ffe80fd574e84859881139d
                                                  • Opcode Fuzzy Hash: d6d6e34964956db082e71a28770fe06b0e2d0fb141bbdcf566c624eadcaa19bf
                                                  • Instruction Fuzzy Hash: 7201D62291C64281FF20AF60A8512BF6760EF48304FD00135E9DEC7692DF3DD9049B17
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: String$Err_FromUnicode_
                                                  • String ID: no such name
                                                  • API String ID: 3678473424-4211486178
                                                  • Opcode ID: 297c0f4c2f5ecc3253a6636d9d389c327314a2b1630558ff803bc29882cdaf9d
                                                  • Instruction ID: d91c55427bd73de81cd809d43b8ff70c4532ad7aac454de9921fbef8df4bad77
                                                  • Opcode Fuzzy Hash: 297c0f4c2f5ecc3253a6636d9d389c327314a2b1630558ff803bc29882cdaf9d
                                                  • Instruction Fuzzy Hash: FE01FFB1A1AA42C6FA629FB1E8143B5A3E8AB98B85F401471DD4E47765FE3CD0078660
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: _time64
                                                  • String ID: !$..\s\crypto\ct\ct_policy.c
                                                  • API String ID: 1670930206-3401457818
                                                  • Opcode ID: 1a434778e50ca44d247c24033c5aae7a6f5c0b7aa9617a6f3b32990a92c7eec1
                                                  • Instruction ID: dbcd7d537bf873862f7276d4ac4b86ed89a3564a2773b96e10cf9024f50c67f2
                                                  • Opcode Fuzzy Hash: 1a434778e50ca44d247c24033c5aae7a6f5c0b7aa9617a6f3b32990a92c7eec1
                                                  • Instruction Fuzzy Hash: F7F037B5B57602D6EB069B34E8013AD2399EF44704F940878DE6D467A1EE3CE656C620
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: perrorsetsockopt
                                                  • String ID: setsockopt
                                                  • API String ID: 1637780026-3981526788
                                                  • Opcode ID: 873e25a78bda31d22861a31c3b075a320e4d0df384d2b8a4980e8ba112313bc3
                                                  • Instruction ID: 69d1a21a94db70488e98843436a3a559dbcb10baa6ae013a642cef5b75abbdd9
                                                  • Opcode Fuzzy Hash: 873e25a78bda31d22861a31c3b075a320e4d0df384d2b8a4980e8ba112313bc3
                                                  • Instruction Fuzzy Hash: 79F081B2F09582CBF3919B28D84432837E8FB88745F904176EA4D86A94EF3CD55ACB51
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: perrorsetsockopt
                                                  • String ID: setsockopt
                                                  • API String ID: 1637780026-3981526788
                                                  • Opcode ID: d99ccdf3d776d9dde9850fbc50d2cd395d0db26ffa1fa23f0c5d22d2bc768041
                                                  • Instruction ID: 9e40a7e2db1ad002b85957a4fe7e3ea235b3b4c113fa131446b7a29fe2ed0160
                                                  • Opcode Fuzzy Hash: d99ccdf3d776d9dde9850fbc50d2cd395d0db26ffa1fa23f0c5d22d2bc768041
                                                  • Instruction Fuzzy Hash: F4F0AF76B04541C7E361CF29E84016976A4EB88720F444232EB8982BA4EF38D4868A10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566389535.00007FFBAAAC1000.00000020.00000001.01000000.00000025.sdmp, Offset: 00007FFBAAAC0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaaac0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: DigitErr_StringUnicode_
                                                  • String ID: not a digit
                                                  • API String ID: 1987352478-3016634541
                                                  • Opcode ID: 3f5af5a410e4fe9208c7c478fbd31f2f5bac721227351a79d27eb94d8741b7e4
                                                  • Instruction ID: 9af9d57aa4a3095594c75ffec3792df9bbbe5594e17ae81de0689acaeeb44496
                                                  • Opcode Fuzzy Hash: 3f5af5a410e4fe9208c7c478fbd31f2f5bac721227351a79d27eb94d8741b7e4
                                                  • Instruction Fuzzy Hash: 2AF01C90F0A906C6FA178FB5E45417452D9AF48B49F0428B0CE0E8B270FE1CA5878328
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABE0000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmove
                                                  • String ID:
                                                  • API String ID: 2162964266-0
                                                  • Opcode ID: 05dd8e0b1acef65c916b6f799a675147af4211f3b39dacb62b5c4e640c44be94
                                                  • Instruction ID: a27abcf76d221f7e71bfef6521adf970060dab17da74eaa2b1265925b5e7fda8
                                                  • Opcode Fuzzy Hash: 05dd8e0b1acef65c916b6f799a675147af4211f3b39dacb62b5c4e640c44be94
                                                  • Instruction Fuzzy Hash: 8F6128A6B0A681D6FA52DE39DA04139A798FF44B84F088070DE4D67B5EEE3CE442C710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: strchr
                                                  • String ID:
                                                  • API String ID: 2830005266-0
                                                  • Opcode ID: 68a504bfbca2598efe054819a9555a2f16280dd3d2307538c23928f96af10492
                                                  • Instruction ID: ede0ee975b41dc6fab46308ff12ffb4b32913f0df56a4d9c818d2dd26b5e0596
                                                  • Opcode Fuzzy Hash: 68a504bfbca2598efe054819a9555a2f16280dd3d2307538c23928f96af10492
                                                  • Instruction Fuzzy Hash: 0741DCB1B1E642C3FB628B35D44017962ADEF95780F544571EEED876C5EF2CE9028B20
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000003.00000002.1566728877.00007FFBAABD1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBAABD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_3_2_7ffbaabd0000_LisectAVT_2403002A_489.jbxd
                                                  Similarity
                                                  • API ID: memmove
                                                  • String ID:
                                                  • API String ID: 2162964266-0
                                                  • Opcode ID: 145b7a2abba6c3569b79fb3a6b67f58f825c25dc80346e689b3748ad780ccc66
                                                  • Instruction ID: 66443e1c7b14a4017e65b7d7ab5c562be6d0b8866ca73b770f500169ea4adb69
                                                  • Opcode Fuzzy Hash: 145b7a2abba6c3569b79fb3a6b67f58f825c25dc80346e689b3748ad780ccc66
                                                  • Instruction Fuzzy Hash: CA1103B2B09641D3D721EB2AE4401E9B364EB447D0F844531EF9D47B96EF28E592C310